Microsoft Office XP – Remote Code Execution

  • Author: Francis Provencher
    Date: 2011-06-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17399/
  • #####################################################################################
    
    Application: Microsoft Office XP
    
    Platforms: Windows Vista
    
    Exploitation: Remote code execution
    
    CVE Number:
    
    Microsoft Bulletin:
    
    {PRL}: 2011-07
    
    Author: Francis Provencher (Protek Research Lab's)
    
    WebSite: http://www.protekresearchlab.com/
    
    Twitter: @ProtekResearch
    
    
    #####################################################################################
    
    1) Introduction
    2) Report Timeline
    3) Technical details
    4) POC
    
    #####################################################################################
    
    ===============
    1) Introduction
    ===============
    
    Microsoft Office is a proprietary commercial office suite of inter-related desktop
    applications, servers and services for the Microsoft Windows and Mac OS X operating
    systems, introduced by Microsoft in 1989. Initially a marketing term for a bundled
    set of applications, the first version of Office contained Microsoft Word,
    Microsoft Excel, and Microsoft PowerPoint. Over the years, Office applications have
    grown substantially closer with shared features such as a common spell checker,
    OLE data integration and the Microsoft Visual Basic for Applications scripting language.
    
    http://en.wikipedia.org/wiki/Microsoft_Office
    
    #####################################################################################
    
    ============================
    2) Report Timeline
    ============================
    
    2011-01-03 - Vulnerability reported to vendor
    2011-06-14 - Uncoordinated public release of advisory
    
    
    #####################################################################################
    
    ====================
    3) Technical details
    ====================
    
    This vulnerability allows remote attackers to execute arbitrary code on vulnerable
    installations of Microsoft Office Word. User interaction is required to exploit this
    vulnerability in that the target must visit a malicious page or open a malicious file.
    
    The WinDbg output below shows the crash in winword.exe. eax and edi both hold
    0x41424344, four printable ASCII bytes (0x41 0x42 0x43 0x44, "ABCD") rather than a
    pointer the program computed, and the faulting instruction reads a dword through
    edi. The advisory documents only this read access violation through a controlled
    pointer; it gives no further analysis of how that read is turned into code
    execution, so the exploitability claim rests on the controlled pointer alone.
    
    0:000> g
    (c18.bf4): Access violation - code c0000005 (!!! second chance !!!)
    eax=41424344 ebx=00000011 ecx=00000010 edx=00000001 esi=00000000 edi=41424344
    eip=308eb16d esp=00125450 ebp=00125474 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    winword!wdGetApplicationObject+0x150fac:
    308eb16d 8b07            mov     eax,dword ptr [edi]  ds:0023:41424344=????????
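The register dump is the whole evidentiary basis of this advisory, so the first thing a practitioner does with it is crash triage: which registers hold filler bytes from the input file, what the faulting instruction does with its memory operand (read, write, or indirect branch), and whether the faulting address is derived from a filler-controlled register. The following Python script is an added example written for this page, not code from Protek Research Lab or exploit-db. It parses WinDbg's register line and faulting-instruction line, using the dump from section 3 as one sample input and a constructed write-fault dump (not from the advisory) as a second; the function names and the printable-ASCII "marker" heuristic are this example's own assumptions.

```python
import re

# Sample input 1: the WinDbg second-chance access violation printed in section 3
# of this advisory (whitespace restored to WinDbg's column layout).
PRL_2011_07_DUMP = """\
(c18.bf4): Access violation - code c0000005 (!!! second chance !!!)
eax=41424344 ebx=00000011 ecx=00000010 edx=00000001 esi=00000000 edi=41424344
eip=308eb16d esp=00125450 ebp=00125474 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
winword!wdGetApplicationObject+0x150fac:
308eb16d 8b07            mov     eax,dword ptr [edi]  ds:0023:41424344=????????
"""

# Sample input 2: a constructed dump (not from the advisory) of a write through a
# controlled pointer with a scaled index, to exercise the other triage branches.
CONSTRUCTED_WRITE_DUMP = """\
(1234.5678): Access violation - code c0000005 (!!! second chance !!!)
eax=deadbeef ebx=00000000 ecx=41414141 edx=00000004 esi=00000000 edi=00000000
eip=10001000 esp=0012f000 ebp=0012f020 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
module!function+0x10:
10001000 890c91          mov     dword ptr [ecx+edx*4],ecx ds:0023:41414151=????????
"""

REG_RE = re.compile(r'\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-f]{8})\b')
MEM_RE = re.compile(r'\[([^\]]+)\]')
# address, opcode bytes, mnemonic, operands, optional "ds:0023:addr=value" annotation
INSN_RE = re.compile(r'^(?P<addr>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s*(?P<ops>.*?)'
                     r'(?:\s+[cdefgs]s:[0-9a-f]{4}:(?P<fault>[0-9a-f]{8})=\S+)?\s*$')

def parse_registers(dump):
    """Map each x86 register on WinDbg's register line to its integer value."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def parse_faulting_instruction(dump, regs):
    """Return (mnemonic, operands, annotated fault address or None) for the
    disassembly line whose address equals eip."""
    eip = '%08x' % regs['eip']
    for line in dump.splitlines():
        m = INSN_RE.match(line)
        if m and m.group('addr') == eip:
            fault = m.group('fault')
            return m.group('mnem'), m.group('ops').strip(), int(fault, 16) if fault else None
    raise ValueError('no disassembly line at eip=%s' % eip)

def looks_like_marker(value):
    """Heuristic (this example's assumption): four printable ASCII bytes, such as
    0x41424344 ('ABCD'), is filler copied from the input file, not a real pointer."""
    return all(0x20 <= (value >> shift) & 0xff <= 0x7e for shift in (0, 8, 16, 24))

def effective_address(expr, regs):
    """Evaluate a WinDbg x86 memory expression such as 'ecx+edx*4+1Ch'."""
    total = 0
    for sign, term in re.findall(r'([+-]?)\s*([A-Za-z0-9*]+)', expr):
        if '*' in term:                       # scaled index register
            reg, scale = term.split('*')
            value = regs[reg.lower()] * int(scale)
        elif term.lower() in regs:            # base or index register
            value = regs[term.lower()]
        else:                                 # hex displacement, WinDbg 'h' suffix
            value = int(term.rstrip('hH'), 16)
        total += -value if sign == '-' else value
    return total & 0xffffffff

def classify_access(mnem, ops):
    """What the faulting instruction does with its memory operand."""
    if mnem in ('call', 'jmp'):
        return 'control'                      # indirect branch through memory
    mem = MEM_RE.search(ops)
    if ',' in ops and mem.start() < ops.index(','):
        return 'write'                        # memory is the destination operand
    if ',' not in ops and mnem in ('inc', 'dec', 'not', 'neg', 'pop'):
        return 'write'
    return 'read'

def triage(dump):
    """Summarise an access violation: registers carrying input filler, the kind of
    faulting access, and whether the fault address derives from a tainted register."""
    regs = parse_registers(dump)
    mnem, ops, annotated = parse_faulting_instruction(dump, regs)
    mem = MEM_RE.search(ops)
    if mem is None:
        raise ValueError('faulting instruction has no memory operand')
    expr = mem.group(1).lower()
    used = re.findall(r'\b(e[abcd]x|e[sd]i|e[bs]p)\b', expr)
    tainted = sorted(r for r, v in regs.items() if looks_like_marker(v))
    ea = effective_address(expr, regs)
    return {
        'instruction': '%s %s' % (mnem, ops),
        'access': classify_access(mnem, ops),
        'fault_addr': ea,
        'annotation_agrees': annotated is None or annotated == ea,
        'tainted_regs': tainted,
        'controlled_pointer': any(r in tainted for r in used),
    }

if __name__ == '__main__':
    for name, dump in (('PRL-2011-07', PRL_2011_07_DUMP), ('constructed', CONSTRUCTED_WRITE_DUMP)):
        print(name, triage(dump))
```

For the PRL-2011-07 dump the script reports a read through edi, with eax and edi tainted and the computed address 0x41424344 agreeing with WinDbg's `ds:0023:` annotation. A controlled-pointer read is the weakest of the three classes: unlike a write or a `call`/`jmp` through controlled memory, it only becomes code execution if what the program later does with the loaded value (here eax) can be steered, which is the analysis this advisory does not provide.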
    
    
    #####################################################################################
    
    ===========
    4) POC
    ===========
    
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17399.doc (PRL-2011-07.doc)
    http://www.protekresearchlab.com/exploits/PRL-2011-07.doc