Wednesday, May 12, 2010

CVE-2009-1129 PPT 2010-05-06 BMW Vision (My Dream Car) from saraswasingh@gmail.com

Interesting PPT file

Update May 12. 
An anonymous reader found it to be MS09-017, a stack-based overflow in PP7X32.dll (thank you)

Ted W. found the same (MS09-017) and added that this ppt's exploit overwrites one SEH handler at offset 0xF70, then jumps to shellcode at offset 0x189c; the total size of the PoC is 0x5400 (thank you)

This appears to be CVE-2009-1129
CVE-2009-1129 Multiple stack-based buffer overflows in the PowerPoint 95 importer (PP7X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via an inconsistent record length in sound data in a file that uses a PowerPoint 95 (PPT95) native file format, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1128.


I have another ppt of the same kind and from the same sender; let me know if you want it, I am not going to post it.

Download
BMW.ppt and bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin as a password-protected archive (please contact me for the password if you need it)


Details 722efe25f0d973fbb684cc32da1f693e BMW.ppt

From: saraswati singh [mailto:saraswasingh@gmail.com]
Sent: Thursday, May 06, 2010 8:30 PM
To:
Subject: BMW Vision (My Dream Car) !!!!

Can be your Future Goal......!
The All New ...  BMW Vision
http://www.virustotal.com/analisis/771293ab20afd4da5ac9908915f5fd04467f6b444bade8ac68bb8ed60648c792-1273205194
File BMW.ppt received on 2010.05.07 04:06:34 (UTC)
Current status: finished
Result: 5/39 (12.82%)
Antiy-AVL     2.0.3.7     2010.05.06     Trojan/MSPPoint.Agent
Authentium     5.2.0.5     2010.05.07     MSPowerPoint/Dropper.B!Camelot
Kaspersky     7.0.0.125     2010.05.07     Trojan-Dropper.MSPPoint.Agent.cp
TrendMicro     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
TrendMicro-HouseCall     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
Additional information
File size: 877670 bytes
MD5   : 722efe25f0d973fbb684cc32da1f693e

OfficeMalscanner results

bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin
XOR encrypted MZ/PE signature found at offset: 0xcf462 - encryption KEY: 0xcc
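The single-byte-XOR MZ/PE search that the scanner line above reports, written here as an added example (it is not code from the post or from OfficeMalscanner) over a constructed sample buffer: only the key 0xcc comes from the page; the sample, its embed offset 0x200 and the function names are assumptions of mine.

```python
import struct

MZ_LEN = 0x40  # size of IMAGE_DOS_HEADER; e_lfanew lives at offset 0x3C

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)

def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: 'MZ', e_lfanew -> 'PE\\0\\0', padding."""
    hdr = bytearray(MZ_LEN)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, MZ_LEN)  # NT headers start right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + bytes(0x20)

# Constructed host file: filler, then the fake PE XOR-encoded with key 0xcc at offset 0x200.
EMBED_OFFSET = 0x200
SAMPLE = b"\x41" * EMBED_OFFSET + xor_bytes(build_fake_pe(), 0xcc) + b"\x41" * 0x100

def find_xored_pe(blob: bytes, max_lfanew: int = 0x400) -> list:
    """Return (offset, key) for every single-byte-XOR-encoded MZ header whose e_lfanew,
    decoded with the same key, lands on an encoded 'PE\\0\\0' signature.
    Requiring both markers to agree on one key keeps false positives low."""
    hits = []
    for key in range(256):
        needle = xor_bytes(b"MZ", key)
        pos = blob.find(needle)
        while pos != -1:
            if pos + MZ_LEN <= len(blob):
                lfanew = struct.unpack_from("<I", xor_bytes(blob[pos + 0x3C:pos + MZ_LEN], key))[0]
                pe_at = pos + lfanew
                if (MZ_LEN <= lfanew <= max_lfanew and pe_at + 4 <= len(blob)
                        and xor_bytes(blob[pe_at:pe_at + 4], key) == b"PE\x00\x00"):
                    hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return hits

def decode_embedded(blob: bytes, offset: int, key: int) -> bytes:
    """Carve the embedded file from `offset` to the end and strip the XOR layer."""
    return xor_bytes(blob[offset:], key)

if __name__ == "__main__":
    for off, key in find_xored_pe(SAMPLE):
        print(f"XOR encrypted MZ/PE signature found at offset: {off:#x} - encryption KEY: {key:#x}")
        print(decode_embedded(SAMPLE, off, key)[:2])  # b'MZ' once the key is stripped
```

To run it on a real document, replace SAMPLE with the file's bytes; a hit where the decoded carve also has a plausible e_lfanew is what the scanner's "MZ/PE signature found" line corresponds to.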

http://www.virustotal.com/analisis/db10c19f6d5da8e3f5990a371c453667a56fd2f30d8d340059528c558bea8cee-1273205940
bmw__PEFILE__OFFSET_0x5400__XOR-K  received on 2010.05.07 04:19:00 (UTC)
Result: 3/41 (7.32%)
AntiVir    8.2.1.236    2010.05.06    TR/Samsa.V
DrWeb    5.0.2.03300    2010.05.07    Trojan.Proxy.298
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.LooksLike.Win32.Samsa.I
Additional information
File size: 53248 bytes

MD5...: 9dfe33215a410362451747ecfe283802
