
Wednesday, May 12, 2010

CVE-2009-1129 PPT 2010-05-06 BMW Vision (My Dream Car) from saraswasingh@gmail.com

Interesting PPT file

Update May 12.
An anonymous reader found it to be MS09-017, a stack-based overflow in PP7X32.dll (thank you)

Ted W. found the same (MS09-017) and added that this PPT's exploit overwrites one SEH handler at offset 0xF70, then jumps to shellcode at offset 0x189c; the total size of the PoC is 0x5400 (thank you)


This appears to be CVE-2009-1129
CVE-2009-1129 Multiple stack-based buffer overflows in the PowerPoint 95 importer (PP7X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via an inconsistent record length in sound data in a file that uses a PowerPoint 95 (PPT95) native file format, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1128.


I have another ppt of the same kind and from the same sender, let me know if you want it, I am not going to post it.

Download
BMW.ppt and bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin as a password-protected archive (please contact me for the password if you need it)


Details 722efe25f0d973fbb684cc32da1f693e BMW.ppt


 


From: saraswati singh [mailto:saraswasingh@gmail.com]
Sent: Thursday, May 06, 2010 8:30 PM
To:
Subject: BMW Vision (My Dream Car) !!!!

an be your Future Goal......!
The All New ...  BMW Vision
 http://www.virustotal.com/analisis/771293ab20afd4da5ac9908915f5fd04467f6b444bade8ac68bb8ed60648c792-1273205194
File BMW.ppt received on 2010.05.07 04:06:34 (UTC)
Current status: finished
Result: 5/39 (12.82%)
Antivirus     Version     Last Update     Result
Antiy-AVL     2.0.3.7     2010.05.06     Trojan/MSPPoint.Agent
Authentium     5.2.0.5     2010.05.07     MSPowerPoint/Dropper.B!Camelot
Kaspersky     7.0.0.125     2010.05.07     Trojan-Dropper.MSPPoint.Agent.cp
TrendMicro     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
TrendMicro-HouseCall     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
Additional information
File size: 877670 bytes
MD5   : 722efe25f0d973fbb684cc32da1f693e

OfficeMalscanner results

bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin
XOR encrypted MZ/PE signature found at offset: 0xcf462 - encryption KEY: 0xcc
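A minimal illustration of the check behind a finding like the one above, added here as an example (it is not OfficeMalscanner's code): it tries all 256 single-byte XOR keys, looks for an encoded "MZ", decodes e_lfanew with the candidate key and only reports a hit if the encoded "PE\0\0" signature sits where e_lfanew points. The carrier file and embedded image are constructed inline; the key 0xcc matches the report above, the offset is arbitrary.

```python
import struct

def build_sample(key: int = 0xCC, offset: int = 0x40) -> bytes:
    """Constructed test input: a skeletal PE image, XOR-encoded with a single-byte
    key and embedded in a zero-filled carrier at `offset` (not the blog's sample)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)      # e_lfanew at 0x3C -> 0x80
    image = dos + bytes(0x80 - len(dos)) + b"PE\x00\x00" + bytes(0x20)
    encoded = bytes(b ^ key for b in image)
    return bytes(offset) + encoded + bytes(16)

def find_xor_pe(data: bytes, max_lfanew: int = 0x1000):
    """Return [(offset, key), ...] for every single-byte-XOR-encoded MZ/PE header.

    For each key the encoded 'MZ' is searched; e_lfanew (at MZ+0x3C) is decoded
    with that key and the hit is kept only if the encoded 'PE\\0\\0' signature is
    found at MZ+e_lfanew. Key 0x00 covers plaintext PE files."""
    hits = []
    for key in range(256):
        mz = bytes(b ^ key for b in b"MZ")
        pe_sig = bytes(b ^ key for b in b"PE\x00\x00")
        pos = data.find(mz)
        while pos >= 0:
            if pos + 0x40 <= len(data):
                raw = bytes(b ^ key for b in data[pos + 0x3C:pos + 0x40])
                e_lfanew = struct.unpack("<I", raw)[0]
                pe_pos = pos + e_lfanew
                if 0x40 <= e_lfanew < max_lfanew and data[pe_pos:pe_pos + 4] == pe_sig:
                    hits.append((pos, key))
            pos = data.find(mz, pos + 1)
    return hits

def decode_pe(data: bytes, offset: int, key: int) -> bytes:
    """Carve from `offset` to the end of the carrier and undo the XOR."""
    return bytes(b ^ key for b in data[offset:])

if __name__ == "__main__":
    sample = build_sample()
    for off, key in find_xor_pe(sample):
        print(f"XOR encrypted MZ/PE signature found at offset: {off:#x} - encryption KEY: {key:#x}")
```

On a real document the carve length would be taken from the PE headers (or the end of the stream) rather than running to end of file.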




http://www.virustotal.com/analisis/db10c19f6d5da8e3f5990a371c453667a56fd2f30d8d340059528c558bea8cee-1273205940
bmw__PEFILE__OFFSET_0x5400__XOR-K  received on 2010.05.07 04:19:00 (UTC)
Result: 3/41 (7.32%)
Antivirus     Version     Last Update     Result
AntiVir    8.2.1.236    2010.05.06    TR/Samsa.V
DrWeb    5.0.2.03300    2010.05.07    Trojan.Proxy.298
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.LooksLike.Win32.Samsa.I
Additional information
File size: 53248 bytes

MD5...: 9dfe33215a410362451747ecfe283802

Thursday, April 2, 2009

April 02, 2009 CVE-2009-0556 PPT 0-day: one of the first samples. Cooperative Threat Reduction

Download infected PPT files: Cooperative Threat Reduction briefing.PPT - b622b9e294647277dc40205dcf27e086 and CTR_talk.PPT - 0e1fc785eff45ff0b140dbf61abf3eab
(password-protected archive; you need to contact me for the password)

Details: Cooperative Threat Reduction briefing.PPT - b622b9e294647277dc40205dcf27e086 and CTR_talk.PPT - 0e1fc785eff45ff0b140dbf61abf3eab 

From: XXXXXX@gmail.com
Sent: Thursday, April 02, 2009 3:59 AM
To: XXXXXXXX
Subject: Cooperative Threat Reduction
I've attached the CTR concept paper.  Feel free to circulate it. We very much look forward to the comments of you and your colleagues.
Best regards,
[name and contact info removed]

Message received on April 2, 2009

Attachment 1
Cooperative Threat Reduction briefing.PPT - b622b9e294647277dc40205dcf27e086
Virustotal scan on April 2, 2009
http://www.virustotal.com/analisis/dcf59752b35afa4034cc6e99e24ab9b8
File Cooperative_Threat_Reduction_brie received on 2009.04.02 22:22:40 (UTC)
Current status: finished
Result: 2/40 (5.00%)
Antivirus     Version     Last Update     Result
McAfee-GW-Edition     6.7.6     2009.04.01     OLE2.LooksLike.Suspicious.gen
Norman     6.00.06     2009.04.02     ShellCode.A
Additional information
File size: 838144 bytes
MD5...: b622b9e294647277dc40205dcf27e086