
Tuesday, February 23, 2010

Feb 22 CVE-2006-6456 MS Word Taiwan 2010 from diguapinggao@gmail.com Feb 22, 2010 4:17 AM

This is an old exploit targeting systems that have been left unpatched for a long time. The document appears to have been created with 2007最新DOC捆绑器 (thanks to zha0 for helping translate and spell the tool name). The tool is easy to find online and is designed to exploit the CVE-2006-6456 / MS07-014 vulnerability. According to the Symantec post describing this tool in April 2007, shellcode in documents generated by the tool usually starts at offset 0x16730, which appears to be the case here as well. The exploit does not work on Office 2003 SP3, nor on earlier versions that have Microsoft update KB929434 (MS07-014) installed.

Update March 3, 2010 - Abhishek Lyall kindly provided additional details about the sample:
"The taskmgr.exe is embedded from offset 0x24E00. The exe is XOR'ed with the 64-bit key 0xCA5039AF00000000. If you XOR the file again with the same key you'll find the exe headers at offset 0x24E00." Please see his screenshot below.
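To check a note like the one above on your own copy of a sample, the following added script (not from the original post or from Abhishek Lyall) XORs the region starting at a given offset with a repeating 8-byte key and verifies that the result carries an MZ header whose e_lfanew points at a PE signature. The key and offset are the ones quoted above; whether the key bytes are applied as written (big-endian) or reversed is not stated in the note, so the carver tries both orders. The sample document is constructed inline for the test and is not the real file.

```python
import struct
from typing import Optional

# Key and offset as quoted in the analyst note above.
XOR_KEY = 0xCA5039AF00000000
EMBED_OFFSET = 0x24E00


def xor_with_key(data: bytes, key: int, order: str = "big", key_len: int = 8) -> bytes:
    """XOR data with a repeating key; `order` picks the byte order of the key."""
    kb = key.to_bytes(key_len, order)
    return bytes(b ^ kb[i % key_len] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with an MZ header whose e_lfanew points at b'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_xored_exe(doc: bytes, offset: int, key: int) -> Optional[bytes]:
    """Decode doc[offset:] with the key in both byte orders; return the PE bytes if found."""
    blob = doc[offset:]
    for order in ("big", "little"):
        decoded = xor_with_key(blob, key, order)
        if looks_like_pe(decoded):
            return decoded
    return None  # no valid MZ/PE header at this offset with this key


def build_sample_doc(offset: int, key: int) -> bytes:
    """Constructed test input: filler bytes, then a minimal MZ/PE stub XORed with key.

    This stands in for the real document; it is not the sample from the post."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)        # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20            # PE signature + padding
    return b"\xCC" * offset + xor_with_key(bytes(stub), key)


if __name__ == "__main__":
    # Against a real file you would pass EMBED_OFFSET; the constructed doc uses a small offset.
    doc = build_sample_doc(0x100, XOR_KEY)
    carved = carve_xored_exe(doc, 0x100, XOR_KEY)
    print("PE recovered" if carved else "no PE found")
```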


 
Download the following files as a password-protected archive. (Please contact me if you need the password.)





├───analysis files (by Tom - see below)
│   exe (taskmgr.ex   441D239744D05B861202E3E25A2AF0CD   32,768 bytes; taskmgr.idb)
│   shell (shel1.bin; shel1.idb; shel2.bin; shel2.idb)
├───collected
│   1.tmp             441D239744D05B861202E3E25A2AF0CD   32,768 bytes
│   Taiwan 2010.doc   85AF26A74E548B56ADEA933CFB878520   52,224 bytes
│   taskmgr.exe       441D239744D05B861202E3E25A2AF0CD   32,768 bytes
└───original doc
    Taiwan 2010.doc   9EF09819AA5D552ECB15067A14A33152   183,808 bytes



From: 孙丰 [mailto:diguapinggao@gmail.com]
Sent: Monday, February 22, 2010 4:17 AM
To: diguapinggao@gmail.com
Subject: Taiwan 2010