Skip to main content

Posts

Showing posts from January, 2018

What happened ..??

Introduction  Below is the memory dump of Donny's system. He's not happy with what's going on it :(. Find What's happened ? Link:  https://mega.nz/#F!0moF0RaC!H2W9tUNs5Pjk1PA_p7dudA SHA256: 3E4FF07DA0D18E0387D0A6E8A0FA936974A652EB30D1FB3A4E61CA391E731944 Hint : Use Volatility or Rekall Memory Forensics Framework Solutions : Coming Soon !! :)

CVE-2017-11882 technical analysis

Introduction  This post explains how to analyse an office RTF document to identify CVE-2017-11882 vulnerability. Microsoft Equation Editor is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000, over 17 years ago. Without any further recompilation, it was used in all currently upported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as it’s own process and can accept commands from other processes. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Gua