Introduction to Microsoft Word Remote Code Execution CVE-2015-0097

Source: Internet
Author: User

0x00 Introduction
Microsoft Office Word 2003 and 2007 remote code execution vulnerability.

0x01 Known successful environments
Word 2003 and 2007 SP3 on Windows XP, 7, 8 and 8.1, all up to date as of this writing.

0x02 PoC file description
Create-Recordset.hta: used to generate recordset.txt and dldrun.vbs
Poc.bin: used to fill in the Word file
POC-Generator.vbs: generates the PoC when run
Readme + Instructions.rtf: English instructions

0x03 Simple principle
1. Vulnerability description:
Word allows arbitrary code execution by calling the ADO object.
2. PoC description:
After the malicious Word file is opened:
recordset.txt is downloaded from the remote server and saved into the local Startup folder under the name poc.hta;
poc.hta in turn downloads dldrun.vbs;
dldrun.vbs is what runs the calculator.
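The behaviour above leaves a concrete host-side trace: a script-type file (an .hta) in the user's Startup folder and a second script (.vbs) fetched later. A defender can look for exactly that. The following Python scanner is an added example and is not part of the original post or its PoC; the extension list and the helper that builds a constructed sample directory are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Script-type extensions that do not belong in a Startup folder on a typical
# workstation. The PoC above drops an .hta and fetches a .vbs; the rest of the
# list is an assumption covering neighbouring Windows Script Host file types.
SUSPICIOUS_EXTENSIONS = {
    ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".cmd", ".bat",
}


def classify_entries(names):
    """Return, sorted, the file names whose extension is a script type."""
    return sorted(n for n in names if Path(n).suffix.lower() in SUSPICIOUS_EXTENSIONS)


def default_startup_dirs():
    """Per-user and all-users Startup folders on Windows, built from the usual
    environment variables (assumed; empty on hosts where they are not set)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    programdata = os.environ.get("PROGRAMDATA")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return dirs


def scan_startup_dir(directory):
    """Scan one directory and return the script-type file names found in it.
    A missing directory yields an empty list rather than an error."""
    p = Path(directory)
    if not p.is_dir():
        return []
    return classify_entries(e.name for e in p.iterdir() if e.is_file())


def scan_all(directories=None):
    """Map each directory to its flagged entries; only directories with hits are kept."""
    directories = default_startup_dirs() if directories is None else directories
    report = {}
    for d in directories:
        hits = scan_startup_dir(d)
        if hits:
            report[str(d)] = hits
    return report


def demo_scan():
    """Constructed sample: a temporary 'Startup' folder holding a benign shortcut-like
    text file next to the two script names the PoC uses, then scanned."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("poc.hta", "dldrun.vbs", "notes.txt"):
            (Path(tmp) / name).write_text("constructed sample content\n")
        return scan_startup_dir(tmp)


if __name__ == "__main__":
    for folder, hits in scan_all().items():
        print(f"{folder}: {', '.join(hits)}")
    print("demo:", demo_scan())
```

Run as a script it reports only folders with hits, so an empty output is the expected healthy state; on a host where the environment variables are absent it simply scans nothing. Pair this with a check on the scheduled-task and Run-key persistence points, since a Startup-folder listing alone covers just the technique this post describes.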

0x04 PoC modification
Testing POC-Generator.vbs turned up at least three places that need changing:
1. Add an IP address
The strURL variable does not specify the server IP address and needs to be set manually.
2. Remove redundancy
The prompt "Please tell me the file name of the executable, with the .exe extension, to download and run" and the "EXE name" variable are unused and can be deleted.
3. The Startup folder path is determined incorrectly
The statement Ax.WriteLine("svd=""\users\"" + f + ""\appdata\roaming\microsoft\windows\start menu\programs\startup\poc.hta""") points to a wrong path, so the file cannot be written there.

0x05 Actual test
1. Modify POC-Generator.vbs as described above and run it.
2. Upload recordset.txt and dldrun.vbs to the server.
3. Open test.rtf locally; poc.hta is then generated in the Startup folder.
4. At the next boot poc.hta runs, downloads dldrun.vbs and brings up the calculator.

0x06 Additional notes
The doc, docx and rtf variants all tested successfully.