Original article: http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/
MS12-005: Arbitrary Code Execution of embedded objects
MS12-005 is really fun.
Demonstration video: see http://t.co/g4BKbgGF (may not be viewable from within China).
Update 2: MS12-005 is more dangerous than I thought. It is very easy to use and 100% reliable, and no user interaction is needed. Sample: http://www.cc.gatech.edu/~Blee303/exploit/ms12-005/MS12-005.ppsx. Download and double-click the .ppsx file (a PowerPoint show file) and the embedded Python script runs. In this sample, custom animations are used to activate the embedded file (the Python script), and no permission check is performed. In addition, we would like to thank yorick.
Update 1: See http://seclists.org/fulldisclosure/2012/Jan/164.
The author of that post appears to be the discoverer of MS12-005; the recommended combination is Office plus a .application file. When constructing a sample, check whether user interaction is required (for example, enabling macros).
Pre-patch: packager.dll, 6.1.7600.16385 (win7_rtm.090713-1255)
Patched: packager.dll, 6.1.7601.17727 (win7sp1_gdr.111118-2330)
First some background on MS12-005 (see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/packager_what_is_obj_pkg.mspx?mfr=true). Object Packager can embed any file inside another file, and that container can of course be an Office document.
You only need to drag and drop a file onto an Office document, and the file's icon is displayed in the document.
Double-clicking this icon executes the embedded file (if it is executable). Of course, before opening the file packager.dll pops up a warning that doing so may be dangerous, which the user has to confirm.
The problems behind MS12-005 are:
1) how executable files are identified; 2) how warning messages are shown to users.
1) How executable files are identified
Before the patch, packager.dll decided whether a file is executable by looking it up in a table (we call this table execExtTable).
.text:02FA1D98 execExtTable dd offset a_exe ; DATA XREF: CPackage::_GetCurrentIcon(_IC *)+69o
.text:02FA1D98                              ; CPackage::_GiveWarningMsg(HWND__ *)+5Eo
.text:02FA1D98                              ; ".exe"
.text:02FA1D9C              dd offset a_com ; ".com"
.text:02FA1DA0              dd offset a_bat ; ".bat"
.text:02FA1DA4              dd offset a_lnk ; ".lnk"
.text:02FA1DA8              dd offset a_cmd ; ".cmd"
.text:02FA1DAC              dd offset a_pif ; ".pif"
.text:02FA1DB0              dd offset a_scr ; ".scr"
.text:02FA1DB4              dd offset a_js  ; ".js"
.text:02FA1DB8              dd offset a_jse ; ".jse"
.text:02FA1DBC              dd offset a_vbs ; ".vbs"
.text:02FA1DC0              dd offset a_vbe ; ".vbe"
.text:02FA1DC4              dd offset a_wsh ; ".wsh"
.text:02FA1DC8              dd offset a_sct ; ".sct"
.text:02FA1DCC              dd offset a_vb  ; ".vb"
.text:02FA1DD0              dd offset a_wsc ; ".wsc"
.text:02FA1DD4              dd offset a_wsf ; ".wsf"
.text:02FA1DD8              dd offset a_wmz ; ".wmz"
The code simply loops through this table and checks whether the embedded file's extension matches one of its entries.
This is done by calling the IsProgIDInList function.
.text:02FA72F4 push 11h                             ; int
.text:02FA72F6 push offset execExtTable             ; dangerousTable
.text:02FA72FB push esi                             ; pExtName
.text:02FA72FC push 0                               ; int
.text:02FA72FE call ?IsProgIDInList@@YGHPB?PBQBGI@Z ; IsProgIDInList(ushort const *,uint)
What?? Are only these extensions executable? As you may know, there are many more executable file extensions.
Although whether such a file actually runs depends on the system's file associations (ah, this reminds me of ancient Windows vulnerabilities)
(TRANSLATOR: things like .txt being associated with notepad.exe %1),
.py and .pl are common enough. I am sure others have better ideas (could a .vsto file count as one??).
The MS12-005 patch fixes this by calling AssocIsDangerous() to check whether the file's extension is dangerous.
.text:02FA6A11 push eax
.text:02FA6A12 call ds:__imp__AssocIsDangerous@4 ; AssocIsDangerous(x)
.text:02FA6A18 test eax, eax
.text:02FA6A1A jnz short loc_2FA6A42
Try DarunGrim: it clearly shows that this block was changed.
2) How warning messages are shown
This part is simple. Before the patch, packager.dll showed a warning message only when the file was identified as executable.
See the function CPackage::_GiveWarningMsg(HWND).
This function loops through execExtTable; if the extension is not in execExtTable, no warning message is shown at all!
(TRANSLATOR: simply changing the file's suffix bypasses the check)
How to use
We demonstrated this on YouTube (http://www.youtube.com/watch?v=Odi6HiqzmL8&feature=youtu.be&hd=1).
For simplicity, we embed a Python script into the Office document and write a macro (which double-clicks the object) to execute the embedded Python script. After the Office document is opened, the user has to confirm running the macro, which then immediately executes the Python script.
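As an added defender's example (not from the original post, and not packager.dll's own logic), the Python triage script below unpacks an OOXML document, locates Object Packager embeddings by their Ole10Native stream, pulls the embedded file's extension, compares it against the pre-patch execExtTable shown above (so an analyst sees which objects an unpatched packager.dll would have opened with no warning), and flags PowerPoint verb animations, the mechanism behind the no-click sample in Update 2. The document it scans is constructed in memory, and its .bin part is a stub carrying only the CFB magic and stream name, not a real compound file.

```python
import io, re, zipfile

# Facts used: OOXML is a zip; OLE embeddings sit under */embeddings/*.bin as OLE
# compound files (magic D0 CF 11 E0 A1 B1 1A E1); Object Packager stores its payload
# in a stream named "\x01Ole10Native", whose name is UTF-16LE in the CFB directory.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE10NATIVE = "Ole10Native".encode("utf-16-le")
# The 17-entry execExtTable of pre-patch packager.dll, as listed above.
EXEC_EXT_TABLE = {".exe", ".com", ".bat", ".lnk", ".cmd", ".pif", ".scr", ".js", ".jse",
                  ".vbs", ".vbe", ".wsh", ".sct", ".vb", ".wsc", ".wsf", ".wmz"}
# PresentationML animation command that fires an OLE verb (activates the object).
VERB_CMD = re.compile(rb'<p:cmd[^>]*type="verb"')
# NUL-terminated ASCII extension tokens, as Packager stores its label/source path.
EXT_TOKEN = re.compile(rb"\.[A-Za-z0-9]{1,5}(?=\x00)")


def scan_ooxml(blob):
    """Return findings as (part name, kind, extensions, silent_on_prepatch)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            data = z.read(name)
            if "/embeddings/" in name and data.startswith(CFB_MAGIC) and OLE10NATIVE in data:
                exts = sorted({m.decode("ascii").lower() for m in EXT_TOKEN.findall(data)})
                # Pre-patch packager.dll warned only for execExtTable entries; any
                # other extension was opened with no warning dialog at all.
                silent = bool(exts) and not any(e in EXEC_EXT_TABLE for e in exts)
                findings.append((name, "packager", exts, silent))
            elif name.startswith("ppt/slides/") and VERB_CMD.search(data):
                findings.append((name, "ole-verb-animation", [], False))
    return findings


def triage(findings):
    """Packager object plus a verb animation means no click is needed."""
    if not any(f[1] == "packager" for f in findings):
        return "low"
    return "critical" if any(f[1] == "ole-verb-animation" for f in findings) else "high"


def build_sample():
    """Constructed in-memory .ppsx-like zip for the demo; not a real CFB/PowerPoint file."""
    fake_bin = (CFB_MAGIC + b"\x00" * 8 + OLE10NATIVE + b"\x00\x00"
                + b"demo.py\x00C:\\constructed\\demo.py\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/embeddings/oleObject1.bin", fake_bin)
        z.writestr("ppt/slides/slide1.xml", b'<p:sld><p:cmd type="verb" cmd="0"/></p:sld>')
    return buf.getvalue()
```

On a real document, replace build_sample() with the file's bytes; the extension heuristic is a string scan, so confirm hits with a proper CFB parser before acting on them.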
Translator:
The script run in the sample is:
ping exploitshop.wordpress.com
nslookup exploitshop.wordpress.com
See http://www.exploit-db.com/exploits/18372/