Tuesday, July 5, 2011

CVE-2009-3129 - International Military Attache Cooperation.xls

Description

Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."



The file is a modification of earlier samples exploiting this vulnerability. It consists of four parts:

First ShellCode - offset 0xD0E
Second ShellCode - offset 0x6600, size 0x413 bytes
TrojanFile - offset 0x6A13
New ExcelFile - offset 0x6A13 + size_TrojanFile (the clean decoy document)



Encryption


First ShellCode: each byte i is decoded as First ShellCode[i] ^ (0xFF - i)
Second ShellCode: decoded as Second ShellCode ^ SPECIAL_MASK
TrojanFile encryption (the decoding loop taken from the sample; 0xMASK_TROJAN stands for the XOR constant, which is not given here):


              mov     edx, Buffer              ; edx -> start of the encrypted TrojanFile
              mov     ecx, 400h                ; pass 1 covers 0x400 bytes, one dword per step

 loc_243:                                      ; pass 1: dword XOR, walking backwards from the end
              dec     ecx
              dec     ecx
              dec     ecx
              dec     ecx                      ; ecx -= 4 (no sub, keeps the stub free of certain bytes)
              xor     dword ptr [edx+ecx], 0xMASK_TROJAN
              test    ecx, ecx
              jnz     short loc_243

              push    esi
              push    edi
              mov     ecx, 600h                ; pass 2 covers 0x600 bytes
              mov     esi, edx
              mov     edi, edx
              inc     esi
              inc     edi                      ; esi = edi = Buffer + 1 (odd alignment)

 loc_25F:                                      ; pass 2: swap every pair of bytes starting at offset 1
              dec     ecx
              dec     ecx                      ; ecx -= 2
              lodsw                            ; ax = word at [esi], esi += 2
              xchg    al, ah                   ; swap the two bytes
              stosw                            ; write back at [edi], edi += 2
              test    ecx, ecx
              jnz     short loc_25F

              mov     ecx, 600h                ; pass 3 covers 0x600 bytes
              mov     esi, edx
              mov     edi, edx                 ; esi = edi = Buffer + 0 (even alignment)

 loc_274:                                      ; pass 3: swap every pair of bytes starting at offset 0
              dec     ecx
              dec     ecx
              lodsw
              xchg    al, ah
              stosw
              test    ecx, ecx
              jnz     short loc_274

              pop     edi
              pop     esi
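The three passes above, replayed in Python so the transform can be checked offline (an added example, not code from the post or from the sample). The XOR constant is not given in the post, so the mask used here is a constructed placeholder; the input buffer is constructed as well. The encoder is the inverse pass order and is only there to show that the decoder is correct.

```python
import struct

XOR_LEN = 0x400    # mov ecx, 400h: the dword-XOR pass touches bytes 0..0x3FF
SWAP_LEN = 0x600   # mov ecx, 600h: each byte-swap pass touches 0x600 bytes
MASK_TROJAN = 0x41424344  # constructed placeholder; the real constant is not in the post


def _swap_pairs(buf: bytearray, start: int) -> None:
    """lodsw / xchg al,ah / stosw over SWAP_LEN bytes beginning at `start`."""
    for off in range(start, start + SWAP_LEN, 2):
        buf[off], buf[off + 1] = buf[off + 1], buf[off]


def decode_trojan(buf: bytes, mask: int = MASK_TROJAN) -> bytes:
    """Apply the stub's three passes to a copy of `buf` and return the result."""
    # The offset-1 swap pass reads bytes 1..0x600 inclusive, so anything
    # shorter than 0x601 bytes would fault in the original code.
    if len(buf) < SWAP_LEN + 1:
        raise ValueError("buffer too short for the offset-1 swap pass")
    out = bytearray(buf)
    # loc_243: xor dword ptr [edx+ecx], mask for ecx = 0x3FC, 0x3F8, ..., 0.
    # The dword is little-endian in memory; the loop direction does not matter.
    mask_le = struct.pack("<I", mask)
    for off in range(0, XOR_LEN, 4):
        for k in range(4):
            out[off + k] ^= mask_le[k]
    _swap_pairs(out, 1)   # loc_25F: esi = edi = Buffer + 1
    _swap_pairs(out, 0)   # loc_274: esi = edi = Buffer + 0
    return bytes(out)


def encode_trojan(plain: bytes, mask: int = MASK_TROJAN) -> bytes:
    """Inverse of decode_trojan: undo the passes in reverse order."""
    if len(plain) < SWAP_LEN + 1:
        raise ValueError("buffer too short for the offset-1 swap pass")
    out = bytearray(plain)
    _swap_pairs(out, 0)
    _swap_pairs(out, 1)
    mask_le = struct.pack("<I", mask)
    for off in range(0, XOR_LEN, 4):
        for k in range(4):
            out[off + k] ^= mask_le[k]
    return bytes(out)


def decode_first_shellcode(data: bytes) -> bytes:
    """First ShellCode[i] ^ (0xFF - i); the & 0xFF wrap for i > 255 is an assumption."""
    return bytes(b ^ ((0xFF - i) & 0xFF) for i, b in enumerate(data))


if __name__ == "__main__":
    # Constructed plaintext, larger than the 0x600-byte window the passes cover.
    sample = bytes(i & 0xFF for i in range(0x700))
    assert decode_trojan(encode_trojan(sample)) == sample
    print(decode_trojan(bytes(0x700))[:8].hex())
```

Note that bytes from offset 0x601 onward are never touched by the stub, and the XOR only covers the first 0x400 bytes while the swaps cover 0x600, so a file larger than that window will have a plaintext tail; that mismatch is a useful signature when checking a carved TrojanFile against its decoded form.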


Virus Total



