CVE-2017-11882 - 3 ways to perform technical analysis, 1 easy way to protect
Here I show you a technical analysis of a fascinating exploit, CVE-2017-11882, which takes advantage of a buffer overflow vulnerability in the Microsoft Office Equation Editor (EQNEDT32.exe).
I demonstrate how to quickly analyse this exploit from a behavioural point of view, show you how to run rtfdump.py to extract the malicious object and also how to attach the victim process to a debugger so you can see for yourself the buffer being overflowed.
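As an added example (my own code, not from the video and not part of rtfdump), here is a small Python scanner in the spirit of the object extraction step: it pulls the hex-encoded \objdata blobs out of an RTF, decodes them and looks for the Equation Editor ProgID ("Equation.3") and the binary form of the CLSID that appears in the Patching section. It deliberately does not rely on the \objclass control word alone, because a document can omit it and still embed the object. The sample RTF is constructed inline and is not a real malicious file.

```python
import re
import struct
import uuid

# Equation Editor 3.0 identifiers: the ProgID written by \objclass and the
# CLSID from the COM Compatibility registry keys in the Patching section.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_run: bytes) -> bytes:
    """Strip whitespace from an \\objdata hex run and decode it to raw bytes."""
    clean = re.sub(rb"\s+", b"", hex_run)
    if len(clean) % 2:          # tolerate a truncated trailing nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def scan_rtf(rtf: bytes) -> dict:
    """Report which Equation Editor indicators an RTF document carries.

    objclass: a declared \\objclass starting with 'Equation'
    progid:   the ProgID inside a decoded \\objdata OLE1 header
    clsid:    the little-endian binary CLSID inside decoded \\objdata
    objects:  number of \\objdata blobs found
    """
    classes = [m.group(1) for m in OBJCLASS_RE.finditer(rtf)]
    blobs = [decode_objdata(m.group(1)) for m in OBJDATA_RE.finditer(rtf)]
    return {
        "objclass": any(c.lower().startswith(b"equation") for c in classes),
        "progid": any(EQUATION_PROGID in b for b in blobs),
        "clsid": any(EQUATION_CLSID.bytes_le in b for b in blobs),
        "objects": len(blobs),
    }


def build_sample_rtf(declare_objclass: bool = True) -> bytes:
    """Constructed test document (not a real sample): one embedded OLE object
    whose \\objdata carries a minimal OLE1 header naming Equation.3 and a stub
    payload that starts with the compound-file magic followed by the CLSID."""
    payload = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
               + EQUATION_CLSID.bytes_le + b"\x00" * 16)
    header = struct.pack("<III", 0x00000501, 2, len(EQUATION_PROGID) + 1)
    header += EQUATION_PROGID + b"\x00"
    header += struct.pack("<III", 0, 0, len(payload))   # no topic/item name
    objdata = (header + payload).hex().encode("ascii")
    objclass = b"{\\*\\objclass Equation.3}" if declare_objclass else b""
    return (b"{\\rtf1{\\object\\objemb" + objclass
            + b"{\\*\\objdata " + objdata + b"}}}")


if __name__ == "__main__":
    # Scan the constructed sample with and without a declared \objclass.
    for declared in (True, False):
        print("objclass declared:", declared, scan_rtf(build_sample_rtf(declared)))
```

Run it against a real document with `scan_rtf(open(path, "rb").read())`; a hit on `progid` or `clsid` with no `objclass` is exactly the case a signature keyed only on the control word would miss.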
Malicious Doc File:
insurance-2017-2018.doc
MD5: 080b3a6dc6ddf645f6c156e1561eb0b8
Tools Used:
Process Monitor: https://docs.microsoft.com/en-us/sysi...
Burp Suite : https://portswigger.net/burp
REMNux: https://remnux.org/
RTFdump: https://blog.didierstevens.com/2016/0...
gflags.exe: https://docs.microsoft.com/en-us/wind...
x64dbg: x64dbg.com
Recommended Reading:
https://embedi.com/blog/skeleton-clos...
https://researchcenter.paloaltonetwor...
Patching:
You should definitely update your Office environment. In the interim, you can apply the following registry changes, which set the COM compatibility flags for the Equation Editor class so that the EQNEDT32.exe process can no longer be launched:
reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
More here from Microsoft:
https://support.microsoft.com/en-us/h...
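As an added example (my own script, not from the video or from Microsoft), here is a PowerShell version of the mitigation that first audits both registry locations and only writes the 0x400 value when you pass the `-Apply` switch, so you can verify the state of a fleet before changing anything. It assumes an elevated PowerShell session; `-Apply` is a parameter I defined here, and the second path only exists on 64-bit Windows running 32-bit Office.

```powershell
# Audit (and optionally apply) the Equation Editor COM compatibility flag.
# Usage:  .\Check-EquationEditor.ps1            # report only
#         .\Check-EquationEditor.ps1 -Apply     # report and set the flag
param([switch]$Apply)

$clsid    = '{0002CE02-0000-0000-C000-000000000046}'   # Equation Editor 3.0
$expected = 0x400                                        # value from the reg add lines above
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
)

foreach ($p in $paths) {
    $current = $null
    if (Test-Path $p) {
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    }

    # Treat the flag as present when the 0x400 bit is set, even if other bits are too.
    if ($null -ne $current -and (($current -band $expected) -eq $expected)) {
        Write-Output ("OK       {0} : Compatibility Flags = 0x{1:X}" -f $p, $current)
        continue
    }

    Write-Output ("MISSING  {0} : Compatibility Flags = {1}" -f $p, $current)
    if ($Apply) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Type DWord -Value $expected
        Write-Output ("APPLIED  {0} : Compatibility Flags = 0x{1:X}" -f $p, $expected)
    }
}
```

The audit output is what you want to collect centrally: a host reporting MISSING on either path still has Equation Editor reachable from Office documents.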
If you liked the video, press Like, if you loved it, please subscribe. Also, please follow me on https://twitter.com/cybercdh
Thanks for watching!