Recently I’ve been researching into ActiveX controls in Office documents as I had some ideas I wanted to test out after reading Dominic Wang’s paper “Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability” [1] and Haifei Li’s and Bing Sun’s presentation slides “Attacking Interoperability: An OLE Edition” [2]. Some vulnerabilities…
Bypassing Windows ASLR in Microsoft Office using ActiveX controls
This is just a short post highlighting how easily ASLR could be bypassed by instantiating ActiveX controls using certain classids in Microsoft Office. I’ve mainly tested with MS Word on an updated Windows 7 32bit with Office 2010 32bit but other applications such as Excel and PowerPoint should work too. All these classids listed in…
-
Recent Posts
- Dokany/Google Drive File Stream Kernel Stack-based Buffer Overflow Vulnerability
- Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege
- Exploiting System Shield AntiVirus Arbitrary Write Vulnerability using SeTakeOwnershipPrivilege
- IKARUS anti.virus and its 9 exploitable kernel vulnerabilities
- Exploiting Vir.IT eXplorer Anti-Virus Arbitrary Write Vulnerability
Categories
Tags
Archives
- January 2019 (1)
- September 2018 (1)
- January 2018 (1)
- November 2017 (2)
- September 2016 (1)
- December 2015 (2)
- July 2015 (1)
- January 2015 (1)
- December 2014 (1)
- June 2014 (1)
- January 2014 (1)
- November 2013 (1)
- September 2013 (1)
- February 2013 (1)
- December 2012 (1)
- August 2012 (1)
- June 2012 (1)
- February 2012 (1)
- January 2012 (1)
- December 2011 (1)
- November 2011 (1)
- August 2011 (2)
- July 2011 (1)
- April 2011 (1)
- March 2011 (1)
- October 2010 (3)
- June 2010 (1)
- May 2010 (1)
- March 2010 (2)
- February 2010 (1)
- December 2009 (1)
- September 2009 (1)
- May 2009 (1)
- April 2009 (1)
- September 2008 (1)
- November 2007 (2)
Meta