CVE-2015-1641 PoC: Microsoft Office Memory Corruption Vulnerability

Source
Associated Vulnerability
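Title: Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)
Description: Microsoft Word and related applications are part of the Office product family from Microsoft, a US company. Word is a word-processing application. Office Compatibility Pack SP3 is an Office compatibility pack. Word Viewer is a free viewer for Office Word documents. A remote code execution vulnerability exists in Microsoft Office software because the program does not properly handle rich text format files in memory. An attacker can exploit the vulnerability with a specially crafted file to perform actions in the security context of the current user. The following products are affected: Microsoft Wor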
Description
Script to extract malicious payload and decoy document from CVE-2015-1641 exploit documents
Readme
# rtf_exploit_extractor
Script to extract malicious payload and decoy document from CVE-2015-1641 exploit documents

	usage: rtfexploit_extract.py [-h] [-o OUTFILE] [-d DECOY] [-l LENGTH] [-v] inputfile

	inputfile             exploit document to examine

	optional arguments:
	  -h, --help            show this help message and exit
	  -o OUTFILE, --outfile OUTFILE
	                        output filename for extracted payload
	  -d DECOY, --decoy DECOY
	                        output filename for extracted decoy document
	  -l LENGTH, --length LENGTH
	                        length of each marker to search for (def: 7)
	  -v                    print debug messages


All args are optional except for input filename.

Ref: http://blog.malwareclipboard.com/2015/10/rtf-exploit-document-extraction.html
File Snapshot

[4.0K] /data/pocs/0d5afb6c8cc73fa843def691dbb3997f51d92a6f
├── [ 782] README.md
└── [7.4K] rtfexploit_extract.py

0 directories, 2 files