CVE-2018-0802
CVE-2018-0802 copied to clipboard
rxwx
not working embedded 1
i made a gif to show not working and how it dropped executable. maybe you should check this then u realize the complains of it not working
And maybe you should check the equation editor version before raising issues.
Issue closed.
sorry about that i think i get your point, i need to install update for cve-2017-11882 before it could work.
i tried installing but i am getting this error
i downloaded the update from here
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
and there were not recent update in my windows update archive
Grab the .cab file from here (ignore the fact it's for 2007, any version will work as it's the same file):
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4011604
Then extract this using 7zip and you will see an .msp file like this:
Then extract that .msp file using 7zip also, and you will see a bunch of files like this:
Just grab the first one, rename it to EQNEDT32.EXE and drop it in the folder below (replacing the older version):
C:\Program Files\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE
The patched version of EQENEDT32.exe should have version number: 17081400
The sha256 hash for the file is: 6e69fa45984410399b7fdd565ee79c6f775c6898d32298f1cce21b74fbe6c9bf
Looks like you have the wrong cab file. Did you download it from that link above? If you just grab the first one in the table from that link it should do the trick.
yes i grab it from the link you gave me, i even tried maybe running it when i can't find EQNEDT32 but i got error in the image also no EQNEDT32 folder in C:\Program Files\Common Files\Microsoft Shared
i was able to make it work on win7 by replacing EQNEDT32 with the one i extracted from eqnedt32-sv-se.msp\PATCH_CAB.
But tested against this version using the -d option and it works on Win10 x32
but without the -d option, it did not working. just drop payload and not executing
Yup, the reason it is working on the older version is because it will be exploiting both CVE-2017-11882 (the older exploit), and CVE-2018-0802.
With regards to the path to EQNEDT32.exe on different versions of Office, please take a look at the blog from 0patch, which explains how to re-install the Equation Editor.
To quote the blog:
The location of the EQUATION folder depends on both the Office version and whether it's 32-bit or 64-bit Office. These are the default locations:
- 32-bit Office 2007, 2010 and 2013 on 32-bit Windows:
C:\Program Files\Common Files\microsoft shared\EQUATION - 32-bit Office 2007, 2010 and 2013 on 64-bit Windows:
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION - 64-bit Office 2007, 2010 and 2013:
C:\Program Files\Common Files\Microsoft Shared\EQUATION - 32-bit Office 2016 and 365 on 32-bit Windows:
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION - 32-bit Office 2016 and 365 on 64-bit Windows:
C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION - 64-bit Office 2016 and 365:
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION
to understand this better, if EQUATION do not exist on system it will not be vulnerable to 11882 & 0802?
Also, i found out this does not work on 64bit ms office 2016 system. tried on different PC only drop payload and not executing but same RTF works on others
@moaeddy Choose to install updates based on your version of office, I successfully tested it
