Format overflow vulnerabilities are often APT to attack the use. In such vulnerability, CVE2012-0 1 5 8 over the past year the most often used one. The use of the vulnerability of the carrier is typically an RTF file formats, the internal data in hex string form saved. 2 0 1 3 years 1 month of capture to through e-mail attachments attack of the samples, the samples using the MIME format, the sample information already in the VirusTotal on to the query can, for this sample the use of technology for the next presentation.
Most of the prior use of the CVE2012-0 1 5 8 samples are RTF format, as follows:
! Figure 1 RICH Text Format overflow sample data screenshot Figure 1 RICH Text Format overflow sample data screenshot
And this article captured sample is MIME format as shown in Figure 2:
! Figure 2 MIME format overflow sample Figure 2 the MIME format overflow samples
Wherein the embedded ocxstg001. mso file is a doc document file, the MIME uses base64 encoding to be encoded, using the CLSID it is cve2012-0 1 5 8 where the vulnerability of the module CLSID “BDD1F04B-858B-11D1-B16A-00C0F0283628”in.
! Figure 3 MIME in CLSID Figure 3 MIME in CLSID
! Figure 4ocxstg001. mso content Figure 4 ocxstg001. mso content
The ocxstg001. the mso content is BASE64 decoded to get a doc file: