0x00 Background

Recently I got hold of an Excel sample that was claimed to be a 0day capable of bypassing all antivirus products. After analysis it turned out to be disappointing: it is a 2012 vulnerability, not a 0day. Even though it is not a 0day, the shellcode in this sample is still quite distinctive, and it can indeed bypass most antivirus and proactive defense products. Below I analyze the exploitation technique and the shellcode technique used by this Excel exploit.

0x01 vulnerability analysis

The vulnerability is CVE-2012-0158, a stack overflow. When MSCOMCTL.OCX parses a Cobj structure, it takes the length field straight from the file data and uses it as the copy length, so the copied data can overwrite a function return address on the stack, which is what makes the stack overflow exploitable.
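To make the bug pattern concrete, here is an added example (my own code, not the MSCOMCTL.OCX code or the sample's) of a tiny record parser built around a hypothetical layout: a 2-byte tag, a 4-byte little-endian length, then the payload. The unchecked parser copies with the file-supplied length exactly as described above; the checked parser validates that length against both the bytes actually present in the input and the size of the destination buffer before copying. The record layout, sizes and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, assumed for this example (not the real
 * MSCOMCTL.OCX object layout): 2-byte tag, 4-byte little-endian payload
 * length, then `length` payload bytes. */
#define HDR_SIZE 6
#define DEST_SIZE 8   /* fixed-size stack buffer the payload is copied into */

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,        /* fewer than HDR_SIZE bytes available */
    PARSE_LEN_EXCEEDS_INPUT,   /* declared length runs past the end of the data */
    PARSE_LEN_EXCEEDS_DEST     /* declared length larger than the destination */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug pattern described above: the file-supplied length drives the memcpy
 * into a fixed-size stack buffer with no bound, so a length larger than
 * DEST_SIZE runs past `payload` into the rest of the frame. Shown for contrast
 * only; main() calls it with a well-formed record so it stays in bounds. */
static size_t parse_record_unchecked(const uint8_t *in) {
    uint8_t payload[DEST_SIZE];
    uint32_t len = read_le32(in + 2);
    memcpy(payload, in + HDR_SIZE, len);   /* no check on len */
    return len;
}

/* Hardened form: the length is checked against what the input actually
 * contains and against the buffer the caller owns before any copy happens. */
static enum parse_result parse_record_checked(const uint8_t *in, size_t in_len,
                                              uint8_t *out, size_t out_size,
                                              size_t *out_len) {
    if (in_len < HDR_SIZE) return PARSE_SHORT_HEADER;
    uint32_t len = read_le32(in + 2);
    if (len > in_len - HDR_SIZE) return PARSE_LEN_EXCEEDS_INPUT;
    if (len > out_size) return PARSE_LEN_EXCEEDS_DEST;
    memcpy(out, in + HDR_SIZE, len);
    *out_len = len;
    return PARSE_OK;
}

/* Constructed sample records (not taken from the analysed file). */
static const uint8_t good_record[] = {
    0x01, 0x00,               /* tag */
    0x04, 0x00, 0x00, 0x00,   /* length = 4 */
    0xAA, 0xBB, 0xCC, 0xDD    /* payload */
};
/* Declares 16 bytes and carries all 16: longer than DEST_SIZE, must be rejected. */
static const uint8_t oversized_record[] = {
    0x01, 0x00,
    0x10, 0x00, 0x00, 0x00,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};
/* Declares 4 bytes but the data ends after 2. */
static const uint8_t truncated_record[] = {
    0x01, 0x00,
    0x04, 0x00, 0x00, 0x00,
    0xAA, 0xBB
};

int main(void) {
    uint8_t buf[DEST_SIZE];
    size_t n = 0;
    enum parse_result r;
    r = parse_record_checked(good_record, sizeof good_record, buf, sizeof buf, &n);
    printf("good: result=%d len=%zu\n", r, n);
    r = parse_record_checked(oversized_record, sizeof oversized_record, buf, sizeof buf, &n);
    printf("oversized: result=%d\n", r);
    r = parse_record_checked(truncated_record, sizeof truncated_record, buf, sizeof buf, &n);
    printf("truncated: result=%d\n", r);
    /* The unchecked parser only stays in bounds because this record is well-formed. */
    printf("unchecked good: len=%zu\n", parse_record_unchecked(good_record));
    return 0;
}
```

The point of the two separate checks is that each one catches a different bad input: the input-length check stops reads past the end of the file buffer, and the destination-size check is the one that prevents the stack overwrite this CVE describes. Dropping either of them leaves one of the two failure modes open.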

There are already many analyses of the vulnerability itself online, so it is not the focus here; what we mainly look at is how this exploit's shellcode is written so that it bypasses antivirus software.

0x02 Shellcode1

