Sunday, August 29, 2010

Microsoft Office Property Code Execution exploit (CVE-2006-2389) Analysis!!

The Sample is from Thanks Mila =)

All Files and recreated exploit code are uploaded at for analysis...

Exploit added at :::
This file exploits the vulnerability CVE-2006-2389.The Document size is 292864 bytes. There is an executable and real doc file embedded in this file.

Upon executing this file an executable is dropped which is embedded at offset 0x18200. This executable is XOR’ed with 32 bit key 0x58E5F269 and also the first 512 bytes are flipped using 16 bit byte flip operation. The size of this exe is 90112 bytes.

Additionally This dropped executable also drops an exe named “NAVPInst.exe” of size 28672 bytes

From offset 0x2e200 an genuine DOC file is embedded. Its size is 103936 bytes. The first 4 bytes of doc file which are 0xD0CF11E0 are replaced by 0xCFD0E011.

The shellcode starts from offset 0x16738 and 0x16a08 which writes the executable and the genuine doc file to the disc and executes it.


  1. hey, i was going though the same file, but unable to locate or find NAVPInst.exe file, can you pls upload that file so that I can continue my research over this.

  2. Hi You can find the sample and all related files here