Information

Stack-based buffer overflow in EQNEDT32.EXE at image base + 0x43F6C.
This bug let us control eip and ebp directly.
The module was not compiled with any exploit mitigations; Microsoft only added ASLR to it after the fix for the Embedi PoC.
ASLR can still be overcome by embedding 256 equations, which between them cover every possible 32-bit image base address.

Crash Dump

(884.8cc) Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0030be76 ebx=00000006 ecx=75ebd04d edx=00000002 esi=0018f7dc edi=0018f5e0
eip=41414141 esp=0018f484 ebp=41414141 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212
41414141 ?? ???
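Added example, not part of the original report: a small triage script that parses the WinDbg register state quoted above and flags registers holding a uniform fill pattern such as 0x41414141, which is what makes this crash a controlled-EIP stack overflow rather than a plain read fault. The dump text is embedded inline as constructed sample input so the script runs offline.

```python
import re

# Constructed sample: the register state quoted in the crash dump section of this
# report, embedded here so the script runs without a live debugger session.
SAMPLE_DUMP = """(884.8cc) Access violation - code c0000005 (first chance)
eax=0030be76 ebx=00000006 ecx=75ebd04d edx=00000002 esi=0018f7dc edi=0018f5e0
eip=41414141 esp=0018f484 ebp=41414141 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212
41414141 ?? ???
"""

# 32-bit general purpose registers as WinDbg prints them: name=8 hex digits.
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-fA-F]{8})\b")
# A faulting address WinDbg cannot disassemble ("?? ???") lies outside every loaded module.
UNRESOLVED_RE = re.compile(r"^([0-9a-fA-F]{8})\s+\?\?\s+\?\?\?", re.M)


def parse_registers(dump: str) -> dict:
    """Return {register: int} for every x86 register pair found in a WinDbg dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def is_fill_pattern(value: int) -> bool:
    """True if all four bytes are identical, e.g. 0x41414141 from an 'A' fill."""
    return len(set(value.to_bytes(4, "little"))) == 1


def triage(dump: str) -> dict:
    """Classify a crash by which registers carry the overflow fill pattern."""
    regs = parse_registers(dump)
    controlled = sorted(r for r, v in regs.items() if is_fill_pattern(v))
    m = UNRESOLVED_RE.search(dump)
    unresolved = int(m.group(1), 16) if m else None
    # EIP holding the fill byte and pointing where no module is mapped means the
    # saved return address was overwritten: the classic stack overflow signature.
    eip_controlled = "eip" in controlled and unresolved == regs.get("eip")
    if eip_controlled and "ebp" in controlled:
        verdict = "return address and saved frame pointer overwritten"
    elif eip_controlled:
        verdict = "return address overwritten"
    else:
        verdict = "no direct control of eip observed"
    return {"registers": regs, "controlled": controlled, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```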

PoC

poc.zip password is “infected”

Attachments:
poc.zip

References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
https://research.checkpoint.com/another-office-equation-rce-vulnerability/