From EK to DEK - An Analysis of Modern Document Exploit Kits

Explore the evolution and inner workings of modern document exploit kits in this 40-minute conference talk from BSidesLV 2019. Delve into an in-depth analysis of ThreadKit and VenomKit, examining their infection chains and campaign examples. Gain insights into various exploitation techniques, including compound moniker logic exploits, composite moniker OLE objects, and scriptlet examples. Investigate buffer overflow exploits in Equation Editor and font records, as well as Adobe Flash use-after-free vulnerabilities. Learn about the adoption of red team techniques and understand the key takeaways for defending against these sophisticated threats.

Intro
DOCUMENT EXPLOIT KITS
THREADKIT AND VENOMKIT
THREADKIT CAMPAIGN EXAMPLE
OLE OVERVIEW
THREADKIT INFECTION CHAIN EXAMPLE
VENOMKIT INFECTION CHAIN EXAMPLE
COMPOUND MONIKER LOGIC EXPLOIT
COMPOSITE MONKER OLE OBJECT
SCRIPTLET EXAMPLE
EQUATION EDITOR BUFFER OVERFLOW EXPLOITS
FONT RECORD BUFFER OVERFLOW
LOGFONT BUFFER OVERFLOW
ADOBE FLASH UAF - UAF TRIGGER
RED TEAM TECHNIQUE ADOPTION
CONCLUSION & TAKEAWAYS
ACKNOWLEDGEMENTS