
Conversation

@carlospolop

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.thezdi.com/blog/2025/10/6/crafting-a-full-exploit-rce-from-a-crash-in-autodesk-revit-rfa-file-parsing
  • Blog Title: Crafting a Full Exploit RCE from a Crash in Autodesk Revit RFA File Parsing
  • Suggested Section: Generic Methodologies & Resources -> Basic Forensic Methodology -> Specific Software/File-Type Tricks -> Office file analysis (add subsection: OLE Compound File exploitation: Autodesk Revit RFA - ECC recomputation and controlled gzip) and cross-link to a Windows Exploitation/ROP page for the destructor-loop/weird-machine and writable-IAT gadget-creation techniques

🎯 Content Summary

Post: Crafting a Full Exploit RCE from a Crash in Autodesk Revit RFA File Parsing (October 8, 2025) by Simon Zuckerbraun (Trend Micro ZDI).

What’s exploited
A type confusion in Autodesk Revit 2025’s RFA deserializer lets a crafted RFA file drive an indirect call through a fake vtable pointer, enabling stack pivot and full x64 ROP for arbitrary command execution. Tracked as CVE‑2025‑5037 (ZDI‑CAN‑26922, advisory ZDI‑25‑597), patched by Autodesk in July 2025. Comb...

🔧 Technical Details

Deserializer vtable type confusion → single‑gadget execution: When a deserializer assumes vtable[0] for destructor on objects read by 16‑bit type index, selecting a non‑polymorphic type lets the value at offset 0 be attacker‑controlled. Choosing AString (idx 0x1F) places a pointer to attacker bytes at offset 0; the destructor loop executes call qword ptr [rax], granting one controlled gadget per object.

Controlling OLE RFA bytes despite auto‑repair: RFA’s Global\Latest stream is header + GZIP + zero‑pad + ECC trailer. Revit auto‑corrects minor changes and rejects big mismatches. Recompute ECC and use Revit‑compatible gzip/gunzip to ensure the exact bytes reach the deserializer and persist.

Stack pivot without stack smash: If rax is a 32‑bit heap address (Win10), hunt a misaligned mov esp,eax “monster gadget” that eventually rets to the heap ROP chain. On Win11, use the dest...

🤖 Agent Actions

I analyzed the ZDI blog post and updated HackTricks with the new techniques and tools. Summary of what I did:

  1. Selected the best location for the file-format exploitation details
  • Found: src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
  • This is the right place to document OLE Compound File tricks and Revit RFA stream control.
  2. Added a new subsection to Office file analysis for OLE RFA exploitation
  • Title: OLE Compound File exploitation: Autodesk Revit RFA – ECC recomputation and controlled gzip
  • Content added:
    • RFA is an OLE Compound File; serialized model is at Global\Latest.
    • Global\Latest structure: header + gzip payload + zero padding + ECC trailer.
    • Revit auto-repairs mutations using ECC and rejects large mismatches; to get exact bytes to the deserializer, you must recompress with Revit-compatible gzip and recompute ECC.
    • Practical workflow using CompoundFileTool to expand/rebuild OLE files:
      • Expand: CompoundFileTool /e model.rfa /o rfa_out
      • Edit rfa_out/Global/Latest with Revit-compatible gzip and ECC recomputation.
      • Rebuild: CompoundFileTool /c rfa_out /o model_patched.rfa
    • Short exploitation insight to pick AString (0x1F) and leverage the destructor loop call primitive:
      rcx = [rbx]; rax = [rcx]; call qword ptr [rax]
    • Cross-links:
      • To Windows pivot/ROP methodology pages:
        • ../../../binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
        • ../../../binary-exploitation/rop-return-oriented-programing/README.md
    • Tooling references: CompoundFileTool, IDA+TTD, Fiddler.
    • References section appended:
      • ZDI blog URL
      • CompoundFileTool GitHub
      • Microsoft OLE CFBF docs
  3. Cross-linked and extended Windows exploitation content (stack pivoting)
  • Updated: src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
  • Added a new section: Windows: Destructor-loop weird-machine pivots (Revit RFA case study)
    • Describes using the one-gadget-per-object destructor loop primitive to pivot:
      • Win10 pivot: misaligned “monster gadget” mov esp, eax; ret
      • Win11 pivot: two-gadget loop-machine pivot using push rax; pop rbp; ret and leave; … ; ret
    • Added Windows x64 tips:
      • Shadow space (0x20 bytes), 16-byte alignment before calls.
      • lea rcx, [rsp+0x20]; call rax + pop rax; ret trick to pass stack literals as args.
      • Non-ASLR helper libraries for stable gadgets and import resolution.
      • Creating missing gadgets via writable thunk: overwrite a writable function pointer target so a sequence ending in call becomes ret (e.g., mov rdx, rsi; mov rcx, rdi; ret).
    • Added the ZDI blog to the References.
  4. External research used
  • ZDI blog (fetched)
  • CompoundFileTool README (for usage)
  • Microsoft OLE Compound File docs

Files modified:

  • src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
  • src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md

Notes:

  • I did not create any new page, as existing pages were a good fit.
  • I kept formatting and style consistent and added “## References” sections where required.
  • The Office page now cross-links to the Windows ROP/pivot pages.
  • The stack pivot page now includes the destructor-loop/weird-machine pivot pattern and the writable-thunk gadget creation technique as requested.

References added:


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
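The Global\Latest layout summarised above (header + gzip payload + zero padding + ECC trailer) can be carved and sanity-checked for triage. The following is an added example, not code from the PR, the blog post or CompoundFileTool; the header bytes and trailer bytes are constructed stand-ins, the real ECC scheme is not documented here and is not verified, and the padding/trailer boundary is a heuristic (an ECC trailer that itself starts with 0x00 bytes would be partly counted as padding).

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2, CM=deflate


def carve_latest_stream(blob: bytes) -> dict:
    """Split a raw Global\\Latest stream (as dumped by CompoundFileTool /e) into
    header, gzip member, zero padding and trailing ECC bytes, and verify that the
    gzip member decompresses completely. A member that is truncated or corrupt is
    reported as an error, which is a useful tamper signal during triage."""
    gz_off = blob.find(GZIP_MAGIC)          # first gzip member in the stream
    if gz_off < 0:
        raise ValueError("no gzip member found in stream")
    d = zlib.decompressobj(wbits=31)        # 31 = gzip container framing
    try:
        payload = d.decompress(blob[gz_off:])
    except zlib.error as exc:
        raise ValueError(f"gzip member is corrupt: {exc}") from exc
    if not d.eof:
        raise ValueError("gzip member is truncated (no end-of-member reached)")
    tail = d.unused_data                    # everything after the gzip CRC/ISIZE
    trailer = tail.lstrip(b"\x00")          # heuristic: padding is the zero run
    padding_len = len(tail) - len(trailer)
    return {
        "header": blob[:gz_off],
        "gzip_offset": gz_off,
        "gzip_length": len(blob) - gz_off - len(tail),
        "payload": payload,
        "padding_length": padding_len,
        "ecc_trailer": trailer,             # not validated: ECC scheme unknown
    }


def build_sample_stream(model_bytes: bytes) -> bytes:
    """Constructed sample stream (NOT a real RFA) following the documented layout.
    Header and trailer values are hypothetical placeholders."""
    header = b"RVT-LATEST-HDR\x00\x01"       # constructed, 16 bytes
    gz = gzip.compress(model_bytes, mtime=0)
    padding = b"\x00" * 16
    trailer = b"\xde\xad\xbe\xef\x10\x20\x30\x40"  # stand-in for ECC bytes
    return header + gz + padding + trailer


if __name__ == "__main__":
    sample = build_sample_stream(b"constructed model payload " * 20)
    info = carve_latest_stream(sample)
    print({k: (v if k != "payload" else len(v)) for k, v in info.items()})
```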

@carlospolop

🔗 Additional Context

Original Blog Post: https://www.thezdi.com/blog/2025/10/6/crafting-a-full-exploit-rce-from-a-crash-in-autodesk-revit-rfa-file-parsing

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Basic Forensic Methodology -> Specific Software/File-Type Tricks -> Office file analysis (add subsection: OLE Compound File exploitation: Autodesk Revit RFA - ECC recomputation and controlled gzip) and cross-link to a Windows Exploitation/ROP page for the destructor-loop/weird-machine and writable-IAT gadget-creation techniques".

Repository Maintenance:

  • MD Files Formatting: 896 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop

merge

@carlospolop carlospolop merged commit af0993c into master Oct 11, 2025
@carlospolop carlospolop deleted the update_Crafting_a_Full_Exploit_RCE_from_a_Crash_in_Autode_20251008_183359 branch October 11, 2025 23:09