A newline character causes the Oscar vulnerability 0day(CVE-2017-8759)reproduction-latest Office the highest level of threat attack warning-vulnerability warning-the black bar safety net

Krzysztof, the 360 group focus of the Security Business Unit elucidating the team invented a new type of Office document high-end intimidating onslaught, the 进击应用了9月12日补钉刚修复的.NET Framework flaws vulnerability bug, the flaw exploits a bug in the field is applied for 0day condition, the user closed the vicious thoughts of the Office document will be caught. The flaws exploit the bug of the tips make sense and the year of the hack“Oscar”of Pwnie Awards on the best client flaws vulnerability bug（CVE-2017-0199）the same, the differences is that the hackers in the Offcie of the document embedded in the new Moniker of the tool, the application is. net Library flaws exploits a bug in an Office document is loaded perform a long of vicious thoughts. NET code, 而全部破绽漏洞bug的罪魁祸首竞是.NET Framework, a newline, and the disposal of the mistakes.
Onslaught impact of elucidating
Via the process of a series of fields of application of the samples the the server file time to stop tracking elucidating, we have reason to trust the flaws vulnerability bug field application time the presentation time for the 2017 year 8 on 16, or even earlier, the flaws vulnerability bug toward the application of 0day flaws vulnerability bug situation, today Microsoft had an urgent announcement. net Framework patch to repair the flaws vulnerability bug.
! [](/Article/UploadPic/2017-9/2017913201828446. png? www. myhack58. com)
该破绽漏洞bug影响所有主流的.NET Framework version. Because mainstream windows operating systems are tacitly built in. net Framework hack via process office documents embedded in the long-haul of vicious thoughts. net code to stop the onslaught, all of the windows System and the installation of the office software users YAP affected. Now the flaws vulnerability bug details once in the foreign small-scale enactment, a onslaught to May was numerous trend.
Microsoft . NET Framework 4.6.2
Microsoft . NET Framework 4.6.1
Microsoft . NET Framework 3.5.1
Microsoft . NET Framework 4.7
Microsoft . NET Framework 4.6
Microsoft . NET Framework 4.5.2
Microsoft . NET Framework 3.5
Microsoft . NET Framework 2.0 SP2
0day flaws vulnerability bug problem details elucidating
In the. net Library in the SOAP WSDL profiling module IsValidUrl function without the right disposal including carriage return newline in the environment, lead to the misappropriation of those functions PrintClientProxy the presence of code injection to fulfil flaws vulnerability bug.
! [](/Article/UploadPic/2017-9/2017913201828596. png? www. myhack58. com)
Diversion’s function screenshot below

! [](/Article/UploadPic/2017-9/2017913201828256. png? www. myhack58. com)
Disorders environment currently on file including a plurality of soap:address location when PrintClientProxy function of the innate code as long as the first row is useful, other actions of the body.
But the Department code is not at the discretion of the soap:address location content can be perhaps the presence of a newline character, leading to the body of the command“//”only the first line of the failure, else the code is as useful code disorders to fulfill.
Vicious thoughts sample will structure the following figure the output the soap xml data
! [](/Article/UploadPic/2017-9/2017913201828977. png? www. myhack58. com)
Because of the presence of flaws vulnerability bug profiling Library for soap xml data in the newline disposal blunders, csc. the exe will compile its injected. net code running
! [](/Article/UploadPic/2017-9/2017913201828949. png? www. myhack58. com)
Sample flaws vulnerability bug onslaught process of elucidating
Above we picked the flaw exploits a bug of a field application of the sample to stop elucidating the flaws vulnerability bug really document the pattern of rtf, the sample application cve-2017-0199 same objupdate tool update mechanism, the application of the SOAP Moniker from the long-distance server to pull a SOAP XML file, specify the . net Library SOAP WSDL module analysis.

! [](/Article/UploadPic/2017-9/2017913201828677. png? www. myhack58. com)
! [](/Article/UploadPic/2017-9/2017913201829309. png? www. myhack58. com)
Flaws vulnerability bug the complete fulfillment flow the following:
! [](/Article/UploadPic/2017-9/2017913201829375. png? www. myhack58. com)
Sample onslaught script loads elucidating
Vicious thoughts of a soap xml file to be pulled to the local, SOAP WSDL library to dissect the flaws vulnerability the bug is triggered, csc. exe will take the initiative to compile the fulfilment of which the. net code.
! [](/Article/UploadPic/2017-9/2017913201829780. png? www. myhack58. com)
The Code of the Application System. Diagnostics. Process. Start interface misappropriation of Rwanda. exe loaded long-haul hta script to fulfil.
! [](/Article/UploadPic/2017-9/2017913201829266. png? www. myhack58. com)
Vicious thoughts hta script embedded in a db suffix of the binary stream file in, played a certain promiscuous pretend to reform it.
! [](/Article/UploadPic/2017-9/2017913201829692. png? www. myhack58. com)
Ultimate, the sample will be applied powershell download operation pretending to offcie patch file name of the PE load.
! [](/Article/UploadPic/2017-9/2017913201829765. png? www. myhack58. com)

Sample PE load briefly elucidating
Via the process of the PE load of elucidating, in our invention the sample is the sample application of the severe confounding of the code and the fictional machine tips specifically blocking the researchers elucidating the fictional machine encryption framework is relatively complicated, probably flow less.

[1] [2] next