
Nov 09, 2018 - 12:00 a.m.

Analysis of an 11882 overflow document with an unusual exploitation technique






A very interesting RTF document recently came my way by chance. It produced a pile of behavior in the sandbox, and the document's own obfuscation is quite unusual, so I spent a little time analyzing the sample. With the sample's attack techniques and attack chain largely worked out, part of the analysis process, the sample and the data are published here for your reference.
Special thanks to Flygend for providing the intelligence, and to silver Yan ice for support during the analysis in understanding the shellcode and the obfuscation.
0x00 Basic sample information
The sample is an RTF document. It was first uploaded to VT on October 24, by a user located in China, via web upload.
![](/Article/UploadPic/2018-11/201811914344718.png)
Viewing the sample in an editor shows that the embedded OLE object has been obfuscated.
![](/Article/UploadPic/2018-11/201811914345322.png)
Since tools could not extract the OLE object, the method suggested by silver Yan ice was used to successfully obtain the Equation.3 object, and part of the suspected shellcode data was found in its stream.
![](/Article/UploadPic/2018-11/201811914345629.png)
After analysis and sorting, the sample's drop process chain is as follows:
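A triage sketch for the situation described above, added here as an example and not the author's method or tooling: it normalizes an obfuscated `\objdata` hex stream and reports whether the embedded object names the Equation.3 class. The obfuscation model (whitespace, stray control words and nested groups mixed into the hex) and the sample string are assumptions, since the page does not show how this sample was obfuscated.

```python
import re
import struct

# Control word (\objw123 ) or control symbol (\*), per the RTF grammar.
CONTROL = re.compile(r"\\(?:[A-Za-z]+-?\d* ?|[^A-Za-z])")
HEX = set("0123456789abcdefABCDEF")

# Assumed model: hex inside nested groups is ignored; \binN data is not handled.
def objdata_blobs(rtf):
    """Decode every \\objdata destination, tolerating interleaved junk."""
    blobs = []
    for m in re.finditer(r"\\objdata(?![A-Za-z])", rtf):
        i, depth, digits = m.end(), 0, []
        while i < len(rtf):
            c = rtf[i]
            if c == "\\":  # skip control words mixed into the hex
                cw = CONTROL.match(rtf, i)
                i = cw.end() if cw else i + 1
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break  # closing brace of the objdata group
                depth -= 1
            elif depth == 0 and c in HEX:
                digits.append(c)  # whitespace and other characters are dropped
            i += 1
        digits = digits[: len(digits) // 2 * 2]  # ignore a dangling nibble
        blobs.append(bytes.fromhex("".join(digits)))
    return blobs

def ole1_class_name(blob):
    """ClassName from an OLE 1.0 ObjectHeader: OLEVersion, FormatID, length-prefixed ANSI string."""
    if len(blob) < 12:
        return None
    _version, _format_id, n = struct.unpack_from("<III", blob, 0)
    if n == 0 or 12 + n > len(blob):
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("latin-1")

def embeds_equation_editor(rtf):
    """True if any objdata blob names the Equation.3 class (header field or raw bytes)."""
    for blob in objdata_blobs(rtf):
        name = ole1_class_name(blob) or ""
        if name.lower() == "equation.3" or b"equation.3" in blob.lower():
            return True
    return False

# Constructed sample (not from the analyzed document): an OLE 1.0 header naming
# "Equation.3", split by whitespace, a stray control word and a nested group.
SAMPLE = (r"{\rtf1{\object\objemb{\*\objdata 0105 0000" "\n"
          r"0200\par 0000{\*\junk 4141}0b00000045717561 74696f6e2e3300}}}")
```

To run it on a file, read the bytes and decode them as latin-1 before calling `embeds_equation_editor`, so that no byte value is lost.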

0x01 Analysis of the doc document
First, the document's OLE object is heavily obfuscated, so the OLE object has to be loaded into memory and dumped from there; see the following debugging notes:
![](/Article/UploadPic/2018-11/201811914345482.png)
Register a debugger for Eqnedt32.exe and run the RTF document; the doc file triggers the CVE-2017-11882 vulnerability. The content being copied is shown in the following figure, and the part circled in the red box triggers the vulnerability:
![](/Article/UploadPic/2018-11/201811914345596.png)
The stack frame layout is shown below; the boxed part and the part circled in red are, respectively, the function's return address and the first parameter pushed:
![](/Article/UploadPic/2018-11/201811914345268.png)
The following screenshot shows that strlen returns 0x30 and that the copy destination is the stack location ebp-0x28, so 8 bytes overflow and the function's return address is replaced with 0x410db7. The instruction at 0x410db7 is a ret, so on this second stack pop EIP is assigned the value of the function's first parameter, which is 0x18f354.
![](/Article/UploadPic/2018-11/201811914345951.png)
When the program reaches the point shown in the next figure, the first stage of shellcode executes. This stage's behavior: jump to the memory area 0x5a88f0 pointed to by the current esp+0x2c8 (0x18f4a4).
![](/Article/UploadPic/2018-11/201811914345847.png)
After decryption finishes, execution jumps to the real shellcode:
![](/Article/UploadPic/2018-11/201811914345718.png)
As the figure above shows, the shellcode is in the heap, so the second stage of shellcode can only run in an environment where DEP is not turned on.
The second-stage shellcode first performs XOR decryption and, once decryption is complete, jumps to the function entry. This shellcode hard-codes a lot of strings and API addresses, and encrypts them. The first half uses a lot of string concatenation and padding to generate the directory that files will be dropped into and the name of the DLL to load.
![](/Article/UploadPic/2018-11/201811914345997.png)
![](/Article/UploadPic/2018-11/201811914345664.png)
Accesses the registry key to set start on boot:
![](/Article/UploadPic/2018-11/201811914345596.png)
Enumerates processes for anti-debugging:
![](/Article/UploadPic/2018-11/201811914345784.png)
Drops files:
![](/Article/UploadPic/2018-11/201811914345158.png)
MSCLTLAA.exe is the PE file obtained after string2Byte decryption.
![](/Article/UploadPic/2018-11/201811914346672.png)
Creates MSCLTPAA.exe and then writes the decrypted data to it.
![](/Article/UploadPic/2018-11/201811914346300.png)
![](/Article/UploadPic/2018-11/201811914346711.png)
