A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net

Recently harvested a suffix called doc word document, view the After is actually a rich text format document. In a test environment to open after the discovery of a network connection and executing a program of action, determine the sample is malware document. After a preliminary analysis, found that the sample is CVE-2017-11882 vulnerabilities using a new sample. CVE-2017-11882 vulnerability and CVE-2018-0802 vulnerability based on Office equation editor processing logic, is the nearest office of malicious attacks document by conventional means. On the network for the vulnerability of the Genesis, the use of analysis of already in place, such as 360 days eye laboratory using the Office Equation Editor special processing logic of the newestfree to killtechnical analysis of CVE-2017-11882, as well as Tencent computer housekeeper NDAY vulnerability CVE-2017-11882 and 0Day vulnerability CVE-2018-0802 vulnerability combination of the dissemination of remote control Trojans of the sample analysis and other technical reports. The samples and before each analysis are slightly different, should be CVE-2017-11882 vulnerability and a variant version.
First, the basic operation of the
Experimental environment: windows 7 x64 sp1, Chinese edition, office 2010 Chinese version.
The vulnerability of the sample after opening, the display content of the document is garbled, as shown below.
! [](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png! small)
In addition, in the%temp%directory to build and run a named emre. exe executable files. Capture found emre. exe from http://ghthf. cf/cert/ochicha. exe download generated. As shown below.
! [](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png! small)
Second, the vulnerability to debug
1, the sample form
winhex opens the following two figures shown. The document directly behind the heel to display the content.
! [](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png! small)
Followed by that object, as shown below.
! [](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png! small)
2, RTF, a preliminary analysis of the
With rftobj after the analysis of the results is shown below. You can see the clsid for 0002ce02-0000-0000-c000-000000000046 i.e. Microsoft Equation Editor object.
! [](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png! small)
! [](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png! small)
From the figure we can see that the object name is“eQuatiON native”, the normal name of the object“Equation Native”for the case conversion operations, may also be the pursuit offree to killone of the effects.
3, vulnerability debugging
According to various aspects of the vulnerability analysis report, we direct commissioning a vulnerability where a function 0041160F it.
! [](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png! small)
After the 11th rep after the operation, as in the following figure, the stack 0x0043F775 be covered.
! [](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png! small)
! [](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png! small)
And EQNEDT32. EXE process 0x0043F775 the value of is C3, happens to be the instruction retn。
! [](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png! small)
After the execution jumps to the shellcode location. As shown below:
! [](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png! small)
4, the shellcode debugging analysis
shellcode location in the eQuatiON-native object.
Divided into two parts, wherein the start location 0×0826, B9 C439E66A shown on figure 0018F354 at the disassembly instructions start to 0851, followed by four bytes 0x0043F7F5（EQNEDT32. EXE process in the RETN instruction is. The second portion of the position in the 0x089E at the beginning to the end.
! [](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png! small)
The first part of the shellcode to jump to the second part of the compilation command as shown below:
! [](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png! small)
After analysis, found that the segment of shellcode, a series of jmp jump instruction operation, due to shellcode obfuscation and protection. For example, the following figure shows:
! [](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png! small)

[1] [2] next