Analyzing an exploit for CVE-2017-11826
The latest Patch Tuesday (17 October) brought patches for 62 vulnerabilities, including one that fixed CVE-2017-11826 – a critical zero-day vulnerability used to launch targeted attacks – in all versions of Microsoft Office.
The exploit for this vulnerability is an RTF document containing a DOCX document that exploits CVE-2017-11826 in the Office Open XML parser.
The exploit itself is in word/document.xml as follows:
Under the ECMA-376 standard for Office Open XML File Formats, the valid ‘font’ element describing the fonts used in the document must look like this:
In the body of the exploit the closing tag </w:font> is absent. The opening tag <w:font> is followed by the object element <o:idmap/>, which causes a ‘type confusion’ in the OOXML parser. Any object element can be used to successfully exploit this vulnerability. To pass one of the checks preceding the exploitation, there must be an OLEObject element in front of the <w:font> tag, and the content of its name attribute must be no shorter than 32 bytes after conversion from UTF-8 into Unicode.
After conversion from UTF-8 to Unicode, E8 A3 AC E0 A2 80 becomes EC 88 88 08.
If all these conditions are fulfilled, the resulting pointer will be dereferenced, and control will be transferred to the value stored at that address plus an offset of 4.
To control the memory content at address 0x088888EC, the attackers apply the popular heap spraying technique with use of ActiveX components:
The exploit bypasses ASLR and DEP using ROP and gadgets from msvbvm60.dll. The msvbvm60.dll module is loaded from the RTF document with the help of a CLSID associated with this DLL:
The first part of ROP sets the ESP register’s value:
The second part of ROP is ignored: it was used to set the EIP register at 0x088883EC. The last ‘pop eax; retn’ gadget moves the address 0x729410D0 into EAX. This is the address for the VirtualProtect pointer in the Imports area of msvbvm60.dll from Kernel32.dll:
The VirtualProtect pointer is used in the next ROP gadget to call the function VirtualProtect(0x8888C90, 0x201, 0x40, 0x72A4C045). After this, control is transferred to the shellcode at the address 0x8888F70, which decrypts and executes the embedded DLL:
Kaspersky Lab’s security solutions detect exploits for CVE-2017-11826 as:
- Exploit.MSWord.Agent.ix;
- Exploit.MSOffice.CVE-2017-11826.a;
- HEUR:Exploit.MSOffice.Generic.
IOC
cb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5