
Analysis of CVE-2017-11882 and White Elephant Samples


CVE-2017-11882 is a remote code execution vulnerability disclosed by Microsoft. It lies in the EQNEDT32.EXE Equation Editor module, which is installed by default with Office. The module uses OLE (Object Linking and Embedding) to embed equations in Office documents.

The vulnerability exists because the Equation Editor EQNEDT32.EXE (path C:\Program Files\Common Files\microsoft shared\EQUATION), when reading OLE data containing a MathType equation, does not check the length of the equation font name before copying it. An attacker can therefore overwrite the function's return address on the stack with crafted data, causing a stack buffer overflow, hijacking the program's control flow and executing arbitrary code. In addition, when equations are inserted or edited, EQNEDT32.EXE is not created as a child of the Office process but runs as a separate process, so the protection mechanisms of the Office process do not cover EQNEDT32.EXE. Judging by the effect of the exploit, it affects all versions of Office from 2003 to 2016.
APT groups such as Manlinghua, White Elephant, Maha Grass, and Rattlesnake have used documents exploiting this vulnerability to launch attacks.
(The above background comes from the Internet.)


Vulnerability Analysis

System environment: Win10
Office version: Office 16
PoC:
https://github.com/Ridter/CVE-2017-11882
Because calc.exe pops up after double-clicking the PoC document, breakpoints are set on the CreateProcess and WinExec functions.

The break occurs at WinExec. The return address of WinExec is 00430C18, its parameter is at 19ef00, and the parameter content is a command that opens calc.exe through cmd.


At this point ebp should hold the caller's ebp, but it is 41414141: ebp has been clobbered. Look toward lower addresses (the stack frames of functions that have already executed lie at lower addresses) to find where ebp was overwritten.

The rep movsd instruction at 411658 copies ecx double words from esi to edi:
rep movs byte ptr es:[edi], byte ptr ds:[esi] is abbreviated as rep movsb
rep movs word ptr es:[edi], word ptr ds:[esi] is abbreviated as rep movsw
rep movs dword ptr es:[edi], dword ptr ds:[esi] is abbreviated as rep movsd
The number of copies is determined by ecx.
EDI is ebp-28h (a 40-byte buffer), while the copied content is 48 bytes: 41414141 overwrites the saved ebp, and the remaining four bytes overwrite the return address. The function returns to that address, which executes call WinExec, and the parameters are already on the stack. (If ecx is greater than 0xA, the saved ebp is overwritten; if it is greater than 0xB, the return address is overwritten.)

Set a breakpoint at WinExec.
Find the function that calls WinExec from the stack (looking toward higher addresses).

Analyzing function 4115a7: it calls function 41160f, which performs the unsafe string copy at 411658. The length of the parameter is neither checked nor limited, resulting in a stack overflow.


The calculator pops up successfully.


White Elephant Decoy Document

Locating the vulnerability

Use PCHunter and Process Monitor to locate the module that triggers the vulnerability: EQNEDT32.EXE.



The dropped file mcods.exe (C:\ProgramData\Microsoft\DeviceSync\mcods.exe) is then executed through a forfiles process.
Use IFEO (Image File Execution Options) to hijack EQNEDT32.EXE and attach a debugger:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EQNEDT32.EXE

Exploitation

Following the CVE analysis, set a breakpoint at 411658 and press F9 repeatedly, watching the value of ecx and checking whenever it exceeds 0xB. At that point ecx is 0xC, and after stepping over with F8 the stack is overwritten as shown in the figure below.

The return address is overwritten with 48C7C2.
Continue executing to the leave and ret instructions at the end of the function.

leave is equivalent to:
movl %ebp, %esp
popl %ebp
The ret instruction pops the return address from the top of the stack into EIP, and execution continues at the address EIP now holds.
Execution jumps to the return address 48C7C2, which itself holds a ret instruction.



After that ret executes, the program jumps to 19eec4. fs:[30h] points to the PEB, and offset 2 within the PEB (fs:[30h]+2) is the BeingDebugged field; when BeingDebugged = 1, the process is being debugged.
Where 19eec4 comes from:
Before the instruction at 411658 is executed, 19eec4 is already on the stack; looking at the stack, it is the parameter of the 41160f function.
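As an added illustration (not code from the post or from EQNEDT32.EXE), the following Python model of the 41160f frame reproduces the two observations above: the ecx thresholds (0xA for the saved ebp, 0xB for the return address) from the PoC analysis, and the sample's use of a ret gadget at 48C7C2 to land on the pre-existing argument 19eec4. The frame layout and addresses are the ones quoted in the post; the original saved-ebp and return values are placeholders.

```python
# Added model of the 41160f stack frame described in the post; not code from the
# post or from EQNEDT32.EXE. Layout taken from the analysis: a 40-byte font-name
# buffer at ebp-0x28, then the saved EBP, the return address, and the first
# argument of 41160f (0x19EEC4 in the analysed sample).
BUF_DWORDS = 0x28 // 4            # 10 dwords between edi and the saved EBP
SAVED_EBP_PLACEHOLDER = 0x11111111  # placeholder: real value not on the page
RET_PLACEHOLDER = 0x22222222        # placeholder: original return address

def frame_slots(ecx):
    """Slots clobbered by 'rep movsd' with this ecx, starting at ebp-0x28."""
    hit = []
    if ecx > BUF_DWORDS:
        hit.append("saved_ebp")
    if ecx > BUF_DWORDS + 1:
        hit.append("return_address")
    if ecx > BUF_DWORDS + 2:
        hit.append("caller_args")
    return hit

def simulate(payload, arg0=0x0019EEC4, ret_gadgets=frozenset({0x0048C7C2})):
    """Copy payload (list of dwords) into the buffer, then run 'leave; ret'.

    Returns (ebp_after_leave, eip_trace). If the popped address is a known
    single-'ret' gadget (0x48C7C2 in the sample), that ret pops the next
    stack dword too, which is how control reaches the argument 0x19EEC4."""
    stack = [0] * BUF_DWORDS + [SAVED_EBP_PLACEHOLDER, RET_PLACEHOLDER, arg0]
    if len(payload) > len(stack):
        raise ValueError("payload runs past the modelled frame")
    for i, dword in enumerate(payload):      # rep movsd with ecx = len(payload)
        stack[i] = dword                     # no bound check, as at 411658
    esp = BUF_DWORDS                         # leave: mov esp, ebp
    ebp, esp = stack[esp], esp + 1           # leave: pop ebp
    eip, esp = stack[esp], esp + 1           # ret
    trace = [eip]
    while eip in ret_gadgets:                # the gadget is just another ret
        eip, esp = stack[esp], esp + 1
        trace.append(eip)
    return ebp, trace

# Constructed payload mirroring the sample: ecx = 0xC dwords, 0x41 filler up to
# and including the saved EBP, then the ret gadget in the return-address slot.
SAMPLE_PAYLOAD = [0x41414141] * 11 + [0x0048C7C2]

if __name__ == "__main__":
    print(frame_slots(0xA), frame_slots(0xB), frame_slots(0xC))
    print([hex(x) for x in simulate(SAMPLE_PAYLOAD)[1]])
```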

Next, look at the instructions at 19EEC4. After the anti-debugging check is bypassed (BeingDebugged changed to 0), the address of the second-stage shellcode is obtained and executed.



Extract the embedded PE and write it to “C:\ProgramData\Microsoft\DeviceSync\mcods.exe”.



Add to startup items




Call the ShellExecuteA function to execute the command “forfiles.exe /pc:\windows /m twain_32.dll /cc:\windowsuser\..\programdata\microsoft\deviceSynC\mcods.exe”
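From the defender's side, the two behaviours above (EQNEDT32.EXE spawning a process, and forfiles being used to proxy execution of a file in ProgramData via a ".." path) are what process-creation telemetry can catch. The following added Python example, not code from the post, runs that logic over constructed Sysmon-style events; the event format and the sample lines are assumptions for this example.

```python
import re

# Constructed process-creation events in a Sysmon-like key=value form (sample
# data for this example, not telemetry from the post). Line 3 mirrors the
# forfiles command quoted above; line 4 is a benign forfiles use for contrast.
EVENTS = r"""
ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE|CommandLine="EQNEDT32.EXE" -Embedding
ParentImage=C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c calc.exe
ParentImage=C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE|Image=C:\Windows\System32\forfiles.exe|CommandLine=forfiles.exe /p c:\windows /m twain_32.dll /c c:\windows\..\programdata\microsoft\deviceSynC\mcods.exe
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\forfiles.exe|CommandLine=forfiles /p c:\logs /m *.log /c "cmd /c del @file"
"""

# /c may be followed by a space or glued to its argument (/cc:\... as in the post).
FORFILES_C = re.compile(r'/c\s*("[^"]+"|\S+)', re.IGNORECASE)

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()

def forfiles_command(cmdline):
    """The /c argument of a forfiles command line (run once per match), or None."""
    m = FORFILES_C.search(cmdline)
    return m.group(1).strip('"') if m else None

def analyse(event):
    findings = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent == "eqnedt32.exe":             # Equation Editor should not spawn anything
        findings.append("EQNEDT32.EXE spawned " + image)
    if image == "forfiles.exe":
        cmd = (forfiles_command(event["CommandLine"]) or "").lower()
        # Walking out of /p with "..", running from ProgramData, or launching a
        # bare executable are the traits of the proxy execution seen above.
        suspicious = ("\\..\\" in cmd or "\\programdata\\" in cmd
                      or (cmd.endswith(".exe") and " " not in cmd))
        if suspicious:
            findings.append("forfiles /c proxies execution of " + cmd)
    return findings

def scan(text):
    """Return [(event_index, finding), ...] over all non-empty event lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [(i, f) for i, line in enumerate(lines) for f in analyse(parse_event(line))]

if __name__ == "__main__":
    for idx, finding in scan(EVENTS):
        print(idx, finding)
```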

Analysis of mcods.exe

Hide the window.



Determine whether it is the Chinese time zone.



If it is the Chinese time zone, execute the sub_408E80 function.

sub_408E80

Create the rendumm mutex.



Decrypt the User-Agent and obtain the uuid.

Get the user name and computer name.



Get the system version, local IP address, and backdoor version.



The concatenated string is shown in the figure below. Format: uuid=user ID#un=user name#cn=computer name#on=system version#lan=local IP address#nop=#ver=backdoor version
A thread is created with the collected information as its parameter. The thread function encrypts the information with AES, base64-encodes it, and inserts = or & at fixed positions.



Upload the encrypted information to the C2 server with an HTTP POST.




In addition to the information obtained above, mcods.exe also collects the following information.



It is written to the BdZ22x.tmp file in the temp path.



Then read the BdZ22x.tmp file, encrypt it with AES+base64, and upload the file.


C2 Instructions



Instruction 33: Download the file from the specified URL

Kanxue ID: pyikaaaa

https://bbs.kanxue.com/user-home-921642.htm

*This article is a featured article from the Kanxue Forum, originally written by pyikaaaa. Please credit the Kanxue Community when reprinting.
