[原创]分析CVE-2017-8570 rtf 样本

发表于: 2018-8-26 16:45 5016

[原创]分析CVE-2017-8570 rtf 样本

树梢之上

2018-8-26 16:45

5016

up777

1.样本信息

样本是在www.reverse.it上找的,基本信息如下.

2.打开情况

混淆情况

3.去除静态混淆

可以看到,样本被混淆得很厉害(虽然卡巴还没拖进去就被杀了),对我们分析样本造成了一定的阻碍

windbg加载winword

bp ole32!OleConvertOLESTREAMToIStorage

然后断网,将rtf拖入winword中

ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff mov edi,edi
断下来了

0:000> kb
ChildEBP RetAddr Args to Child
00164cb8 69d3912e 043138d4 05490100 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
00164f40 69fc827c 042ba000 043138d4 00000001 wwlib!DllCanUnloadNow+0xadec
00164f80 6997c4e8 042ba000 04310980 00164fec wwlib!DllCanUnloadNow+0x299f3a
0:000> dc 043138d4 l4
043138d4 6a2c78ec 00000001 01bf00e4 0000037d .x,j........}...

0:000> db poi(01bf00e4) l37d
03c47e58 01 05 00 00 02 00 00 00-08 00 00 00 50 61 63 6b ............Pack
03c47e68 61 67 65 00 00 00 00 00-00 00 00 00 55 03 00 00 age.........U...
03c47e78 02 00 6c 6f 6e 67 69 6e-74 65 72 63 6f 6e 73 74 ..longinterconst
03c47e88 61 2e 53 63 54 00 43 3a-5c 49 6e 74 65 6c 5c 6c a.ScT.C:\Intel\l
03c47e98 6f 6e 67 69 6e 74 65 72-63 6f 6e 73 74 61 2e 53 onginterconsta.S
03c47ea8 63 54 00 00 00 03 00 1d-00 00 00 43 3a 5c 49 6e cT.........C:\In
03c47eb8 74 65 6c 5c 6c 6f 6e 67-69 6e 74 65 72 63 6f 6e tel\longintercon
03c47ec8 73 74 61 2e 53 63 54 00-57 02 00 00 3c 3f 58 4d sta.ScT.W...<?XM

第一个对象是package

0:000> .writemem c:\1.package poi(01bf00e4) l37d
Writing 37d bytes.

第二个

0:000> kb

ChildEBP RetAddr Args to Child
00164cb8 69d3912e 04313b9c 05490068 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
00164f40 69fc827c 042ba000 04313b9c 00000001 wwlib!DllCanUnloadNow+0xadec
00164f80 6997c4e8 042ba000 04310980 00164fec wwlib!DllCanUnloadNow+0x299f3a

0:000> dd 04313b9c l4

04313b9c 6a2c78ec 00000001 01bf00dc 00000264

0:000> dc poi(01bf00dc) l264

03c87e78 00000501 00000002 00000008 6b636150 ............Pack
03c87e88 00656761 00000000 00000000 0000023c age.........<...
03c87e98 6f670002 2e69646e 00636f64 495c3a43 ..gondi.doc.C:\I
03c87ea8 6c65746e 6e6f675c 642e6964 0000636f ntel\gondi.doc..

0:000> .writemem c:\2.package poi(01bf00dc) l264

Writing 264 bytes

第三个

0:000> kb

ChildEBP RetAddr Args to Child
00164cb8 69d3912e 04313b9c 05495888 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
00164f40 69fc827c 042ba000 04313b9c 00000001 wwlib!DllCanUnloadNow+0xadec
00164f80 6997c4e8 042ba000 04310980 00164fec wwlib!DllCanUnloadNow+0x299f3a

0:000> dd 04313b9c l4

04313b9c 6a2c78ec 00000001 01bf00dc 0005e2cb

0:000> dc poi(01bf00dc)

05290020 00000501 00000002 00000008 6b636150 ............Pack
05290030 00656761 00000000 00000000 0005e2a3 age.............
05290040 6f6d0002 2e69646e 00657865 495c3a43 ..mondi.exe.C:\I
05290050 6c65746e 6e6f6d5c 652e6964 00006578 ntel\mondi.exe..
05290060 13000300 43000000 6e495c3a 5c6c6574 .......C:\Intel\
05290070 646e6f6d 78652e69 e1ff0065 5a4d0005 mondi.exe.....MZ
05290080 00030090 00040000 ffff0000 00b80000 ................
05290090 00000000 00400000 00000000 00000000 ......@.........

0:000> .writemem c:\3.package poi(01bf00dc) l5e2cb

Writing 5e2cb bytes..............

第四个

0:000> g

Breakpoint 0 hit
eax=000004e8 ebx=042cf3c0 ecx=00008000 edx=00000000 esi=05490960 edi=00164f78
eip=77a028fa esp=00164cbc ebp=00164f40 iopl=0         nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00200206
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi

0:000> kb

ChildEBP RetAddr Args to Child
00164cb8 69d3912e 04313b9c 054957f0 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.

0:000> dd 04313b9c

04313b9c 6a2c78ec 00000001 01bf00dc 0000017e
04313bac 00040010 00000002 00000000 00000000
04313bbc 00000000 00000000 00000000 00000000
04313bcc 00000000 00000000 00000000 00000000
04313bdc 00000000 00000000 00000000 00000000
04313bec 00000000 00000000 00000000 00000000
04313bfc 00000000 00000000 00000000 00000000
04313c0c 00000000 00000000 00000000 00000000

0:000> dc poi(01bf00dc)

03c87e78 00000501 00000002 00000008 6b636150 ............Pack
03c87e88 00656761 00000000 00000000 00000156 age.........V...
03c87e98 6e690002 632e6964 4300646d 6e495c3a ..indi.cmd.C:\In
03c87ea8 5c6c6574 69646e69 646d632e 03000000 tel\indi.cmd....
03c87eb8 00001200 5c3a4300 65746e49 6e695c6c .....C:\Intel\in
03c87ec8 632e6964 bb00646d 45000000 204f4843 di.cmd.....ECHO
03c87ed8 0d46464f 7465730a 6c6e7520 3d6b636f OFF..set unlock=
03c87ee8 6d742522 0d222570 7465730a 636f6c20 "%tmp%"..set loc

0:000> .writemem c:\4.package poi(01bf00dc) l17e

Writing 17e bytes.

第五个

0:000> g

Breakpoint 0 hit
eax=000004e8 ebx=042dabe0 ecx=00008000 edx=00000000 esi=05490960 edi=00164f78
eip=77a028fa esp=00164cbc ebp=00164f40 iopl=0         nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00200206
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi

0:000> kb

ChildEBP RetAddr Args to Child
00164cb8 69d3912e 04313b9c 054966f0 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.

0:000> dd 04313b9c

04313b9c 6a2c78ec 00000001 01bf00dc 00000314
04313bac 00040010 00000002 00000000 00000000
04313bbc 00000000 00000000 00000000 00000000
04313bcc 00000000 00000000 00000000 00000000
04313bdc 00000000 00000000 00000000 00000000
04313bec 00000000 00000000 00000000 00000000
04313bfc 00000000 00000000 00000000 00000000
04313c0c 00000000 00000000 00000000 00000000

0:000> dc poi(01bf00dc)

03c87e78 00000501 00000002 00000008 6b636150 ............Pack
03c87e88 00656761 00000000 00000000 000002ec age.............
03c87e98 6f680002 2e69646e 00646d63 495c3a43 ..hondi.cmd.C:\I
03c87ea8 6c65746e 6e6f685c 632e6964 0000646d ntel\hondi.cmd..
03c87eb8 13000300 43000000 6e495c3a 5c6c6574 .......C:\Intel\
03c87ec8 646e6f68 6d632e69 02480064 43450000 hondi.cmd.H...EC
03c87ed8 4f204f48 0a0d4646 454d4954 2054554f HO OFF..TIMEOUT
03c87ee8 0a0d2031 20746573 70704122 6e69773d 1 ..set "App=win

0:000> .writemem c:\5.package poi(01bf00dc) l314

Writing 314 bytes.

第六个是olelink

0:000> g

Breakpoint 0 hit
eax=000004e8 ebx=042dab40 ecx=00008000 edx=00000000 esi=05490960 edi=00164f78
eip=77a028fa esp=00164cbc ebp=00164f40 iopl=0         nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00200206
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi

0:000> kb

ChildEBP RetAddr Args to Child
00164cb8 69d3912e 04313b9c 05496388 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.

0:000> dd 04313b9c

04313b9c 6a2c78ec 00000001 01bf00dc 00000a49
04313bac 00040010 00000002 00000000 00000000
04313bbc 00000000 00000000 00000000 00000000
04313bcc 00000000 00000000 00000000 00000000
04313bdc 00000000 00000000 00000000 00000000
04313bec 00000000 00000000 00000000 00000000
04313bfc 00000000 00000000 00000000 00000000
04313c0c 00000000 00000000 00000000 00000000

0:000> dc poi(01bf00dc)

03c87e78 00000000 00000002 00000009 32454c4f ............OLE2
03c87e88 6b6e694c 00000000 00000000 000a0000 Link............
03c87e98 11cfd000 1ab1a1e0 000000e1 00000000 ................
03c87ea8 00000000 00000000 03003e00 09fffe00 .........>......
03c87eb8 00000600 00000000 00000000 00000100 ................
03c87ec8 00000100 00000000 00100000 00000200 ................
03c87ed8 00000100 fffffe00 000000ff 00000000 ................
03c87ee8 ffffff00 ffffffff ffffffff ffffffff ................

0:000> .writemem c:\6olelink poi(01bf00dc) la49

Writing a49 bytes..

第七个equation

0:000> kb

ChildEBP RetAddr Args to Child
00164cb8 69d3912e 04313b9c 05497f90 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
0:000> dd 04313b9c
04313b9c 6a2c78ec 00000001 01bf00dc 0000124a
04313bac 00040010 00000002 00000000 00000000
04313bbc 00000000 00000000 00000000 00000000
04313bcc 00000000 00000000 00000000 00000000
04313bdc 00000000 00000000 00000000 00000000
04313bec 00000000 00000000 00000000 00000000
04313bfc 00000000 00000000 00000000 00000000
04313c0c 00000000 00000000 00000000 00000000
0:000> dc poi(01bf00dc)
03ccae98 b1a0b139 00000002 0000000b 41757145 9...........EquA
03ccaea8 6e6f6954 0000322e 00000000 00000000 Tion.2..........
03ccaeb8 d000000e a1e011cf 00e11ab1 00000000 ................
03ccaec8 00000000 00000000 3e000000 fe000300 ...........>....
03ccaed8 060009ff 00000000 00000000 01000000 ................
03ccaee8 01000000 00000000 00000000 02000010 ................
03ccaef8 01000000 fe000000 00ffffff 00000000 ................
03ccaf08 ff000000 ffffffff ffffffff ffffffff ................
0:000> .writemem c:\7equation poi(01bf00dc) l124a
Writing 124a bytes...

之后word就正常运行了

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

最后于 2019-4-13 13:05 被树梢之上编辑，原因：家里上传mondi.idb,方便随时下载分析

上传的附件：