[Original] CVE-2015-1641 patchwork notes
2020-5-31 11:53


I was reminded of the Patchwork APT, which is quite distinctive: the group's entire arsenal comes from open platforms (black markets included), and at disclosure time it was named for its patched-together nature. Judging by historical data, they are also quite good at playing with Office CVE exploits.

Given enough time to act as nature's porter, the Patchwork metaphor applies equally well to this article.

1) Download the PoC:

EXP:

a69f778d1f511268019b1080f5e3b98b

8bb066160763ba4a0b65ae86d3cfedff8102e2eacbf4e83812ea76ea5ab61a31


APT28:

03cb76bdc619fac422d2b954adfa511e7ecabc106adce804b1834581b5913bca

Uploaded as forum attachments.


2) Set up the environment:

Windows, 32-bit


Office: cn_office_professional_2007_cd_X12-42319

Available for download from msdn我告诉你.


3) Trigger the vulnerability:

Use rtfobj.py (from the oletools package on GitHub) to view the PoC's data:

rtfobj.py -s [id] Poc.docx extracts the document with id=2 shown above; that document triggers the vulnerability:

Attach windbg to WINWORD.exe, open the extracted id=2 docx in Word, and test in a virtual machine whether it crashes, as shown below:


4) Locate the crash:

The crash is at wwlib!DllGetClassObject+0x50e6; the location checks out and the memory address in [ecx] checks out. Copy wwlib.dll to the local machine and open it in IDA to locate it:

Locate the crash address in IDA, as shown below:


5) Understand the vulnerability:

From IDA, the exception is raised by dereferencing [ecx]; ecx was loaded by mov ecx,[eax], so this is a double pointer. Looking at the stack in windbg just before the crash, the caller is DllCanUnloadNow+offset. I traced two frames up in IDA, but since I am not familiar with Word's tag parsing I did not really understand it and could not work out the cause and effect:

The root cause of the vulnerability is a type confusion triggered by the smartTag tag; the picture below is quoted from:

Source: https://paper.seebug.org/351/#2


Type confusion means an object of type A is parsed as the similar type B; parsing it wrongly naturally leads to an invalid access. In the PoC the pointer holds 0x7c38bd50, which should have been a valid object. I have not studied the tag-loading flow myself, but Baidu/Google serve well, so I quote the following:

Source: https://www.anquanke.com/post/id/171343

By this account, roughly, Word does not validate the customXML object while parsing the document, so a similar object, smartTag, can be passed in its place. Understanding the words is one thing; to really understand it, it is best to use code to get familiar with the structures and the XML parsing process (MSDN can be consulted), and there is plenty of good material to refer to.

Source: https://bbs.pediy.com/thread-134518.htm


The 2007 format is somewhat simpler than 2003, since its data is stored as XML. Take the extracted id=2 PoC, change its extension to .zip and unzip it; document.xml will be in the word directory. Open it and search for the type-confused address, as shown below:

The w:smartTag.w:element parsing goes wrong. Although loudy's code does not parse this tag, studying some of its structures helped a lot. Half-understood equals not understood, but it is fine to first fill in the picture in your head from IDA.

It is best to single-step through a working exploit at least twice; observe carefully and think a little, and it will not take long.
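As an added illustration (not code from this post or from the articles it cites), here is a Python script that does the unzip-and-inspect step programmatically: it opens a .docx, parses word/document.xml, and lists every w:smartTag and w:customXml element with its w:uri/w:element attributes and how deeply it sits inside other such elements. The namespace URI is the standard WordprocessingML one; the sample document embedded in the script is constructed. It does not detect the vulnerability itself, it only makes the elements involved in the confusion easy to find when triaging a document.

```python
"""Triage helper: list smartTag / customXml elements in a .docx (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard WordprocessingML main namespace.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
SMART_TAG = f"{{{W_NS}}}smartTag"
CUSTOM_XML = f"{{{W_NS}}}customXml"
INTERESTING = {SMART_TAG, CUSTOM_XML}


def scan_document_xml(xml_bytes: bytes) -> list[dict]:
    """Return one record per smartTag/customXml element, in document order."""
    root = ET.fromstring(xml_bytes)
    findings = []

    def walk(elem, path):
        if elem.tag in INTERESTING:
            # How many smartTag/customXml ancestors this element has.
            nested = sum(1 for p in path if p in INTERESTING)
            findings.append({
                "tag": elem.tag.split("}")[1],
                "uri": elem.get(f"{{{W_NS}}}uri", ""),
                "element": elem.get(f"{{{W_NS}}}element", ""),
                "depth_in_interesting": nested,
            })
        for child in elem:
            walk(child, path + [elem.tag])

    walk(root, [])
    return findings


def scan_docx(docx_bytes: bytes) -> list[dict]:
    """Open a .docx (a zip) in memory and scan its word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/document.xml" not in zf.namelist():
            return []
        return scan_document_xml(zf.read("word/document.xml"))


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: one smartTag nested inside one customXml."""
    doc = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:customXml w:uri="urn:example" w:element="outer">
<w:smartTag w:uri="urn:example" w:element="inner"><w:r><w:t>x</w:t></w:r></w:smartTag>
</w:customXml>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```

Point `scan_docx` at the bytes of a real document to get the same records for it; a document with many such elements, or with them nested inside each other, is worth a closer manual look at document.xml.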


6) Get familiar with the vulnerability

There are plenty of Baidu tutorials on extracting RTF by hand; here I quote an article on how to extract manually, as shown below:

Reference: https://www.jianshu.com/p/f0be451c93ea

The article says msvcr71.dll is imported through otkloadr.WRAssembly.1. The old approach: find the first object in the PoC and add the following construction:

Why does this bring in msvcr71.dll? You need to look it up on the official site: a ProgID maps to a CLSID, and as described above, loading OTK imports msvcr71.dll. For the rest, consult the references:

{\object11\objocx{\*\objdata
180115000  --OLEVersion
002000000  --FormatID
16000000   --ProgID length (0x16 = 22 bytes, including the terminating NUL)
6f746b6c6f6164722e5752417373656d626c792e31   --otkloadr.WRAssembly.1
00000000000000000001000000400105000000000000}}

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oleds/3395d95d-97f0-49ff-b792-28d331f254f1
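To make the field layout above concrete, here is an added Python example (not from the post, and not Microsoft's code) that pulls each \objdata hex stream out of an RTF file and decodes the start of the OLE1 ObjectHeader described in MS-OLEDS: OLEVersion, FormatID (2 = embedded) and the length-prefixed ProgID. Run over a suspect document it lists the ProgIDs the file would ask Word to instantiate, which is a quick triage step given the otkloadr.WRAssembly.1 trick described above. The sample RTF is constructed inside the script following that layout; the field names are taken from MS-OLEDS.

```python
"""Triage helper: list the ProgIDs named in an RTF file's \\objdata streams (added example)."""
import re
import struct

# Everything between "\objdata" and the next closing brace is the hex-encoded object.
OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.S)
FORMAT_NAMES = {1: "linked", 2: "embedded"}


def _hex_payload(raw: bytes) -> bytes:
    """Drop whitespace/garbage and decode the hex text into bytes."""
    hexchars = re.sub(rb"[^0-9a-fA-F]", b"", raw)
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode())


def parse_ole1_header(data: bytes) -> dict:
    """Decode OLEVersion, FormatID and the ClassName (ProgID) of an OLE1 ObjectHeader."""
    if len(data) < 12:
        raise ValueError("objdata too short for an OLE1 header")
    version, fmt, name_len = struct.unpack_from("<III", data, 0)
    # ClassName is a LengthPrefixedAnsiString: length counts the trailing NUL.
    name = data[12:12 + name_len]
    return {
        "ole_version": version,
        "format": FORMAT_NAMES.get(fmt, f"unknown({fmt})"),
        "progid": name.rstrip(b"\x00").decode("latin-1"),
    }


def objects_in_rtf(rtf: bytes) -> list[dict]:
    """Return one record per \\objdata stream found in the RTF bytes."""
    found = []
    for match in OBJDATA_RE.finditer(rtf):
        payload = _hex_payload(match.group(1))
        try:
            found.append(parse_ole1_header(payload))
        except ValueError as exc:
            found.append({"error": str(exc)})
    return found


def build_sample_rtf(progid: str) -> bytes:
    """Constructed minimal RTF with one embedded OLE1 object naming `progid`."""
    name = progid.encode() + b"\x00"
    header = struct.pack("<III", 0x501, 2, len(name)) + name  # OLEVersion, FormatID, ClassName
    header += struct.pack("<III", 0, 0, 0)  # empty TopicName, ItemName, zero NativeDataSize
    return b"{\\rtf1{\\object\\objocx{\\*\\objdata " + header.hex().encode() + b"}}}"


if __name__ == "__main__":
    for record in objects_in_rtf(build_sample_rtf("otkloadr.WRAssembly.1")):
        print(record)
```

Replace `build_sample_rtf(...)` with the bytes of a real file to inspect it; unexpected ProgIDs, or streams too short or too malformed to carry a header, are the cases worth examining further.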

 

Reading more posts: ASLR is one of the mitigations introduced against overflow attacks, and there are several ways to bypass it (each with trade-offs); for example, I know only the concepts and cannot implement any of the bypasses myself.

https://bbs.pediy.com/thread-139241.htm

Test whether the breakpoint bp wwlib+0x9d30 is hit by running the constructed Poc.rtf; the first stage works without much trouble, as shown in the figure:

Attaching to Word and pasting also hits the same breakpoint at the crash location; that is normal operation and raises no exception.


The code below calls the copy function (the crashing value is a parameter; below is the call). Step into it in IDA to see how the parameters flow through; you need to understand the two functions below, as shown:

After the PoC loads ms.dll, [ecx] no longer crashes, because the address has been loaded; single-step into it. Inside the function there are two calls (function names as in the figure); sub_31249DA0 returns the computed address, as shown below:

The return value is 0x7c38bd74; next comes the copy, as shown below:

After the copy the memory data becomes 0xffffe696, and the tag parsing then continues by the following formula (32-bit arithmetic, so the sum wraps) and copies again:

0x7c38bd68 + 0xffffe696 + 6*7 = 0x7c38a428

This is the key point and needs several single-step passes to see how sub_31249DA0 constructs the address and then copies. So the operations come in pairs, achieving two overwrites with msvcr71.dll addresses.

My own study of the tag structures above was not enough and I did not dig deep. I recommend an excellent article that explains it thoroughly; do not miss it:

https://www.cnblogs.com/goabout2/p/8832855.html

The first constructed overwrite executes 0x7c376fc3 (ret), which jumps to 0x9000808 and executes it, as shown below:


For heap spraying, see:

https://bbs.pediy.com/thread-151381.htm

The essential post translated by 泉哥 is more than enough to go from beginner to advanced, though I cannot do it myself; I hear it is about laying out shellcode precisely. When I ran the sample in a virtual machine there was not enough memory to spray; I later gave it 3 GB (originally 1 GB), as it is fairly resource hungry.

Although heap spraying is old and resource intensive, it is still ground everyone fights over. Reportedly success rates vary with one's skill; it should come down to addressing stability.

ROP and shellcode are comparatively simple; PWN/ROP is a basic skill, and on Windows the idea for getting past DEP is the same; Windows gadgets can be found with ImmunityDebugger + mona.

The shellcode routine: locate modules dynamically through fs/gs, implement GetProcAddress(), resolve APIs by hash, then the code that does the actual work; there are many shellcode generation frameworks on GitHub. Once you know the vulnerability, exploitation only requires changing the shellcode's functional part in the sample; you must understand the vulnerability, otherwise you cannot even use it...



Last edited by 一半人生 on 2020-5-31 11:57; reason: