[19403] 2018-08-28_CVE-2015-1641 Office type confusion vulnerability and shellcode analysis

Document creator: s7ckTeam
Views: 1
Last updated: 2025-01-18
CVE-2015-1641 Office shellcode 2018-08-28 saani Win7_32 Office2007 Windbg OD UltraEdit oletools word docx displacedByCustomXML customXML word RTF displacedByCustomXML hash 8bb066160763ba4a0b65ae86d3cfedff8102e2eacbf4e83812ea76ea5ab61a31 https://github.com/houjingyi233/ ... 76ea5ab61a31.bin.gz RTF oletools rtfobj.pyc aa.doc cmd rtfobj.pyc aa.doc rtfobj.pyc aa.doc, id 0 otkloadr.wRAssembly.1 OTKLOADR.DLL OLE id rtfobj.pyc -s [id] aa.doc .doc

id 2 "aa.doc_object_0002042c.doc" .docx, word OLE RTF crash RTF rtf objdata rtfobj.py id id rtf RTF OLE notepad++ objdata OLE OLE id 2 OLE OLE OLE OLE .rtf {\rtf} OLE

RTF word OLE Windbg Winword.exe Winword.exe OLE 0x67C39d30 [ECX] [7C38BD50] OLE document.xml ECX smartTag element smartTag displacedByCustomXml customxml next prev smartTag element 0x7C38BD50 Word docx displacedByCustomXML customXML smartTag OLE MSVCR71.DLL DLL OLE otkloadr.wRAssembly.1 OLE {\object\objocx{\*\objdata 0105000002000000160000006f746b6c6f6164722e5752417373656d626c792e310000000000000000000100000041010500000000000000}} OLE RTF, windbg crash 0x7C38BD50 bp wwlib!DllGetClassObject+0x50e6 ".if(ecx=7c38BD50){}.else{gc}"

0x7C38BD50 smartTag element 0xFFFFE696 4294960790 moveFromRangeStart 0x7C38BD74 smartTag smartTag element 0x7C38BD68 moveFromRangeStart 0x7C376FC3 2084007875 0x7C38A428 memcpy 0x7C376FC3 0x7C38A428 0x7C38A428 7C38A428 kernel32!FlsGetValue 0x7c38a428

7C342404 ret ROP shellcode id 1 OLE activeX1.bin nop ROP heap spray 0x7c342404 ret-sled XML activeX1.bin ROP ret sled shellcode MSVCR71.dll uf 7C342304 MSVCR71!calloc+0xb1 bd F10 0x7C342404 0x7C342404 Memory Virtual ESP, 2G rop ret ROP 0x7C342404 ret ROP F10 NOP shellcode Windbg shellcode OD 0x7C342404: OD Winword.exe OD Winword.exe word shellcode 0x7C342404 ROP Windbg ROP 0x7C3651EB 0x7C342404 F9 ROP ROP VirtualProtect 0x090008b4 DEP 0x090008b4 nop+shellcode

kernel32.dll API hash API shellcode VirtualAlloc shellcode GetFileSize CreateFileMapping MapViewOfFile

{\rt 0xfefefefe 0xfe 0xffffffff shellcode VirtualAlloc shellcode Windbg shellcode {\rt 0xfefefefe 0xfe 0xffffffff shellcode VirtualAlloc 0x090009F9 0x09F9 OD Windbg Winword.exe Windbg Winword.exe 0x7C342404 ret Winword.exe ret 0x7C3651EB ROP bd 0 ROP shellcode 0x09F9 bc 0 bc 1 0x090009F9 shellcode 4KB shellcode VirtualAlloc shellcode 0x2e shellcode 0x3CC 0xBABABABABA payload xor 0xCAFEBABE payload 0xBBBBBBBB

payload API UE svchost.exe WinExec svchost.exe WinExec() payload word, 0xBB 0xBC BC, word word ~