CVE-2017-11882 RTF

__fastcall
Apr 24, 2018 · 5 min read

Looking for an OLE

RTF Hide & Seek
rtfdump.py
No OLE objects detected by rtfdump
rtfobj
One OLE object instance identified

Analyzing the OLE

CLSID related to Equation Editor
OLE CLSID
OLE Native Stream

Return to stack

Shellcode map
Windbg return to stack

Analyzing the shellcode

from idc import Byte, PatchByte   # IDA database read/patch helpers
import struct

def run():
    startPos = 0x4013fe    # first byte of the encrypted shellcode in the IDB
    xored = 0              # 32-bit LCG state that produces the XOR key stream
    # Walk the 0x389-byte blob four bytes at a time; each step yields one 32-bit key word
    for index in range(startPos, startPos + 0x389, 4):
        xored = (xored * 0x22A76047 + 0x2698B12D) & 0xFFFFFFFF
        # Lay the key word out little-endian, the same way the shellcode reads it
        key = bytearray(struct.pack('<I', xored))
        for i in range(0, 4):
            patched_byte = key[i] ^ Byte(index + i)
            PatchByte(index + i, patched_byte)

run()
Bytes before and after the decryption
Before the decryption
After the decryption
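As an added example that is not part of the original post, the same LCG key stream and XOR loop re-implemented as a stand-alone Python decryptor that runs on the carved bytes outside IDA. The multiplier, increment and 0x389 region length are the ones in the script above; the sample input is constructed, and the function name `decrypt_region` is my own. It also clips the key stream to the region length so the odd-sized tail is never over-written.

```python
import struct

# LCG parameters taken from the decryption loop shown on this page
MULT = 0x22A76047
INC = 0x2698B12D
MASK = 0xFFFFFFFF          # the state is a 32-bit register
REGION_LEN = 0x389         # size of the encrypted blob in the sample


def keystream(nbytes):
    """Return the first nbytes of the XOR key stream.

    Each step advances x = x * MULT + INC (mod 2**32) and emits x as four
    little-endian bytes, exactly as the IDA script packs it with '<I'.
    """
    x = 0
    out = bytearray()
    while len(out) < nbytes:
        x = (x * MULT + INC) & MASK
        out += struct.pack('<I', x)
    return bytes(out[:nbytes])


def decrypt_region(blob, start, length=REGION_LEN):
    """Return blob with [start, start+length) XOR-decrypted.

    The key stream is cut to the exact region length, so the odd tail
    (0x389 is not a multiple of 4) never touches bytes past the region.
    XOR is symmetric, so the same call also re-encrypts.
    """
    region = blob[start:start + length]
    key = keystream(len(region))
    plain = bytes(a ^ b for a, b in zip(region, key))
    return blob[:start] + plain + blob[start + length:]


if __name__ == "__main__":
    # Constructed sample: an 8-byte header followed by a marker body
    body = b"ANALYST TEST BODY " * 5
    sample = b"\x00" * 8 + decrypt_region(body, 0, len(body))  # encrypt the body
    recovered = decrypt_region(sample, 8, len(body))
    print(recovered[8:].decode())
```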

TL;DR
