关联漏洞
标题:
Microsoft Office 安全漏洞
(CVE-2017-0199)
描述:Microsoft Office是美国微软(Microsoft)公司开发的一款办公软件套件产品。常用组件有Word、Excel、Access、Powerpoint、FrontPage等。 多款Microsoft产品中存在远程代码执行漏洞。远程攻击者可借助特制的文本文件利用该漏洞执行任意代码。以下产品和版本受到影响:Microsoft Office 2007 SP3;Microsoft Office 2010 SP2;Microsoft Office 2013 SP1;Microsoft Office 20
描述
RTF de-obfuscator for CVE-2017-0199 documents to find URLs statically.
介绍
# RTF-Cleaner
RTF de-obfuscator for CVE-2017-0199 documents to find URLs statically.
Use this tool to statically find URLs in obfuscated RTF documents.
Usage: .\rtfCleanerUniversal.ps1 path-to-file
Example: .\rtfCleanerUniversal.ps1 'C:\Users\yams\Downloads\invoiceForYams.doc'
If the built in regexers don't find anything just enter what you find in the rtf file, IE pntxtb, lchars, etc...
Looking to build in functionality to find these and do it automatically. Its manual for now though.
This works for any file type that contains {\parameters} to clean.
Use at your own risk! Tested on Windows and PowerShell for MacOS.
How it works:
1. Removes all parameters that break up hex code (built in and custom ones)
2. Converts relevant hex to readable strings
3. Removes Null Characters
4. Finds and provides URL to HTA
Output if a URL is found:
PS /Users/yammer/Documents/PowerShell/RTF-Cleaner> ./rtfCleanerUniversal.ps1 ../RTFs/invoice.doc
Analyzing: ../RTFs/invoice.doc
180 of \{\\lchars\s*([^}]*?)\s*} Found!
URL Found!
https[:]//malicious[.]site/fake/directory/payload[.]hta
文件快照
[4.0K] /data/pocs/c9232c962ecea6383ebbc234e311e5cea0eba7ea
├── [1.1K] README.md
└── [3.4K] rtfCleanerUniversal.ps1
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。