Hello loyal readers!
Sorry for the delay in posts; I’ve just been busy with life. Anywho, I’ve got some code to share: a little script I put together for scanning Office documents for the Sandworm exploit, aka Microsoft Security Bulletin MS14-060 (CVE-2014-4114).
For those of you who don’t know / live under a rock, it’s a recent vulnerability in the Windows OLE package manager, reached through a specially crafted PowerPoint file, that can be used to run code. It’s a logic flaw rather than memory corruption, so it DOESN’T require shellcode, which makes it highly favorable / reliable for malware people.
The way it works is that a specially crafted PPT document lets a malicious user load an INF file. INF files are quite powerful in what they allow you to do: copy or rename files, mess with the registry, etc. Here’s what one such INF file looks like:
In the above sample, the INF file registers a certain exe to auto-run the next time the computer is rebooted.
So how do we detect such an attack in a PPT document? Easily: search for INF file artifacts (section headers such as [Version] and [DefaultInstall], the "$CHICAGO$" signature, and directives such as AddReg, RenFiles and CopyFiles)!
Code in action:
All my code does is search a binary stream for an OLE header, then search for the gzip header, then extract the data, then look for the artifacts. Simplicity is golden.
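As an added example (my own code, not the script from this post), here is a Python scanner that does what the post describes: it walks the embedded objects of a PowerPoint file, carves out anything that starts with an OLE compound-file header, and greps the carved data for INF artifacts. Since the INF sample and the scan output referred to above are not reproduced here, the block also constructs a synthetic .ppsx with a made-up INF that renames a dropped payload and registers it under RunOnce, so the scanner can be run offline. The file names, the object layout and the artifact list are assumptions for illustration, not taken from a real Sandworm sample. Note that a modern .ppsx/.pptx is a ZIP container, so the example opens it with zipfile and looks under ppt/embeddings/ rather than searching for a compression header in the raw stream; a legacy binary .ppt, or any other raw stream, is carved directly.

```python
import io
import re
import sys
import zipfile

# Magic for an OLE Compound File (the "OLE header" the post scans for).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Magic for a ZIP local file header; modern .pptx/.ppsx files are ZIP containers.
ZIP_MAGIC = b"PK\x03\x04"

# INF artifacts worth flagging inside an embedded object. Matched on raw bytes,
# so this catches ASCII INF text only (which is what a Packager object carries).
INF_PATTERNS = [
    ("version-section", re.compile(rb"\[Version\]", re.I)),
    ("chicago-signature", re.compile(rb"\$CHICAGO\$", re.I)),
    ("defaultinstall-section", re.compile(rb"\[DefaultInstall\]", re.I)),
    ("addreg-directive", re.compile(rb"AddReg\s*=", re.I)),
    ("renfiles-directive", re.compile(rb"RenFiles\s*=", re.I)),
    ("copyfiles-directive", re.compile(rb"CopyFiles\s*=", re.I)),
    ("runonce-key", re.compile(rb"CurrentVersion\\RunOnce", re.I)),
]


def find_inf_artifacts(blob):
    """Return the names of every INF artifact found in a byte string, in INF_PATTERNS order."""
    return [name for name, rx in INF_PATTERNS if rx.search(blob)]


def find_ole_objects(blob):
    """Carve every region that starts with an OLE compound-file header out of a raw byte stream.
    If the stream carries no OLE header at all, the whole stream is returned as one region."""
    starts = [m.start() for m in re.finditer(re.escape(OLE_MAGIC), blob)]
    if not starts:
        return [blob]
    ends = starts[1:] + [len(blob)]
    return [blob[s:e] for s, e in zip(starts, ends)]


def scan_document(data):
    """Scan a PowerPoint file given as bytes.
    Returns {region_label: [artifact names]} for every region with at least one artifact."""
    if data.startswith(ZIP_MAGIC):
        # OOXML: embedded OLE objects live under ppt/embeddings/ inside the ZIP container.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(i.filename, zf.read(i.filename)) for i in zf.infolist()
                       if i.filename.startswith("ppt/embeddings/")]
    else:
        # Legacy binary .ppt (itself an OLE compound file) or any raw stream: carve directly.
        members = [("stream", data)]
    findings = {}
    for label, blob in members:
        for idx, obj in enumerate(find_ole_objects(blob)):
            hits = find_inf_artifacts(obj)
            if hits:
                findings["%s#ole%d" % (label, idx)] = hits
    return findings


def build_sample_ppsx():
    """Construct a synthetic .ppsx-shaped ZIP (not a real sample) with one harmless embedded
    object and one carrying a RunOnce INF, so the scanner can be exercised offline."""
    inf = (
        b'[Version]\r\nSignature="$CHICAGO$"\r\n'
        b"[DefaultInstall]\r\nRenFiles=RxRename\r\nAddReg=RxStart\r\n"
        # Hypothetical file names: a payload shipped as .gif is renamed to .exe.
        b"[RxRename]\r\nslide1.exe,slide1.gif\r\n"
        # RunOnce value so the renamed payload launches at the next reboot.
        b"[RxStart]\r\nHKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,"
        b'install,,"cmd /c start slide1.exe"\r\n'
    )
    # Hypothetical layout: a 512-byte OLE header block, then a Packager stream carrying the INF.
    malicious = OLE_MAGIC + b"\x00" * 504 + b"\x01Ole10Native" + b"\x00" * 16 + inf
    benign = OLE_MAGIC + b"\x00" * 504 + b"an embedded spreadsheet, nothing to see"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/embeddings/oleObject1.bin", benign)
        zf.writestr("ppt/embeddings/oleObject2.bin", malicious)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python inf_scan.py file.ppsx [more files]; with no arguments, scan the built-in sample.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", build_sample_ppsx())]
    for path, data in targets:
        result = scan_document(data)
        print("%s: %s" % (path, "SUSPICIOUS" if result else "clean"))
        for region, hits in result.items():
            print("  %s -> %s" % (region, ", ".join(hits)))
```

The artifact list is deliberately generic (any INF carried by an embedded object is a red flag in a slide deck), so treat a single hit as a lead and two or more, in particular a RunOnce key next to a RenFiles or AddReg directive, as a strong signal; the patterns are trivially evaded by obfuscation, so this is triage, not a replacement for patching MS14-060.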
Stay safe out there!