Sandworm detection

Hello loyal readers!

Sorry for the delay in posts, I’ve just been busy with life. Anywho, I got some code to share. A lil script I put together for scanning office documents for the Sandworm exploit. aka Microsoft Security Bulletin MS14-060.

For those of you who don’t know / live under a rock, its a recent vulnerability in PowerPoint that can be used to run code and it DOESN’T require shellcode making it highly favorable / reliable for malware people.

The way it works is a specially crafted PPT document allows a malicious user to load an INF file. INF files are quite powerful in what they allow you to do – load files, mess with the registry, etc. Here’s what one such INF file looks like:

; 61883.INF

[Version]
Signature = "$CHICAGO$"
class=61883
ClasGuid=%Msft%
DriverVer=0/21/2006,61.7600.16385

[DestinationDirs]
DefaultDestDir = 1

[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart

[RxRename]
penguin.exe, cedt370r(3).exe
[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\penguin.exe

In the above sample, the INF file would add a certain exe to auto-run the next time the computer is rebooted.

So how do we detect such an attack in a PPT document? Easily. Search for INF file artifacts!

import struct
import sys
import zlib

ole_object_header = "\x10\x00\x11\x10"
gzip_header = '\x1f\x8b\x08' + '\x00' * 7

with open(sys.argv[1], "rb") as f:
    data = f.read()

    n_objs = data.count(ole_object_header)

    print "%d objs found" % n_objs

    pos = -1
    for i in range(n_objs):
        d = zlib.decompressobj(zlib.MAX_WBITS | 32)
        pos = pos+1 + data[pos+1:].find(ole_object_header)
        compressed_len = struct.unpack("I", data[pos+4:pos+8])[0]
        try:
            obj = d.decompress(gzip_header + data[pos+12:pos+12+compressed_len-4])
        except zlib.error:
            obj = '(zlib error)'
        # find INF file artifacts within ole_objects
        look1 = "\[Version\]"
        look2 = "DriverVer"
        if look1 and look2 in obj:
            print "found inf file in stream # ",  i
        else:
            print "Found no inf in stream # ",  i

Code in action:

dddk

 

 

All my code does is search a binary stream for an OLE header, then searches for the gzip header, then extracts the data, then looks for the artifacts. Simplicity is golden.

Stay safe out there!

 

1433860762983

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.