{"id":1142,"date":"2015-07-10T05:04:06","date_gmt":"2015-07-10T05:04:06","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1142"},"modified":"2015-07-10T05:04:06","modified_gmt":"2015-07-10T05:04:06","slug":"sandworm-detection","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2015\/07\/sandworm-detection\/","title":{"rendered":"Sandworm detection"},"content":{"rendered":"

Hello loyal readers!<\/p>\n

Sorry for the delay in posts, I’ve just been busy with life. Anywho, I got some code to share. A lil script I put together for scanning office documents for the Sandworm exploit<\/a>. aka Microsoft Security Bulletin MS14-060.<\/p>\n

For those of you who don’t know \/ live under a rock, its a recent vulnerability in PowerPoint that can be used to run code and it DOESN’T require shellcode making it highly favorable \/ reliable for malware people.<\/p>\n

The way it works is a specially crafted PPT document allows a malicious user to load an INF file. INF files are quite powerful in what they allow you to do – load files, mess with the registry, etc. Here’s what one such INF file looks like:<\/p>\n

<\/p>\n

\n
; 61883.INF\r\n\r\n[Version]\r\nSignature = "$CHICAGO$"\r\nclass=61883\r\nClasGuid=%Msft%\r\nDriverVer=0\/21\/2006,61.7600.16385\r\n\r\n[DestinationDirs]\r\nDefaultDestDir = 1\r\n\r\n[DefaultInstall]\r\nRenFiles = RxRename\r\nAddReg = RxStart\r\n\r\n[RxRename]\r\npenguin.exe, cedt370r(3).exe\r\n[RxStart]\r\nHKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\penguin.exe\r\n<\/pre>\n<\/div>\n
In the above sample, the INF file would add a certain exe to auto-run the next time the computer is rebooted.<\/p>\n
So how do we detect such an attack in a PPT document? Easily. Search for INF file artifacts!<\/p>\n
<\/p>\n
\n
import<\/span> struct<\/span>\r\nimport<\/span> sys<\/span>\r\nimport<\/span> zlib<\/span>\r\n\r\nole_object_header<\/span> =<\/span> "\\x10\\x00\\x11\\x10"<\/span>\r\ngzip_header<\/span> =<\/span> '\\x1f\\x8b\\x08'<\/span> +<\/span> '\\x00'<\/span> *<\/span> 7<\/span>\r\n\r\nwith<\/span> open(sys.argv[<\/span>1<\/span>],<\/span> "rb"<\/span>)<\/span> as<\/span> f:<\/span>\r\n    data<\/span> =<\/span> f.read()<\/span>\r\n\r\n    n_objs<\/span> =<\/span> data.count(ole_object_header)<\/span>\r\n\r\n    print<\/span> "%d objs found"<\/span> %<\/span> n_objs<\/span>\r\n\r\n    pos<\/span> =<\/span> -<\/span>1<\/span>\r\n    for<\/span> i<\/span> in<\/span> range(n_objs):<\/span>\r\n        d<\/span> =<\/span> zlib.decompressobj(zlib.MAX_WBITS<\/span> |<\/span> 32<\/span>)<\/span>\r\n        pos<\/span> =<\/span> pos+<\/span>1<\/span> +<\/span> data[pos+<\/span>1<\/span>:].find(ole_object_header)<\/span>\r\n        compressed_len<\/span> =<\/span> struct.unpack(<\/span>"I"<\/span>,<\/span> data[pos+<\/span>4<\/span>:pos+<\/span>8<\/span>])[<\/span>0<\/span>]<\/span>\r\n        try<\/span>:<\/span>\r\n            obj<\/span> =<\/span> d.decompress(gzip_header<\/span> +<\/span> data[pos+<\/span>12<\/span>:pos+<\/span>12<\/span>+compressed_len-<\/span>4<\/span>])<\/span>\r\n        except<\/span> zlib.error:<\/span>\r\n            obj<\/span> =<\/span> '(zlib error)'<\/span>\r\n        # find INF file artifacts within ole_objects<\/span>\r\n        look1<\/span> =<\/span> "\\[Version\\]"<\/span>\r\n        look2<\/span> =<\/span> "DriverVer"<\/span>\r\n        if<\/span> look1<\/span> and<\/span> look2<\/span> in<\/span> obj:<\/span>\r\n            print<\/span> "found inf file in stream # "<\/span>,<\/span>  i<\/span>\r\n        else<\/span>:<\/span>\r\n            print<\/span> "Found no inf in stream # "<\/span>,<\/span>  i<\/span>\r\n<\/pre>\n<\/div>\n
Code in action:<\/p>\n
\"dddk\"<\/a><\/p>\n
 <\/p>\n
 <\/p>\n
All my code does is search a binary stream for an OLE header, then searches for the gzip header, then extracts the data, then looks for the artifacts. Simplicity is golden.<\/p>\n
Stay safe out there!<\/p>\n
 <\/p>\n
\"1433860762983\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hello loyal readers! Sorry for the delay in posts, I’ve just been busy with life. Anywho, I got some code to share. A lil script I put together for scanning office documents for the Sandworm exploit. aka Microsoft Security Bulletin MS14-060. For those of you who don’t know \/ live under a rock, its a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1142"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1142"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1142\/revisions"}],"predecessor-version":[{"id":1146,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1142\/revisions\/1146"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}