RTF Abuse - SecTor


RTF Abuse: Exploitation, Evasion and Countermeasures
Devon Greene

\*\author  @DasMe Devon
  - Member of Ixia's Application and Threat Intelligence (ATI) Team
  - Focus on malware analysis, exploit development and product development
  - 3 CTFTime.org and Vulnhub challenges
  - Opinions are my own, not Ixia's

Inspiration Slide: How I Met RTF
  - Working on a strike.
  - Created 6 new evasion profiles in Ruby (not better than Python).

\*\blueTeamPoints  Key Points: Blue Team
  - Identify malicious RTF documents
  - Enhance detection capabilities
  - System hardening techniques

\*\redTeamPoints  Key Points: Red Team
  - Obfuscation techniques
  - Vulnerability discovery approaches
  - Exploitation techniques

To Understand RTF You Must RTFM!

\*\Features  Interesting Features / Features You Expect
  - Ability to query DBs / flat files
  - Embedded fonts
  - Hyperlinks
  - Pictures
  - Object Linking and Embedding
  - Hex / Unicode support
  - Document variables
  - Functions and parameters (limited)
  - Much moar!

\*\markupComparison  Hyper Text Markup Language (HTML) vs. Rich Text Format (RTF)

\*\featureDemo1  Let's Play
  - Build an RTF doc from scratch
  - Use an RTF doc to perform a DB query
  - Quick look at built-in functions

Exploitation

\*\Exploitation  Attack Paths
  - N-day vulnerabilities (automagic)
  - Embedded font vulnerabilities
  - Insecure library loading vulns
  - Packager objects (CVE-free)
  - Death from above!

\*\cveFish  CVE-2016-7193

\*\fontemb  Historically Powerful
  - DuQu malware leveraged a 0-day TTF exploit (CVE-2011-3402)
  - The font engine lives in the Windows kernel
  - Downside: bloats the file quite a bit

\*\insecureLibraryLoading  How It Works

\*\insecureLibraryLoading

\*\noMacros

\*\noMacros  Forging Images / Interesting Packager Quirks
  Forging Images:
  - Embed a file in a Word document
  - Save as RTF
  - Copy/paste the \pict object
  Interesting Packager Quirks:
  - Place any file you want in a user's %temp% directory
  - Seriously, any file.
  - Email providers don't care

\*\exploitDemo1  Embedded Objects: A Few Fun Techniques
  - Take advantage of %temp%
  - Take advantage of the local environment
  - Compatible with other doc types

\*\exploitDemo2  Embedded Font File
  - Noted earlier: bypasses Packager checks.
  - Warning: VM gonna go BOOM!
  - Note: this is a packaged font file, not an \embfont tag.

Vulnerability Discovery

\*\fuzzing  Mutation Based vs. Generation Based
  - Generation based: the researcher defines how the input should be formed.

\*\fuzzingTips  Search for "MUST"

\*\fuzzingDemo
  - Built a thorough data model of the RTF specification.
  - Distributed fuzzing amongst 6 machines.
  - 1 cycle was approximately 2,189,235 fuzzing iterations.
  - 500 crashes // 6 unique

\*\foodForThought  Other Targets
  - Open Office
  - Corel WordPerfect
  - TextWrangler
  - Cloud-based document services
  - MS Office on other platforms

Obfuscation Techniques

\*\evasions  Extension Evasion
  Samples seen Jan. 01 - Jun. 30:
  - 725 .doc exts
  - 100 .rtf exts
  - 10 .docx exts
  - 300 other exts
  (Generation Based)

  Extension   MS Word 2010   MS Word 2016
  DOC         Y              Y
  DOCHTML     Y              N
  DOT         Y              Y
  DOTHTML     Y              N
  WBK         Y              Y
  WIZ         Y              Y

\*\evasions  Magic File Tampering / Mixed Case
  Magic File Tampering:
  - MS Word respects {\rt as a minimum magic file header.
  - MS WordPad requires {\rtf#
  Mixed Case:
  - Utilized anywhere #PCDATA is defined.
  - Useful in bypassing static signatures.

\*\evasions  Encoding Contrast
  - URL encoding:         A -> %41
  - Double URL encoding:  A -> %2541
  - Unicode escaping:     A -> 0x41 -> \u0041
  - Hex escaping:         A -> 0x41 -> \'41
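As an added example (not code from the talk, and not Ixia's), the following Python covers two of the slides at once: the "build an RTF doc from scratch" demo and the encoding contrast above. It writes a minimal, spec-shaped document, escaping text with \'hh and \uN, and then reads it back, normalising both escape forms to plain characters so that a signature can be matched on decoded text rather than on raw bytes. It assumes \ansicpg1252 for \'hh bytes, \uc1 for the fallback character after \uN, and BMP-only text (no surrogate pairs); the destination list is a constructed subset of the spec. Note that the \uN parameter is a signed decimal per the RTF specification, so 'A' is \u65, while \u0041 decodes to chr(41), which is ')'.

```python
import re

# Added example, not code from the talk: a minimal RTF writer and reader.
# Assumptions: \ansicpg1252 for \'hh bytes, \uc1 fallback after \uN, BMP text only.

TOKEN = re.compile(
    r"\\'(?P<hex>[0-9a-fA-F]{2})"                 # \'hh: one code-page byte
    r"|\\(?P<word>[a-zA-Z]+-?\d*) ?"              # control word with optional signed decimal parameter and delimiter space
    r"|\\(?P<sym>[^a-zA-Z])"                      # control symbol: \\ \{ \} \* \~ ...
    r"|(?P<open>\{)|(?P<close>\})"
    r"|(?P<text>[^\\{}]+)"                        # plain document text
)

# Destinations whose content is not document text (constructed subset of the spec).
DESTINATIONS = {"fonttbl", "colortbl", "stylesheet", "info", "pict", "object", "header", "footer"}


def rtf_escape(text: str) -> str:
    """Encode a Python string as RTF text content."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in "\\{}":
            out.append("\\" + ch)                # the three syntax characters become control symbols
        elif 0x20 <= cp < 0x7F:
            out.append(ch)                       # printable ASCII passes through
        elif cp < 0x100:
            out.append("\\'%02x" % cp)           # hex escape: one cp1252 byte
        elif cp <= 0xFFFF:
            if cp > 0x7FFF:
                cp -= 0x10000                    # \uN is a signed 16-bit decimal value
            out.append("\\u%d?" % cp)            # '?' is the \uc1 fallback for non-Unicode readers
        else:
            raise ValueError("surrogate pairs are not handled in this example")
    return "".join(out)


def build_rtf(text: str) -> str:
    """Build a complete, spec-shaped RTF document around the escaped text."""
    return ("{\\rtf1\\ansi\\ansicpg1252\\deff0\\uc1"
            "{\\fonttbl{\\f0\\fswiss Arial;}}"
            "\\pard\\f0\\fs24 " + rtf_escape(text) + "\\par}")


def rtf_to_text(rtf: str) -> str:
    """Recover document text, normalising \\'hh and \\uN escapes to characters."""
    out = []
    depth = 0
    skip_until = None     # depth of the destination group currently being skipped
    uc = 1                # current \ucN value
    uc_stack = []         # \uc is scoped to its group, so save it on '{'
    pending_skip = 0      # fallback characters still to drop after a \uN
    for m in TOKEN.finditer(rtf):
        kind = m.lastgroup
        if kind == "open":
            depth += 1
            uc_stack.append(uc)
        elif kind == "close":
            depth -= 1
            uc = uc_stack.pop() if uc_stack else 1
            if skip_until is not None and depth < skip_until:
                skip_until = None
        elif skip_until is not None:
            continue                              # inside a non-text destination
        elif kind == "word":
            raw = m.group("word")
            word = raw.rstrip("-0123456789")
            num = raw[len(word):]
            if word == "uc":
                uc = int(num or 1)
            elif word == "u" and num:
                out.append(chr(int(num) & 0xFFFF))  # decimal: \u65 is 'A', \u0041 is ')'
                pending_skip = uc
            elif word in DESTINATIONS:
                skip_until = depth
            elif word in ("par", "line"):
                out.append("\n")
            elif word == "tab":
                out.append("\t")
        elif kind == "sym":
            sym = m.group("sym")
            if sym == "*":
                skip_until = depth                # {\*\...} groups are ignorable destinations
            elif sym in "\\{}~":
                out.append(" " if sym == "~" else sym)
        elif kind == "hex":
            if pending_skip:
                pending_skip -= 1                 # \'hh given as \uN fallback is dropped
            else:
                out.append(bytes([int(m.group("hex"), 16)]).decode("cp1252", "replace"))
        else:                                     # plain text; readers ignore raw CR/LF
            t = m.group("text").replace("\r", "").replace("\n", "")
            drop = min(pending_skip, len(t))
            pending_skip -= drop
            out.append(t[drop:])
    return "".join(out)


if __name__ == "__main__":
    doc = build_rtf("Café Ω {x}")
    print(doc)
    print(repr(rtf_to_text(doc)))
    print(repr(rtf_to_text("{\\rtf1 \\'41\\u65?\\u0041?}")))
```

The reader deliberately treats both escape forms the same way a detection rule should: what matters is the character that lands in the document, not which of the equivalent spellings the author chose.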

\*\evasions

\*\evasions  Bin Substitution / Whitespace
  Bin Substitution:
  - Works in MS Office only
  - Does not work in MS WordPad
  - Syntax: \bin# ASCII
  Whitespace:
  - Simple and effective
  - Chunk up your payloads and other shady stuff: \r \n \t \s

\*\evasions  Fictitious Control Words
  - Detection slayer
  - Double-edged sword: some AV heuristic checks will catch this.
  - Syntax: {\*\HELLO WORLD}  \*\random

\*\evasions

\*\evasionDemo1  Bypassing RTFScan.exe
  - By applying evasion techniques, can we throw off RTFScan.exe's analysis capabilities?

\*\evasionDemo2  Bypassing AVs?
  - By applying evasion techniques, can we make a bad guy's malicious document harder to detect?

Countermeasures

\*\ruleWritingTips7  Focus On: Special Cases
  - File extensions, e.g. .doc
  - Non-required params, e.g. \objclass
  - Malformed file headers, e.g. {\rtvpn
  - Encoding techniques, e.g. \u0041
  - Embedded objects, e.g. \objdata
  - Mixed case, e.g. \objclass name
  - Unknown RTF tags, e.g. \*\HaiMom

\*\ruleWritingTips1  Focus On: The Obvious Tag
  - Generator tag: \*\generator MsftEdit
  - Obvious is obvious
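As an added example (not code from the talk, and not one of the tools listed later), the following Python scanner turns the obfuscation slides and the two rule-writing tips into concrete checks: a non-canonical magic header such as {\rt, mixed-case control words, \bin substitution, fictitious \*\ destinations, the \*\generator value, Packager objects via \objclass Package, and whitespace-chunked \objdata hex. The allow-list of control words is a constructed subset of the RTF specification (so rare legitimate words will surface as "unknown" and need analyst review), and both sample documents, including the generator version strings, are constructed for the example.

```python
import re

# Added example, not code from the talk: heuristic checks for the RTF
# obfuscation tricks described on the evasion slides. KNOWN_WORDS is a
# constructed subset of the spec; extend it for your environment.
KNOWN_WORDS = {
    "rtf", "ansi", "ansicpg", "deff", "deflang", "uc", "u", "f", "fs", "fswiss", "froman",
    "fnil", "fcharset", "fonttbl", "colortbl", "stylesheet", "info", "generator", "pard",
    "par", "plain", "b", "i", "ul", "line", "tab", "cf", "cb", "ql", "qc", "qr", "sb", "sa",
    "sl", "li", "ri", "fi", "lang", "viewkind", "object", "objemb", "objlink", "objautlink",
    "objclass", "objdata", "objw", "objh", "objupdate", "result", "pict", "picw", "pich",
    "picwgoal", "pichgoal", "wmetafile", "jpegblip", "pngblip", "shppict", "nonshppict",
    "bin", "field", "fldinst", "fldrslt", "header", "footer", "footnote",
}

# Control word with optional \* prefix and optional signed decimal parameter.
# Escaped backslashes (\\) are not special-cased; this is a heuristic scanner.
CONTROL_WORD = re.compile(r"\\(\*\\)?([A-Za-z]+)(-?\d+)?")
OBJDATA = re.compile(r"\{\\\*\\objdata\s*([^{}]*)\}")
GENERATOR = re.compile(r"\{\\\*\\generator\s*([^{};]*);?\}")


def scan_rtf(doc: str) -> list[str]:
    """Return human-readable findings for one RTF document (a str)."""
    findings = []
    # 1. Magic header: the spec's form is {\rtf1; the slides note Word accepts as little as {\rt.
    if not doc.startswith("{\\rtf1"):
        findings.append("non-canonical header: %r" % doc[:6])
    # 2. Control words: unknown/fictitious, mixed case, and \bin substitution.
    for star, word, param in CONTROL_WORD.findall(doc):
        canon = word.lower()
        if canon not in KNOWN_WORDS:
            fmt = "fictitious control word: \\*\\%s" if star else "unknown control word: \\%s"
            findings.append(fmt % word)
        elif word != canon:
            findings.append("mixed-case control word: \\%s" % word)   # spec words are lowercase
        elif canon == "bin":
            findings.append("\\bin%s used to embed raw bytes (Word only)" % param)
    # 3. Generator tag: report the value so the analyst can compare it with the expected editor.
    m = GENERATOR.search(doc)
    findings.append("generator: %s" % (m.group(1).strip() if m else "<none>"))
    # 4. Packager objects, matched case-insensitively because Word tolerates mixed case.
    if re.search(r"\\objclass\s+Package\b", doc, re.IGNORECASE):
        findings.append("Packager object (\\objclass Package)")
    # 5. Embedded object data, with the whitespace-chunking trick normalised away.
    for inner in OBJDATA.findall(doc):
        payload = inner.strip()
        nbytes = len(re.sub(r"\s", "", payload)) // 2
        if re.search(r"\s", payload):
            findings.append("whitespace-chunked \\objdata (%d hex bytes after normalising)" % nbytes)
        elif payload:
            findings.append("embedded \\objdata (%d hex bytes)" % nbytes)
    return findings


# Constructed samples (not real malware): one benign, one using the slide's tricks.
BENIGN = r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}{\*\generator Riched20 16.0.1;}\pard\f0\fs24 Hello\par}"

SUSPICIOUS = r"""{\rt1\ansi\deff0{\fonttbl{\f0 Arial;}}{\*\generator Msftedit 5.41.21.2510;}
{\*\HaiMom 1}\pard\f0\fs24 Hi{\object\objemb\objClass Package{\*\objdata 0105
0000 0200 0000 0700 0000 5061 636b 6167 65
}}\bin4 ABCD\par}"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name)
        for line in scan_rtf(sample):
            print("  -", line)
```

Run it on a corpus and the output is a list of strings per file, which is easy to turn into a YARA or mail-gateway rule once you decide which findings matter in your environment; the generator value is reported rather than judged because which editor is "normal" depends on who is sending you documents.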

\*\systemHardening3  3 Tips
  - Set the Office killbit on the Packager CLSID
  - Update executable extensions
  - Change the .rtf association back to WordPad
  DIY

\*\analysisTools4  RTF Analysis Tools
  - Didier Stevens' rtfdump
  - Decalage's rtfobj
  - PhishMe's psparser.py
  - RTFScan.exe
  Fool proof?

\*\conclusionBlue  Recap
  - Update your magic file header for RTF
  - Scrutinize \*\generator tags
  - Focus on required parameters first
  - Look out for .WIZ and .WBK!
  - Disable Packager objects
  Punch on!

\*\conclusionRed  Recap
  - Take advantage of obfuscation techniques!
  - Trade warning signs by using Packager objects.
  - Save as other doc types when necessary!
  - Fuzz the hell out of RTF!
  Ninja alert

Questions?
