Davy Douhine 2 min

One year ago we found that using the Word 2003 XML format could by very usefull for pentesters/redteamers/attackers as a standard VBA meterpreter payload was scoring 1/57 on VT (instead of 20/57 using the Office OpenXML format). AV vendors made their homeworks, VT score is now 14/54

Anyway another very simple trick can help a lot: by embedding the exact same file (xmhell.xml) in a new word document and saving it as a Word 2003 XML again you’ve got a 0/54 on VT ! Oh yeah !

Image : vt_babushka

Update (2016-03-31):

2 months after submitting our payload on VT, the file still scores 0/56

It seems that AV don’t like russians dolls, even Kaspersky and yet it contains a straight meterpreter payload (without encoding) which is normally catched.

Ok, but pwning a victim by this trick is not so obvious:

  1. the victim has to open the babushka.xml file:

Image : word_babushka 2. then open the xmlhell.xml file that is embedded and then accept a first warning:

Image : enable_editing 3. and another one:

Image : enable_content

And then:

Image : meterpreter

But users are… users ! They will click and click again.

What about sandbox analysis ?

The excellent Payload Security VxStream sandbox [flags] (https://www.hybrid-analysis.com/sample/84ccff8e97cbb57c74615748d9c340d8cfe2363bf9b432b251013d5ad7f6909d?environmentId=1) our original xmhell file:

hybrid_xmhell

But not the babushka variant:

hybrid_babushka

What about a quick and dirty static analysis with olevba and oledump ?

Oledump catches VBA in xmhell.xml but we already knew that:

oledump_xmhell

Olevba works very well too:

olevba_xmhell

But that’s not the same story for babushka.xml:

olevba_babushka

oledump_babushka

That’s all for now, happy hunting and happy pwning !

Categories

0day (15)

Bugbounty (2)

Conference (32)

Ctf (4)

General (6)

Gestion de crise (1)

Pentest (30)

Publications (15)

Responsible disclosure (17)

Spyware (1)

Swift (1)

Training (15)

Workshop (1)

Writeup (1)

Tags

Pentest
XML
Microsoft Word
Antivirus