Which Tool for an xlsx abusing the Equation editor bug?

[yoshimo]

So far this equation editor problem (cve-2017-11882/cve-2017-1182) seems to be done strictly for rtf files in rtfobj
Looking at c83b477c068edd5eb041abd2ee7a89c956dba10d4ce19f44fdba0db4349d8c25 this wouldn't help me due to being a different filetype.
Which of the oletools should cover this kind of filetype&exploit combo?

[decalage2]

Hi, normally this should work with oleobj. If it doesn't work, could you please upload it to a platform that allows downloading, such as app.any.run or similar?

[yoshimo]

https://app.any.run/tasks/4de6cfa6-c15f-498e-a95e-d5034dd3a801 should have it.
https://www.virustotal.com/gui/file/c83b477c068edd5eb041abd2ee7a89c956dba10d4ce19f44fdba0db4349d8c25/detection is the VT scan of it

[decalage2]

Are you sure the file on any.run has the OLE object in it? There is no oleobject.bin file in it, and when I check the XML files there is a reference to /xl/embeddings/oleObject1.bin in [Content_Types].xml but it's not in the XLSX. Maybe the file has been cleaned up by an antivirus before being uploaded to VT and any.run?
However, a few antivirus on VT detect something, so I'm wondering if it's a false positive, or if it's hidden in an unusual place.

[decalage2]

I also see a reference to the same OLE object in sheet1.xml, but the file /xl/embeddings/oleObject1.bin is absent from the XLSX. So I really think it's been cleaned up by an AV, and this sample is innocuous.

[yoshimo]

maybe it was, ill see if i find the mail again.
To the original question, which tool would be the one to use here as the equation bug itself is marked for RTF

[decalage2]

This is oleobj: it should find any OLE object (including equations) in most MS Office files (doc, docx, xls, xlsx, etc). However it is not as well developed as rtfobj, so it will just extract OLE objects and display some info.
AFAIK the equation vulnerability is not related to RTF, it's just a type of OLE object that can be inserted into any MS Office format. But for some reason it has been mostly exploited in RTF files, probably because it's easier to obfuscate.

[yoshimo]

https://app.any.run/tasks/2eace630-7baa-420f-973a-b417acda3754/ is shown with a dns request to host that is dead.

File: 'Transfer slip.xlsx'
extract file embedded in OLE object from stream '\x01oLE10NAtIvE':
Parsing OLE Package
WARNING *** Not an OLE 1.0 Object

[decalage2]

OK, I need to see why the OLE object is not correctly parsed by oleobj, maybe there is a bug. If you extract oleObject1.bin manually from the xlsx and then run oledir on it, the CLSID shows clearly that it is an Equation editor object:

[decalage2]

This is related to issue #542