spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Microsoft Publisher files won't launch #420

Closed enzok closed 7 years ago

enzok commented 7 years ago

When sending Microsoft Publisher files to Office 2010/2013 versions of Publisher on x86/x64 Windows VMs, Publisher pops up:

"Publisher cannot find the file you specified. The next dialog box will let you browse to locate the file on your hard disk or floppy disk."

The log shows:

2017-02-22 10:02:23,437 [root] DEBUG: Started auxiliary module Screenshots
2017-02-22 10:02:23,437 [root] DEBUG: Started auxiliary module Usage
2017-02-22 10:02:23,500 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" with arguments "/o "C:\Users\x\AppData\Local\Temp\99749e63d4253ce543ed98896aa8250e"" with pid 3864
2017-02-22 10:02:23,500 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-02-22 10:02:23,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3864
2017-02-22 10:02:25,828 [lib.api.process] INFO: Successfully resumed process with pid 3864
2017-02-22 10:02:25,828 [root] INFO: Added new process to list with pid: 3864
2017-02-22 10:02:25,921 [root] INFO: Cuckoomon successfully loaded in process with pid 3864.
2017-02-22 10:02:25,953 [root] INFO: Disabling sleep skipping.
2017-02-22 10:02:26,280 [root] INFO: Added new file to list with path: C:\Users\x\AppData\Local\Temp\~DF74E83597CEFCF261.TMP
2017-02-22 10:02:26,421 [root] INFO: Added new file to list with path: C:\Users\x\AppData\Local\Temp\~DF80DF99C888392B7D.TMP
2017-02-22 10:02:26,546 [root] INFO: Added new file to list with path: C:\Users\x\AppData\Local\Temp\~Qil1097.tmp
2017-02-22 10:02:26,592 [root] INFO: Added new file to list with path: C:\Users\x\AppData\Local\Temp\~DF88C7ED3F51943F40.TMP
2017-02-22 10:02:26,625 [root] INFO: Added new file to list with path: C:\Users\x\AppData\Local\Temp\~DF07848E2EE594C12B.TMP
2017-02-22 10:02:26,717 [root] INFO: Added new file to list with path: C:\Users\x\AppData\Local\Temp\~DFDF576BBBB4F5A0D7.TMP
2017-02-22 10:02:27,217 [modules.auxiliary.human] INFO: Found button "Next Page", clicking it
2017-02-22 10:02:29,227 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2017-02-22 10:02:30,572 [modules.auxiliary.human] INFO: Found button "Next Page", clicking it
2017-02-22 10:02:32,572 [modules.auxiliary.human] INFO: Found button "&Open", clicking it
2017-02-22 10:02:33,572 [modules.auxiliary.human] INFO: Found button "Next Page", clicking it
2017-02-22 10:02:35,634 [modules.auxiliary.human] INFO: Found button "&Open", clicking it

Repeats until run timeout.

Has anyone experienced this issue, or had Publisher work properly? Thanks.

doomedraven commented 7 years ago

Works fine with Office 2007. Did you try manually opening that file in the sandbox? It could be broken.

enzok commented 7 years ago

Yes. If I interact with the VM, and open the file manually it opens.

doomedraven commented 7 years ago

Can you share the hash for testing?

doomedraven commented 7 years ago

Is this not 99749e63d4253ce543ed98896aa8250e?

enzok commented 7 years ago

yes

doomedraven commented 7 years ago

Opens fine with Office 2007 in Cuckoo; it should be some command switch change or something.

spender-sandbox commented 7 years ago

I believe newer versions require a .pub extension; I'm fixing it now.

-Brad

spender-sandbox commented 7 years ago

Should be fixed now, give that a shot.

-Brad

enzok commented 7 years ago

That did it. Thanks for the quick fix.
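Added example, not part of the thread or of cuckoo-modified's code: a Python triage over the analyzer log posted above that flags a run where the launched target had no file extension and the human module kept clicking the same dialog buttons. The log lines are excerpted from this thread; the `triage` function, its field names and the repeat threshold are assumptions made for illustration.

```python
import ntpath
import re
from collections import Counter

# Excerpt of the analyzer log posted in this thread (launch line plus dialog clicks).
SAMPLE_LOG = r'''
2017-02-22 10:02:23,500 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" with arguments "/o "C:\Users\x\AppData\Local\Temp\99749e63d4253ce543ed98896aa8250e"" with pid 3864
2017-02-22 10:02:27,217 [modules.auxiliary.human] INFO: Found button "Next Page", clicking it
2017-02-22 10:02:29,227 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2017-02-22 10:02:30,572 [modules.auxiliary.human] INFO: Found button "Next Page", clicking it
2017-02-22 10:02:32,572 [modules.auxiliary.human] INFO: Found button "&Open", clicking it
2017-02-22 10:02:33,572 [modules.auxiliary.human] INFO: Found button "Next Page", clicking it
2017-02-22 10:02:35,634 [modules.auxiliary.human] INFO: Found button "&Open", clicking it
'''

LAUNCH_RE = re.compile(
    r'Successfully executed process from path "(?P<exe>[^"]+)" '
    r'with arguments "(?P<args>.*)" with pid (?P<pid>\d+)')
CLICK_RE = re.compile(
    r'\[modules\.auxiliary\.human\] INFO: Found button "(?P<button>[^"]+)", clicking it')


def triage(log_text, repeat_threshold=2):
    """Flag runs where the target had no extension and a dialog kept reappearing."""
    launch = LAUNCH_RE.search(log_text)
    if launch is None:
        return None
    args = launch.group("args")
    quoted = re.findall(r'"([^"]+)"', args)
    # The sample path is the last quoted argument, or else the last bare token.
    target = quoted[-1] if quoted else (args.split() or [""])[-1]
    extension = ntpath.splitext(target)[1].lower()
    clicks = Counter(m.group("button") for m in CLICK_RE.finditer(log_text))
    repeated = sorted(b for b, n in clicks.items() if n >= repeat_threshold)
    return {
        "exe": ntpath.basename(launch.group("exe")),
        "pid": int(launch.group("pid")),
        "target": target,
        "extension": extension,
        "repeated_buttons": repeated,
        # Heuristic (assumption): an extensionless target plus a looping
        # dialog suggests the application never opened the sample.
        "suspect_not_opened": extension == "" and bool(repeated),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A run flagged this way produces behavioural results for the application's error dialog rather than for the sample, so it is worth resubmitting once the launch path carries the extension the application expects.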