Sneed-Reactivity/yara-Neo23x0/exploit_cve_2017_11882.yar

102 lines
4.3 KiB
Text
Raw Normal View History

rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
meta:
author = "John Davison"
description = "Attempts to identify the exploit CVE 2017 11882"
reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
sample = "51cf2a6c0c1a29abca9fd13cb22421da"
score = 60
//file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
id = "b6c59cf1-52e4-5c9e-b3c3-d973d52736e3"
strings:
$headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
$font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
//$code = /[\x01-\x7F]{44}/
$winexec = { 12 0c 43 00 }
condition:
all of them and @font > @headers and @winexec == @font + 5 + 44
}
// same as above but for RTF documents
rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
meta:
author = "John Davison"
description = "Attempts to identify the exploit CVE 2017 11882"
reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
sample = "51cf2a6c0c1a29abca9fd13cb22421da"
score = 60
//file_ext = "rtf"
id = "b6c59cf1-52e4-5c9e-b3c3-d973d52736e3"
strings:
$headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ??
61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33
?? ?? }
$font = { 30 61 30 31 30 38 35 61 35 61 }
$winexec = { 31 32 30 63 34 33 30 30 }
condition:
all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
}
rule packager_cve2017_11882 {
meta:
author = "Rich Warren"
description = "Attempts to exploit CVE-2017-11882 using Packager"
reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
score = 60
id = "57ff395e-e56a-5e63-bde6-f3cef038fcd6"
strings:
$font = { 30 61 30 31 30 38 35 61 35 61 }
$equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
$package = { 50 61 63 6b 61 67 65 }
$header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
condition:
uint32be(0) == 0x7B5C7274 // RTF header
and all of them
}
rule CVE_2017_11882_RTF {
meta:
description = "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-02-13"
score = 60
id = "400689ff-e856-5cbf-a7fa-93f6a8d8dbb9"
strings:
$x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */
$x2 = "6d736874612e6578652068747470" /* mshta.exe http */
$x3 = "6d736874612068747470" /* mshta http */
$x4 = "4d534854412068747470" /* MSHTA http */
$s1 = "4d6963726f736f6674204571756174696f6e20332e30" ascii /* Microsoft Equation 3.0 */
$s2 = "4500710075006100740069006f006e0020004e00610074006900760065" ascii /* Equation Native */
$s3 = "2e687461000000000000000000000000000000000000000000000" /* .hta .... */
condition:
( uint32be(0) == 0x7B5C7274 or uint32be(0) == 0x7B5C2A5C ) /* RTF */
and filesize < 300KB and
( 1 of ($x*) or 2 of them )
}
rule EXP_potential_CVE_2017_11882 {
meta:
author = "ReversingLabs"
reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
id = "199710e0-5094-5940-ad29-f01383d5d8c2"
strings:
$docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
$equation1 = "Equation Native" wide ascii
$equation2 = "Microsoft Equation 3.0" wide ascii
$mshta = "mshta"
$http = "http://"
$https = "https://"
$cmd = "cmd" fullword
$pwsh = "powershell"
$exe = ".exe"
$address = { 12 0C 43 00 }
condition:
uint16(0) == 0xcfd0 and $docfilemagic at 0 and
any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
}