Sneed-Reactivity/yara-Neo23x0/exploit_cve_2017_8759.yar

111 lines
4.4 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-09-14
Identifier: Detects malicious files in relation with CVE-2017-8759
Reference: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample
*/
/* Rule Set ----------------------------------------------------------------- */
rule CVE_2017_8759_Mal_HTA {
meta:
description = "Detects malicious files related to CVE-2017-8759 - file cmd.hta"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
date = "2017-09-14"
hash1 = "fee2ab286eb542c08fdfef29fabf7796a0a91083a0ee29ebae219168528294b5"
id = "e53b5149-fc94-5da5-8e35-7f09a9cd79fd"
strings:
$x1 = "Error = Process.Create(\"powershell -nop cmd.exe /c" fullword ascii
condition:
( uint16(0) == 0x683c and filesize < 1KB and all of them )
}
rule CVE_2017_8759_Mal_Doc {
meta:
description = "Detects malicious files related to CVE-2017-8759 - file Doc1.doc"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
date = "2017-09-14"
modified = "2023-11-21"
hash1 = "6314c5696af4c4b24c3a92b0e92a064aaf04fd56673e830f4d339b8805cc9635"
id = "48587c13-7661-5987-8331-732115f7823b"
strings:
$s1 = "soap:wsdl=http://" ascii wide
$s2 = "soap:wsdl=https://" ascii wide
$s3 = "soap:wsdl=http%3" ascii wide
$s4 = "soap:wsdl=https%3" ascii wide
$c1 = "Project.ThisDocument.AutoOpen" fullword wide
condition:
uint16(0) == 0xcfd0 and filesize < 500KB and ( 1 of ($s*) and $c1 )
}
rule CVE_2017_8759_SOAP_via_JS {
meta:
description = "Detects SOAP WDSL Download via JavaScript"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/buffaloverflow/status/907728364278087680"
date = "2017-09-14"
score = 60
id = "9e96cea3-4282-5f25-ad37-51bd69258790"
strings:
$s1 = "GetObject(\"soap:wsdl=https://" ascii wide nocase
$s2 = "GetObject(\"soap:wsdl=http://" ascii wide nocase
condition:
( filesize < 3KB and 1 of them )
}
rule CVE_2017_8759_SOAP_Excel {
meta:
description = "Detects malicious files related to CVE-2017-8759"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/buffaloverflow/status/908455053345869825"
date = "2017-09-15"
score = 60
id = "940ec910-49a4-5271-97e4-8536db271b80"
strings:
$s1 = "|'soap:wsdl=" ascii wide nocase
condition:
( filesize < 300KB and 1 of them )
}
rule CVE_2017_8759_SOAP_txt {
meta:
description = "Detects malicious file in releation with CVE-2017-8759 - file exploit.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
date = "2017-09-14"
hash1 = "840ad14e29144be06722aff4cc04b377364eeed0a82b49cc30712823838e2444"
id = "36474420-4fa9-5264-a46b-bb2434624710"
strings:
$s1 = /<soap:address location="http[s]?:\/\/[^"]{8,140}.hta"/ ascii wide
$s2 = /<soap:address location="http[s]?:\/\/[^"]{8,140}mshta.exe"/ ascii wide
condition:
( filesize < 200KB and 1 of them )
}
rule CVE_2017_8759_WSDL_in_RTF {
meta:
description = "Detects malicious RTF file related CVE-2017-8759"
author = "Security Doggo @xdxdxdxdoa"
reference = "https://twitter.com/xdxdxdxdoa/status/908665278199996416"
date = "2017-09-15"
id = "daaa5489-af96-5a69-b2dd-81406c0a1edc"
strings:
$doc = "d0cf11e0a1b11ae1"
$obj = "\\objupdate"
$wsdl = "7700730064006c003d00" nocase
$http1 = "68007400740070003a002f002f00" nocase
$http2 = "680074007400700073003a002f002f00" nocase
$http3 = "6600740070003a002f002f00" nocase
condition:
uint32be(0) == 0x7B5C7274 and $obj and $doc and $wsdl and 1 of ($http*)
}