08e8d462fe
RED PILL 🔴 💊
101 lines
4.3 KiB
Text
101 lines
4.3 KiB
Text
rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
|
|
meta:
|
|
author = "John Davison"
|
|
description = "Attempts to identify the exploit CVE 2017 11882"
|
|
reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
|
|
sample = "51cf2a6c0c1a29abca9fd13cb22421da"
|
|
score = 60
|
|
//file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
|
|
id = "b6c59cf1-52e4-5c9e-b3c3-d973d52736e3"
|
|
strings:
|
|
$headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
|
|
$font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
|
|
//$code = /[\x01-\x7F]{44}/
|
|
$winexec = { 12 0c 43 00 }
|
|
condition:
|
|
all of them and @font > @headers and @winexec == @font + 5 + 44
|
|
}
|
|
|
|
// same as above but for RTF documents
|
|
rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
|
|
meta:
|
|
author = "John Davison"
|
|
description = "Attempts to identify the exploit CVE 2017 11882"
|
|
reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
|
|
sample = "51cf2a6c0c1a29abca9fd13cb22421da"
|
|
score = 60
|
|
//file_ext = "rtf"
|
|
id = "b6c59cf1-52e4-5c9e-b3c3-d973d52736e3"
|
|
strings:
|
|
$headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ??
|
|
61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ??
|
|
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
|
|
?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33
|
|
?? ?? }
|
|
$font = { 30 61 30 31 30 38 35 61 35 61 }
|
|
$winexec = { 31 32 30 63 34 33 30 30 }
|
|
condition:
|
|
all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
|
|
}
|
|
|
|
rule packager_cve2017_11882 {
|
|
meta:
|
|
author = "Rich Warren"
|
|
description = "Attempts to exploit CVE-2017-11882 using Packager"
|
|
reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
|
|
score = 60
|
|
id = "57ff395e-e56a-5e63-bde6-f3cef038fcd6"
|
|
strings:
|
|
$font = { 30 61 30 31 30 38 35 61 35 61 }
|
|
$equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
|
|
$package = { 50 61 63 6b 61 67 65 }
|
|
$header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
|
|
condition:
|
|
uint32be(0) == 0x7B5C7274 // RTF header
|
|
and all of them
|
|
}
|
|
|
|
rule CVE_2017_11882_RTF {
|
|
meta:
|
|
description = "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "Internal Research"
|
|
date = "2018-02-13"
|
|
score = 60
|
|
id = "400689ff-e856-5cbf-a7fa-93f6a8d8dbb9"
|
|
strings:
|
|
$x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */
|
|
$x2 = "6d736874612e6578652068747470" /* mshta.exe http */
|
|
$x3 = "6d736874612068747470" /* mshta http */
|
|
$x4 = "4d534854412068747470" /* MSHTA http */
|
|
|
|
$s1 = "4d6963726f736f6674204571756174696f6e20332e30" ascii /* Microsoft Equation 3.0 */
|
|
$s2 = "4500710075006100740069006f006e0020004e00610074006900760065" ascii /* Equation Native */
|
|
$s3 = "2e687461000000000000000000000000000000000000000000000" /* .hta .... */
|
|
condition:
|
|
( uint32be(0) == 0x7B5C7274 or uint32be(0) == 0x7B5C2A5C ) /* RTF */
|
|
and filesize < 300KB and
|
|
( 1 of ($x*) or 2 of them )
|
|
}
|
|
|
|
rule EXP_potential_CVE_2017_11882 {
|
|
meta:
|
|
author = "ReversingLabs"
|
|
reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
|
|
id = "199710e0-5094-5940-ad29-f01383d5d8c2"
|
|
strings:
|
|
$docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
|
|
$equation1 = "Equation Native" wide ascii
|
|
$equation2 = "Microsoft Equation 3.0" wide ascii
|
|
$mshta = "mshta"
|
|
$http = "http://"
|
|
$https = "https://"
|
|
$cmd = "cmd" fullword
|
|
$pwsh = "powershell"
|
|
$exe = ".exe"
|
|
$address = { 12 0C 43 00 }
|
|
condition:
|
|
uint16(0) == 0xcfd0 and $docfilemagic at 0 and
|
|
any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
|
|
}
|