forked from Yara-Rules/rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2017-11882.yar
66 lines (58 loc) · 2.61 KB
/
CVE-2017-11882.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule potential_CVE_2017_11882
{
meta:
author = "ReversingLabs"
reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
strings:
$docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
$equation1 = "Equation Native" wide ascii
$equation2 = "Microsoft Equation 3.0" wide ascii
$mshta = "mshta"
$http = "http://"
$https = "https://"
$cmd = "cmd"
$pwsh = "powershell"
$exe = ".exe"
$address = { 12 0C 43 00 }
condition:
$docfilemagic at 0 and any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
}
rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
meta:
author = "John Davison"
description = "Attempts to identify the exploit CVE 2017 11882"
reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
sample = "51cf2a6c0c1a29abca9fd13cb22421da"
score = 60
//file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
strings:
$headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
$font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
//$code = /[\x01-\x7F]{44}/
$winexec = { 12 0c 43 00 }
condition:
all of them and @font > @headers and @winexec == @font + 5 + 44
}
// same as above but for RTF documents
rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
meta:
author = "John Davison"
description = "Attempts to identify the exploit CVE 2017 11882"
reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
sample = "51cf2a6c0c1a29abca9fd13cb22421da"
score = 60
//file_ext = "rtf"
strings:
$headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ??
61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33
?? ?? }
$font = { 30 61 30 31 30 38 35 61 35 61 }
$winexec = { 31 32 30 63 34 33 30 30 }
condition:
all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
}