fe63a2f8
Unverified
Commit
fe63a2f8
authored
Jan 16, 2018
by
mmorenog
Committed by
GitHub
Jan 16, 2018
Merge pull request #292 from mikesxrs/patch-9
Create CVE-2017-11882.yar
parents
b7754af5
4aa59b33
Showing
1 changed file
with
62 additions
and
0 deletions
+62
-0
CVE-2017-11882.yar
CVE_Rules/CVE-2017-11882.yar
+62
-0
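--- /dev/null
+++ b/CVE_Rules/CVE-2017-11882.yar
@@ -0,0 +1,62 @@
+rule potential_CVE_2017_11882
+{
+meta:
+author = "ReversingLabs"
+reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
+strings:
+$docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
+$equation1 = "Equation Native" wide ascii
+$equation2 = "Microsoft Equation 3.0" wide ascii
+$mshta = "mshta"
+$http = "http://"
+$https = "https://"
+$cmd = "cmd"
+$pwsh = "powershell"
+$exe = ".exe"
+$address = { 12 0C 43 00 }
+condition:
+$docfilemagic at 0 and any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
+}
+rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
+meta:
+author = "John Davison"
+description = "Attempts to identify the exploit CVE 2017 11882"
+reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
+sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+score = 60
+//file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
+strings:
+$headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
+$font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
+//$code = /[\x01-\x7F]{44}/
+$winexec = { 12 0c 43 00 }
+condition:
+all of them and @font > @headers and @winexec == @font + 5 + 44
+}
+// same as above but for RTF documents
+rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
+meta:
+author = "John Davison"
+description = "Attempts to identify the exploit CVE 2017 11882"
+reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
+sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+score = 60
+//file_ext = "rtf"
+strings:
+$headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ??
+61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ??
+?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
+?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33
+?? ?? }
+$font = { 30 61 30 31 30 38 35 61 35 61 }
+$winexec = { 31 32 30 63 34 33 30 30 }
+condition:
+all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
+}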
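Review bot: The tag on the RTF rule, `rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {`, drops a digit from the CVE number, so any tag-based selection of `cve_2017_11882` returns the OLE rule but silently misses its RTF counterpart; the line should read `rule rtf_cve2017_11882 : malicious exploit cve_2017_11882 {`. In the same rule the `$headers`, `$font` and `$winexec` hex strings encode only lowercase RTF hex text (`61 39` for "a9", `35 61` for "5a"), and `nocase` is not available on hex strings, so writers that emit uppercase hex or interleave whitespace inside the object data would presumably fall outside the fixed-offset arithmetic in the condition; a header comment such as `// Matches lowercase, contiguous RTF hex encoding only; uppercase or whitespace-split objdata is not covered` would make that coverage limit explicit. In `potential_CVE_2017_11882`, `$cmd = "cmd"` and `$exe = ".exe"` are short plain-ASCII atoms that many benign OLE documents contain, so that rule's precision rests almost entirely on `$address`; the same bytes are named `$winexec` in the two rules below, and aligning the name plus a short comment on why the shell-related strings are intentionally loose would help the next maintainer judge the false-positive trade-off.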