signature-base/yara/exploit_cve_2017_11882.yar

rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
    meta:
        author = "John Davison"
        description = "Attempts to identify the exploit CVE 2017 11882"
        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
        score = 60
        //file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
    strings:
        $headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
        $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
        //$code = /[\x01-\x7F]{44}/
        $winexec = { 12 0c 43 00 }
    condition:
        all of them and @font > @headers and @winexec == @font + 5 + 44
}

// same as above but for RTF documents
rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
    meta:
        author = "John Davison"
        description = "Attempts to identify the exploit CVE 2017 11882"
        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
        score = 60
        //file_ext = "rtf"
    strings:
        $headers = { 31 63 30 30 30 30 30 30  30 32 30 30 ?? ?? ?? ??
                     61 39 30 30 30 30 30 30  ?? ?? ?? ?? ?? ?? ?? ??
                     ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??
                     ?? ?? ?? ?? ?? ?? ?? ??  30 33 30 31 30 31 30 33
                     ?? ?? }
        $font = { 30 61 30 31 30 38 35 61  35 61 }
        $winexec = { 31 32 30 63 34 33 30 30 }
    condition:
        all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
}

rule packager_cve2017_11882 {
   meta:
      author = "Rich Warren"
      description = "Attempts to exploit CVE-2017-11882 using Packager"
      reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
      score = 60
   strings:
      $font = { 30 61 30 31 30 38 35 61  35 61 }
      $equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
      $package = { 50 61 63 6b 61 67 65 }
      $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
   condition:
      uint32be(0) == 0x7B5C7274 // RTF header
      and all of them
}
CVE-2017-11882 by John Davison 2017-11-23 19:33:58 +00:00			`rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {`
			`meta:`
			`author = "John Davison"`
			`description = "Attempts to identify the exploit CVE 2017 11882"`
			`reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"`
			`sample = "51cf2a6c0c1a29abca9fd13cb22421da"`
			`score = 60`
			`//file_name = "re:^stream_[0-9]+_[0-9]+.dat$"`
			`strings:`
			`$headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }`
			`$font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow`
			`//$code = /[\x01-\x7F]{44}/`
			`$winexec = { 12 0c 43 00 }`
			`condition:`
			`all of them and @font > @headers and @winexec == @font + 5 + 44`
			`}`

			`// same as above but for RTF documents`
			`rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {`
			`meta:`
			`author = "John Davison"`
			`description = "Attempts to identify the exploit CVE 2017 11882"`
			`reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"`
			`sample = "51cf2a6c0c1a29abca9fd13cb22421da"`
			`score = 60`
			`//file_ext = "rtf"`
			`strings:`
			`$headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ??`
			`61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ??`
			`?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??`
			`?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33`
			`?? ?? }`
			`$font = { 30 61 30 31 30 38 35 61 35 61 }`
			`$winexec = { 31 32 30 63 34 33 30 30 }`
			`condition:`
			`all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)`
			`}`
YARA rule for CVE-2017-11882 by Rich Warren https://github.com/rxwx/CVE-2018-0802/tree/master/yara 2018-01-14 12:49:40 +00:00
			`rule packager_cve2017_11882 {`
			`meta:`
			`author = "Rich Warren"`
			`description = "Attempts to exploit CVE-2017-11882 using Packager"`
			`reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"`
			`score = 60`
			`strings:`
			`$font = { 30 61 30 31 30 38 35 61 35 61 }`
			`$equation = { 45 71 75 61 74 69 6F 6E 2E 33 }`
			`$package = { 50 61 63 6b 61 67 65 }`
			`$header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase`
			`condition:`
			`uint32be(0) == 0x7B5C7274 // RTF header`
			`and all of them`
			`}`