CVE-2017-11882 by John Davison

yara/exploit_cve_2017_11882.yar

@@ -0,0 +1,37 @@
+rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
+    meta:
+        author = "John Davison"
+        description = "Attempts to identify the exploit CVE 2017 11882"
+        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
+        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+        score = 60
+        //file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
+    strings:
+        $headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
+        $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
+        //$code = /[\x01-\x7F]{44}/
+        $winexec = { 12 0c 43 00 }
+    condition:
+        all of them and @font > @headers and @winexec == @font + 5 + 44
+}
+
+// same as above but for RTF documents
+rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
+    meta:
+        author = "John Davison"
+        description = "Attempts to identify the exploit CVE 2017 11882"
+        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
+        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+        score = 60
+        //file_ext = "rtf"
+    strings:
+        $headers = { 31 63 30 30 30 30 30 30  30 32 30 30 ?? ?? ?? ??
+                     61 39 30 30 30 30 30 30  ?? ?? ?? ?? ?? ?? ?? ??
+                     ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??
+                     ?? ?? ?? ?? ?? ?? ?? ??  30 33 30 31 30 31 30 33
+                     ?? ?? }
+        $font = { 30 61 30 31 30 38 35 61  35 61 }
+        $winexec = { 31 32 30 63 34 33 30 30 }
+    condition:
+        all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
+}