mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
65 lines
2.1 KiB
Plaintext
65 lines
2.1 KiB
Plaintext
rule malrtf_ole2link : exploit {
|
|
meta:
|
|
author = "@h3x2b <tracker _AT h3x.eu>"
|
|
description = "Detect weaponized RTF documents with OLE2Link exploit"
|
|
strings:
|
|
//having objdata structure
|
|
$rtf_olelink_01 = "\\objdata" nocase
|
|
//hex encoded OLE2Link
|
|
$rtf_olelink_02 = "4f4c45324c696e6b" nocase
|
|
//hex encoded docfile magic - doc file albilae
|
|
$rtf_olelink_03 = "d0cf11e0a1b11ae1" nocase
|
|
//hex encoded "http://"
|
|
$rtf_payload_01 = "68007400740070003a002f002f00" nocase
|
|
//hex encoded "https://"
|
|
$rtf_payload_02 = "680074007400700073003a002f002f00" nocase
|
|
//hex encoded "ftp://"
|
|
$rtf_payload_03 = "6600740070003a002f002f00" nocase
|
|
condition:
|
|
uint32be(0) == 0x7B5C7274
|
|
and all of ($rtf_olelink_*)
|
|
and any of ($rtf_payload_*)
|
|
}
|
|
|
|
rule exploit_ole_stdolelink {
|
|
meta:
|
|
author = "David Cannings"
|
|
description = "StdOleLink, potential 0day in April 2017"
|
|
score = 55
|
|
strings:
|
|
// Parsers will open files without the full 'rtf'
|
|
$header_rtf = "{\\rt" nocase
|
|
$header_office = { D0 CF 11 E0 }
|
|
$header_xml = "<?xml version=" nocase wide ascii
|
|
|
|
// Marks of embedded data (reduce FPs)
|
|
// RTF format
|
|
$embedded_object = "\\object" nocase
|
|
$embedded_objdata = "\\objdata" nocase
|
|
$embedded_ocx = "\\objocx" nocase
|
|
$embedded_objclass = "\\objclass" nocase
|
|
$embedded_oleclass = "\\oleclsid" nocase
|
|
|
|
// XML Office documents
|
|
$embedded_axocx = "<ax:ocx" nocase wide ascii
|
|
$embedded_axclassid = "ax:classid" nocase wide ascii
|
|
|
|
// OLE format
|
|
$embedded_root_entry = "Root Entry" wide
|
|
$embedded_comp_obj = "Comp Obj" wide
|
|
$embedded_obj_info = "Obj Info" wide
|
|
$embedded_ole10 = "Ole10Native" wide
|
|
|
|
$data0 = "00000300-0000-0000-C000-000000000046" nocase wide ascii
|
|
$data2 = "OLE2Link" nocase wide ascii
|
|
$data3 = "4f4c45324c696e6b" nocase wide ascii
|
|
$data4 = "StdOleLink" nocase wide ascii
|
|
$data5 = "5374644f6c654c696e6b" nocase wide ascii
|
|
|
|
condition:
|
|
// Mandatory header plus sign of embedding, then any of the others
|
|
for any of ($header*) : ( @ == 0 ) and 1 of ($embedded*)
|
|
and (1 of ($data*))
|
|
and extension != ".msi"
|
|
}
|