
YARA rules for CVE-2017-11882

Two YARA rules whose family, name, or description matches this CVE or its tooling. Use these for binary-pattern hunts over RTF and OLE documents.

packager_cve2017_11882 (direct match; family: packager)
Attempts to exploit CVE-2017-11882 using Packager
Author: Rich Warren · License: see source repo
rule packager_cve2017_11882 {
   meta:
      author = "Rich Warren"
      description = "Attempts to exploit CVE-2017-11882 using Packager"
      reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
      score = 60
      id = "57ff395e-e56a-5e63-bde6-f3cef038fcd6"
   strings:
      $font = { 30 61 30 31 30 38 35 61  35 61 }                  // ASCII hex text "0a01085a5a": MTEF FONT record as it appears in the RTF hex stream
      $equation = { 45 71 75 61 74 69 6F 6E 2E 33 }               // "Equation.3" OLE class name
      $package = { 50 61 63 6b 61 67 65 }                         // "Package" (OLE Packager object)
      $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase // hex-text MTEF header 03 01 0x followed by 54 hex-encoded bytes, then a 00 byte
   condition:
      uint32be(0) == 0x7B5C7274 // RTF header
      and all of them
}
CVE_2017_11882_RTF (direct match; family: CVE)
Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882
Author: Florian Roth (Nextron Systems) · License: see source repo
rule CVE_2017_11882_RTF {
   meta:
      description = "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-02-13"
      score = 60
      id = "400689ff-e856-5cbf-a7fa-93f6a8d8dbb9"
   strings:
      $x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */
      $x2 = "6d736874612e6578652068747470" /* mshta.exe http */
      $x3 = "6d736874612068747470" /* mshta http */
      $x4 = "4d534854412068747470" /* MSHTA http */

      $s1 = "4d6963726f736f6674204571756174696f6e20332e30" ascii /* Microsoft Equation 3.0 */
      $s2 = "4500710075006100740069006f006e0020004e00610074006900760065" ascii /* Equation Native */
      $s3 = "2e687461000000000000000000000000000000000000000000000" /* .hta .... */
   condition:
      ( uint32be(0) == 0x7B5C7274 or uint32be(0) == 0x7B5C2A5C ) /* RTF */
      and filesize < 300KB and
      ( 1 of ($x*) or 2 of them )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin