Commit 009b32d9d9843bb34934196a342f22034e406f9a
Committed by
GitHub
Merge pull request #282 from ShiaoQu17/master
Update oledir.py
Showing
1 changed file
with
8 additions
and
15 deletions
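--- a/oletools/oledir.py
+++ b/oletools/oledir.py
@@ -123,32 +123,25 @@ KNOWN_CLSIDS = {
 # MS Office files
 '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document',
 '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document',
+'00020832-0000-0000-C000-000000000046': 'Excel sheet with macro enabled',
+'00020833-0000-0000-C000-000000000046': 'Excel binary sheet with macro enabled',
+
 # OLE Objects
 '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',
-'0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882)',
+'0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882 or CVE-2018-0802)',
 'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)',
 '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)',
 'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)',
 'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr CWRAssembly Object (may trigger CVE-2015-1641)',
 'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',
 # Monikers
-'00000303-0000-0000-C000-000000000046': 'File Moniker',
-'00000304-0000-0000-C000-000000000046': 'Item Moniker',
-'00000305-0000-0000-C000-000000000046': 'Anti Moniker',
-'00000306-0000-0000-C000-000000000046': 'Pointer Moniker',
-'00000308-0000-0000-C000-000000000046': 'Packager Moniker',
+'00000303-0000-0000-C000-000000000046': 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
 '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',
-'0000031a-0000-0000-C000-000000000046': 'Class Moniker',
 '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
 '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
-'79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199)',
-'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker',
+'79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
+'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker (may trigger CVE-2017-8759)',
 'ECABAFC6-7F19-11D2-978E-0000F8757E2A': 'New Moniker',
-# ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
-'06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)',
-'06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)',
-
-'3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',
 }
 
 
@@ -272,4 +265,4 @@ def main():
 
 
 if __name__ == '__main__':
-main()
\ No newline at end of file
+main()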
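Review bot: Analysts lose the labels for eight CLSIDs that KNOWN_CLSIDS previously recognised, because the first hunk deletes the Item, Anti, Pointer, Packager and Class monikers, the scriptlet-file factory, the Script Moniker and the HTML Application entry without replacing them; objects carrying those CLSIDs would presumably no longer get a description or CVE hint from this table. Nothing in the commit title or description explains the removal, and the reference link for the CVE-2017-0199 patch bypass goes with it, which suggests the edit was made against an older copy of the file. Keep the new Excel entries and CVE annotations but restore the deleted lines, in particular `'06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)',` and `'3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',`. The dictionary opens above the hunk and the code that looks CLSIDs up in it is not visible here.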