Commit 1016bf9e5e6daf370d1ddddab149e6a94cf270f7
1 parent
02bd7d92
clsid: added more CLSIDs (issue #299), merged and sorted
Showing
1 changed file
with
61 additions
and
43 deletions
oletools/common/clsid.py
| ... | ... | @@ -41,45 +41,19 @@ http://www.decalage.info/python/oletools |
| 41 | 41 | # 2018-04-13 PL: - moved KNOWN_CLSIDS from oledir to common.clsid |
| 42 | 42 | # SQ: - several additions by Shiao Qu |
| 43 | 43 | # 2018-04-18 PL: - added known-bad CLSIDs from Cuckoo sandbox (issue #290) |
| 44 | +# 2018-05-08 PL: - added more CLSIDs (issue #299), merged and sorted | |
| 44 | 45 | |
| 45 | 46 | __version__ = '0.53dev9' |
| 46 | 47 | |
| 47 | 48 | |
| 48 | -KNOWN_CLSIDS = { | |
| 49 | - # MS Office files | |
| 50 | - '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document', | |
| 51 | - '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document', | |
| 52 | - 'F4754C9B-64F5-4B40-8AF4-679732AC0607': 'Microsoft Word Document', | |
| 53 | - | |
| 54 | - '00020820-0000-0000-C000-000000000046': 'Microsoft Excel 97-2003 Worksheet', | |
| 55 | - '00020832-0000-0000-C000-000000000046': 'Excel sheet with macro enabled', | |
| 56 | - '00020833-0000-0000-C000-000000000046': 'Excel binary sheet with macro enabled', | |
| 49 | +# REFERENCES: | |
| 50 | +# Known-bad CLSIDs from Cuckoo Sandbox: | |
| 51 | +# https://github.com/cuckoosandbox/community/blob/master/modules/signatures/windows/office.py#L314 | |
| 52 | +# ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html | |
| 57 | 53 | |
| 58 | - # OLE Objects | |
| 59 | - '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)', | |
| 60 | - '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882 or CVE-2018-0802)', | |
| 61 | - '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)', | |
| 62 | - 'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)', | |
| 63 | - 'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton', | |
| 64 | - 'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)', | |
| 65 | - # Known-bad CLSIDs from Cuckoo Sandbox: | |
| 66 | - # https://github.com/cuckoosandbox/community/blob/master/modules/signatures/windows/office.py#L314 | |
| 67 | - "00000535-0000-0010-8000-00AA006D2EA4": "ADODB.RecordSet (may trigger CVE-2015-0097)", | |
| 68 | - "05741520-C4EB-440A-AC3F-9643BBC9F847": "otkloadr.WRLoader (may trigger CVE-2015-1641)", | |
| 69 | - "0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC": "MSScriptControl.ScriptControl (may trigger CVE-2015-0097)", | |
| 70 | - "1EFB6596-857C-11D1-B16A-00C0F0283628": "MSCOMCTL.TabStrip (may trigger CVE-2012-1856, CVE-2013-3906 - often used for heap spray)", | |
| 71 | - "44F9A03B-A3EC-4F3B-9364-08E0007F21DF": "Control.TaskSymbol (may trigger CVE-2015-2424)", | |
| 72 | - "4C599241-6926-101B-9992-00000B65C6F9": "Forms.Image (may trigger CVE-2015-2424)", | |
| 73 | - "66833FE6-8583-11D1-B16A-00C0F0283628": "MSCOMCTL.Toolbar (may trigger CVE-2012-1856)", | |
| 74 | - "9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E": "MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)", | |
| 75 | - "996BF5E0-8044-4650-ADEB-0B013914E99C": "MSCOMCTL.ListViewCtrl (may trigger CVE-2012-0158)", | |
| 76 | - "BDD1F04B-858B-11D1-B16A-00C0F0283628": "MSCOMCTL.ListViewCtrl (may trigger CVE-2012-0158)", | |
| 77 | - "C74190B6-8589-11d1-B16A-00C0F0283628": "MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)", | |
| 78 | - "DD9DA666-8594-11D1-B16A-00C0F0283628": "MSCOMCTL.ImageComboCtrl (may trigger CVE-2014-1761)", | |
| 79 | - '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)', | |
| 80 | - 'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr WRAssembly Object (may trigger CVE-2015-1641)', | |
| 81 | 54 | |
| 82 | - # Monikers | |
| 55 | +KNOWN_CLSIDS = { | |
| 56 | + '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object - Known Related to CVE-2017-0199, CVE-2017-8570 or CVE-2017-8759)', | |
| 83 | 57 | '00000303-0000-0000-C000-000000000046': 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)', |
| 84 | 58 | '00000304-0000-0000-C000-000000000046': 'Item Moniker', |
| 85 | 59 | '00000305-0000-0000-C000-000000000046': 'Anti Moniker', |
| ... | ... | @@ -87,20 +61,64 @@ KNOWN_CLSIDS = { |
| 87 | 61 | '00000308-0000-0000-C000-000000000046': 'Packager Moniker', |
| 88 | 62 | '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)', |
| 89 | 63 | '0000031a-0000-0000-C000-000000000046': 'Class Moniker', |
| 64 | + '00000535-0000-0010-8000-00AA006D2EA4': 'ADODB.RecordSet (may trigger CVE-2015-0097)', | |
| 90 | 65 | '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker', |
| 91 | 66 | '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker', |
| 67 | + '00020810-0000-0000-C000-000000000046': 'Microsoft Excel.Sheet.5', | |
| 68 | + '00020811-0000-0000-C000-000000000046': 'Microsoft Excel.Chart.5', | |
| 69 | + '00020820-0000-0000-C000-000000000046': 'Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)', | |
| 70 | + '00020821-0000-0000-C000-000000000046': 'Microsoft Excel.Chart.8', | |
| 71 | + '00020830-0000-0000-C000-000000000046': 'Microsoft Excel.Sheet.12', | |
| 72 | + '00020832-0000-0000-C000-000000000046': 'Microsoft Excel sheet with macro enabled (Excel.SheetMacroEnabled.12)', | |
| 73 | + '00020833-0000-0000-C000-000000000046': 'Microsoft Excel binary sheet with macro enabled (Excel.SheetBinaryMacroEnabled.12)', | |
| 74 | + '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document (Word.Document.6)', | |
| 75 | + '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document (Word.Document.8)', | |
| 76 | + '00021700-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)', | |
| 77 | + '0002CE02-0000-0000-C000-000000000046': 'Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)', | |
| 78 | + '0002CE03-0000-0000-C000-000000000046': 'MathType Equation Object', | |
| 79 | + '0003000C-0000-0000-C000-000000000046': 'OLE Package Object (may contain and run any file)', | |
| 80 | + '048EB43E-2059-422F-95E0-557DA96038AF': 'Microsoft Powerpoint.Slide.12', | |
| 81 | + '05741520-C4EB-440A-AC3F-9643BBC9F847': 'otkloadr.WRLoader (may trigger CVE-2015-1641)', | |
| 82 | + '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)', | |
| 83 | + '06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)', | |
| 84 | + '0CF774D0-F077-11D1-B1BC-00C04F86C324': 'scrrun.dll - HTML File Host Encode Object (ProgID: HTML.HostEncode)', | |
| 85 | + '0D43FE01-F093-11CF-8940-00A0C9054228': 'scrrun.dll - FileSystem Object (ProgID: Scripting.FileSystemObject)', | |
| 86 | + '0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC': 'MSScriptControl.ScriptControl (may trigger CVE-2015-0097)', | |
| 87 | + '1EFB6596-857C-11D1-B16A-00C0F0283628': 'MSCOMCTL.TabStrip (may trigger CVE-2012-1856, CVE-2013-3906 - often used for heap spray)', | |
| 88 | + '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)', | |
| 89 | + '44F9A03B-A3EC-4F3B-9364-08E0007F21DF': 'Control.TaskSymbol (may trigger CVE-2015-2424)', | |
| 90 | + '46E31370-3F7A-11CE-BED6-00AA00611080': 'Forms.MultiPage', | |
| 91 | + '4C599241-6926-101B-9992-00000B65C6F9': 'Forms.Image (may trigger CVE-2015-2424)', | |
| 92 | + '4D3263E4-CAB7-11D2-802A-0080C703929C': 'AutoCAD 2000-2002 Document', | |
| 93 | + '5E4405B0-5374-11CE-8E71-0020AF04B1D7': 'AutoCAD R14 Document', | |
| 94 | + '64818D10-4F9B-11CF-86EA-00AA00B929E8': 'Microsoft Powerpoint.Show.8', | |
| 95 | + '64818D11-4F9B-11CF-86EA-00AA00B929E8': 'Microsoft Powerpoint.Slide.8', | |
| 96 | + '66833FE6-8583-11D1-B16A-00C0F0283628': 'MSCOMCTL.Toolbar (may trigger CVE-2012-1856)', | |
| 97 | + '6A221957-2D85-42A7-8E19-BE33950D1DEB': 'AutoCAD 2013 Document', | |
| 98 | + '6E182020-F460-11CE-9BCD-00AA00608E01': 'Forms.Frame', | |
| 92 | 99 | '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)', |
| 100 | + '7AABBB95-79BE-4C0F-8024-EB6AF271231C': 'AutoCAD 2007-2009 Document', | |
| 101 | + '85131630-480C-11D2-B1F9-00C04F86C324': 'scrrun.dll - JS File Host Encode Object (ProgID: JSFile.HostEncode)', | |
| 102 | + '85131631-480C-11D2-B1F9-00C04F86C324': 'scrrun.dll - VBS File Host Encode Object (ProgID: VBSFile.HostEncode)', | |
| 103 | + '8E75D913-3D21-11D2-85C4-080009A0C626': 'AutoCAD 2004-2006 Document', | |
| 104 | + '9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E': 'MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)', | |
| 105 | + '996BF5E0-8044-4650-ADEB-0B013914E99C': 'MSCOMCTL.ListViewCtrl (may trigger CVE-2012-0158)', | |
| 106 | + 'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr WRAssembly Object (may trigger CVE-2015-1641)', | |
| 107 | + 'B54F3741-5B07-11CF-A4B0-00AA004A55E8': 'vbscript.dll - VB Script Language (ProgID: VBS, VBScript)', | |
| 108 | + 'BDD1F04B-858B-11D1-B16A-00C0F0283628': 'MSCOMCTL.ListViewCtrl (may trigger CVE-2012-0158)', | |
| 109 | + 'C62A69F0-16DC-11CE-9E98-00AA00574A4F': 'Forms.Form', | |
| 110 | + 'C74190B6-8589-11d1-B16A-00C0F0283628': 'MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)', | |
| 111 | + 'C74190B6-8589-11D1-B16A-00C0F0283628': 'MSCOMCTL.TreeCtrl', | |
| 112 | + 'CF4F55F4-8F87-4D47-80BB-5808164BB3F8': 'Microsoft Powerpoint.Show.12', | |
| 113 | + 'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)', | |
| 114 | + 'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton', | |
| 115 | + 'D70E31AD-2614-49F2-B0FC-ACA781D81F3E': 'AutoCAD 2010-2012 Document', | |
| 116 | + 'DD9DA666-8594-11D1-B16A-00C0F0283628': 'MSCOMCTL.ImageComboCtrl (may trigger CVE-2014-1761)', | |
| 117 | + 'E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4': 'InkEd.InkEdit', | |
| 93 | 118 | 'ECABAFC6-7F19-11D2-978E-0000F8757E2A': 'New Moniker', |
| 94 | 119 | 'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker (may trigger CVE-2017-8759)', |
| 95 | - # ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html | |
| 96 | - '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)', | |
| 97 | - '06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)', | |
| 98 | - | |
| 99 | - "0CF774D0-F077-11D1-B1BC-00C04F86C324": "scrrun.dll - HTML File Host Encode Object (ProgID: HTML.HostEncode)", | |
| 100 | - "0D43FE01-F093-11CF-8940-00A0C9054228": "scrrun.dll - FileSystem Object (ProgID: Scripting.FileSystemObject)", | |
| 101 | - "85131630-480C-11D2-B1F9-00C04F86C324": "scrrun.dll - JS File Host Encode Object (ProgID: JSFile.HostEncode)", | |
| 102 | - "85131631-480C-11D2-B1F9-00C04F86C324": "scrrun.dll - VBS File Host Encode Object (ProgID: VBSFile.HostEncode)", | |
| 103 | - "B54F3741-5B07-11CF-A4B0-00AA004A55E8": "vbscript.dll - VB Script Language (ProgID: VBS, VBScript)", | |
| 104 | - "F414C260-6AC0-11CF-B6D1-00AA00BBBB58": "jscript.dll - JScript Language (ProgID: ECMAScript, JavaScript, JScript, LiveScript)", | |
| 120 | + 'F20DA720-C02F-11CE-927B-0800095AE340': 'OLE Package Object (may contain and run any file)', | |
| 121 | + 'F414C260-6AC0-11CF-B6D1-00AA00BBBB58': 'jscript.dll - JScript Language (ProgID: ECMAScript, JavaScript, JScript, LiveScript)', | |
| 122 | + 'F4754C9B-64F5-4B40-8AF4-679732AC0607': 'Microsoft Word Document (Word.Document.12)', | |
| 105 | 123 | } |
| 106 | 124 | ... | ... |
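Review bot: The merged table now holds the same CLSID under two keys that differ only in case, `'C74190B6-8589-11d1-B16A-00C0F0283628'` (annotated "may trigger CVE-2012-0158") and `'C74190B6-8589-11D1-B16A-00C0F0283628'` (no annotation), and three more keys ('0000031a…', '0002034c…', '0002034e…') are lowercase while every other key is uppercase, so a case-sensitive `KNOWN_CLSIDS[clsid]` lookup will hit or miss, and show or hide the CVE hint, depending purely on how the caller spells the GUID. I would uppercase every key in the literal, keep only `'C74190B6-8589-11D1-B16A-00C0F0283628': 'MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)',`, and have the lookup side normalize with `.upper()` before indexing (that code is outside this hunk, so please check it does not already do so). While here, the Excel.Sheet.8 entry reads `'Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)'` — the doubled word should go — and the StdOleLink and two Equation entries say "Known Related to" where every other entry says "may trigger"; a single phrasing keeps the table greppable. The KNOWN_CLSIDS literal opens in the first hunk and its closing brace is the last visible context line, so the dict spans both hunks.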