Peter M. Groen / oletools

Commit 31b535f357867561489269e04f4804bd91fd6f4e

Authored by decalage2
1 parent 009b32d9

oledir: moved KNOWN_CLSIDs to common.clsid

Inline Side-by-side
Showing 4 changed files with 84 additions and 28 deletions
oletools/common/__init__.py 0 → 100644
  View file @31b535f
oletools/common/clsid.py 0 → 100644
  View file @31b535f
  1 +"""
  2 +clsid.py
  3 +
  4 +Collection of known CLSIDs and related vulnerabilities, for the oletools.
  5 +
  6 +Author: Philippe Lagadec - http://www.decalage.info
  7 +License: BSD, see source code or documentation
  8 +
  9 +clsid is part of the python-oletools package:
  10 +http://www.decalage.info/python/oletools
  11 +"""
  12 +
  13 +#=== LICENSE ==================================================================
  14 +
  15 +# oletools are copyright (c) 2018 Philippe Lagadec (http://www.decalage.info)
  16 +# All rights reserved.
  17 +#
  18 +# Redistribution and use in source and binary forms, with or without modification,
  19 +# are permitted provided that the following conditions are met:
  20 +#
  21 +# * Redistributions of source code must retain the above copyright notice, this
  22 +# list of conditions and the following disclaimer.
  23 +# * Redistributions in binary form must reproduce the above copyright notice,
  24 +# this list of conditions and the following disclaimer in the documentation
  25 +# and/or other materials provided with the distribution.
  26 +#
  27 +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
  28 +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  29 +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  30 +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  31 +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  32 +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  33 +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  34 +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  35 +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  36 +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  37 +
  38 +#------------------------------------------------------------------------------
  39 +# CHANGELOG:
  40 +# 2018-04-11 v0.53 PL: - added collection of CLSIDs
  41 +# 2018-04-13 PL: - moved KNOWN_CLSIDS from oledir to common.clsid
  42 +# SQ: - several additions by Shiao Qu
  43 +
  44 +__version__ = '0.53dev3'
  45 +
  46 +
  47 +KNOWN_CLSIDS = {
  48 + # MS Office files
  49 + '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document',
  50 + '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document',
  51 + '00020832-0000-0000-C000-000000000046': 'Excel sheet with macro enabled',
  52 + '00020833-0000-0000-C000-000000000046': 'Excel binary sheet with macro enabled',
  53 + # OLE Objects
  54 + '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',
  55 + '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882 or CVE-2018-0802)',
  56 + 'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)',
  57 + '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)',
  58 + 'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)',
  59 + 'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr CWRAssembly Object (may trigger CVE-2015-1641)',
  60 + 'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',
  61 + # Monikers
  62 + '00000303-0000-0000-C000-000000000046': 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
  63 + '00000304-0000-0000-C000-000000000046': 'Item Moniker',
  64 + '00000305-0000-0000-C000-000000000046': 'Anti Moniker',
  65 + '00000306-0000-0000-C000-000000000046': 'Pointer Moniker',
  66 + '00000308-0000-0000-C000-000000000046': 'Packager Moniker',
  67 + '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',
  68 + '0000031a-0000-0000-C000-000000000046': 'Class Moniker',
  69 + '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
  70 + '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
  71 + '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
  72 + 'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker (may trigger CVE-2017-8759)',
  73 + 'ECABAFC6-7F19-11D2-978E-0000F8757E2A': 'New Moniker',
  74 + # ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
  75 + '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)',
  76 + '06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)',
  77 +
  78 + '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',
  79 +}
  80 +
oletools/oledir.py
  View file @31b535f
@@ -49,8 +49,9 @@ from __future__ import print_function @@ -49,8 +49,9 @@ from __future__ import print_function
49 # 2017-03-08 v0.51 PL: - fixed absolute imports, added optparse 49 # 2017-03-08 v0.51 PL: - fixed absolute imports, added optparse
50 # - added support for zip files and wildcards 50 # - added support for zip files and wildcards
51 # 2018-04-11 v0.53 PL: - added table displaying storage tree and CLSIDs 51 # 2018-04-11 v0.53 PL: - added table displaying storage tree and CLSIDs
  52 +# 2018-04-13 PL: - moved KNOWN_CLSIDS to common.clsid
52 53
53 -__version__ = '0.53dev2' 54 +__version__ = '0.53dev3'
54 55
55 #------------------------------------------------------------------------------ 56 #------------------------------------------------------------------------------
56 # TODO: 57 # TODO:
@@ -89,7 +90,7 @@ if os.name == 'nt': @@ -89,7 +90,7 @@ if os.name == 'nt':
89 from oletools.thirdparty import olefile 90 from oletools.thirdparty import olefile
90 from oletools.thirdparty.tablestream import tablestream 91 from oletools.thirdparty.tablestream import tablestream
91 from oletools.thirdparty.xglob import xglob 92 from oletools.thirdparty.xglob import xglob
92 - 93 +from oletools.common.clsid import KNOWN_CLSIDS
93 94
94 # === CONSTANTS ============================================================== 95 # === CONSTANTS ==============================================================
95 96
@@ -119,31 +120,6 @@ STATUS_COLORS = { @@ -119,31 +120,6 @@ STATUS_COLORS = {
119 'ORPHAN': 'red', 120 'ORPHAN': 'red',
120 } 121 }
121 122
122 -KNOWN_CLSIDS = {  
123 - # MS Office files  
124 - '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document',  
125 - '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document',  
126 - '00020832-0000-0000-C000-000000000046': 'Excel sheet with macro enabled',  
127 - '00020833-0000-0000-C000-000000000046': 'Excel binary sheet with macro enabled',  
128 -  
129 - # OLE Objects  
130 - '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',  
131 - '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882 or CVE-2018-0802)',  
132 - 'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)',  
133 - '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)',  
134 - 'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)',  
135 - 'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr CWRAssembly Object (may trigger CVE-2015-1641)',  
136 - 'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',  
137 - # Monikers  
138 - '00000303-0000-0000-C000-000000000046': 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',  
139 - '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',  
140 - '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',  
141 - '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',  
142 - '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',  
143 - 'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker (may trigger CVE-2017-8759)',  
144 - 'ECABAFC6-7F19-11D2-978E-0000F8757E2A': 'New Moniker',  
145 -}  
146 -  
147 123
148 # === FUNCTIONS ============================================================== 124 # === FUNCTIONS ==============================================================
149 125
setup.py
  View file @31b535f
@@ -43,7 +43,7 @@ import os, fnmatch @@ -43,7 +43,7 @@ import os, fnmatch
43 #--- METADATA ----------------------------------------------------------------- 43 #--- METADATA -----------------------------------------------------------------
44 44
45 name = "oletools" 45 name = "oletools"
46 -version = '0.53dev2' 46 +version = '0.53dev3'
47 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" 47 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
48 long_desc = open('oletools/README.rst').read() 48 long_desc = open('oletools/README.rst').read()
49 author = "Philippe Lagadec" 49 author = "Philippe Lagadec"