oledir: added more CLSIDs

decalage2
1 parent 781e2ad2
Showing 2 changed files with 18 additions and 7 deletions
oletools/oledir.py
setup.py
@@ -50,7 +50,7 @@ from __future__ import print_function
 #                      - added support for zip files and wildcards
 # 2018-04-11 v0.53 PL: - added table displaying storage tree and CLSIDs
  
-__version__ = '0.53dev1'
+__version__ = '0.53dev2'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -122,22 +122,33 @@ STATUS_COLORS = {
 KNOWN_CLSIDS = {
     # MS Office files
     '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document',
+    '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document',
     # OLE Objects
-    '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882)',
-    # OLE Links
     '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',
+    '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882)',
+    'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)',
+    '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)',
+    'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)',
+    'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr CWRAssembly Object (may trigger CVE-2015-1641)',
+    'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',
     # Monikers
     '00000303-0000-0000-C000-000000000046': 'File Moniker',
     '00000304-0000-0000-C000-000000000046': 'Item Moniker',
     '00000305-0000-0000-C000-000000000046': 'Anti Moniker',
     '00000306-0000-0000-C000-000000000046': 'Pointer Moniker',
     '00000308-0000-0000-C000-000000000046': 'Packager Moniker',
-    '00000309-0000-0000-C000-000000000046': 'Composite Moniker',
+    '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',
     '0000031a-0000-0000-C000-000000000046': 'Class Moniker',
     '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
     '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
-    '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker',
+    '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199)',
     'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker',
+    'ECABAFC6-7F19-11D2-978E-0000F8757E2A': 'New Moniker',
+    # ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
+    '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)',
+    '06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)',
+
+    '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',
 }
  
  
@@ -153,7 +164,7 @@ def clsid_display(clsid):
     if clsid in KNOWN_CLSIDS:
         clsid += '\n%s' % KNOWN_CLSIDS[clsid]
     color = 'yellow'
-    if 'CVE-' in clsid:
+    if 'CVE' in clsid:
         color = 'red'
     return (clsid, color)
  
@@ -43,7 +43,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
  
 name         = "oletools"
-version      = '0.53dev1'
+version      = '0.53dev2'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"