Commit 876de10e2a717a495b37cb37bbb28bfde9ca8006
Committed by
GitHub
Merge pull request #460 from Maijin/urlcarver
Add URL carver for CVE-2017-0199 Fix #163
Showing
1 changed file
with
17 additions
and
1 deletions
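--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -907,7 +907,23 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
             # http://www.kb.cert.org/vuls/id/921560
             if rtfobj.class_name == b'OLE2Link':
                 ole_color = 'red'
-                ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
+                ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)\n'
+                # https://bitbucket.org/snippets/Alexander_Hanel/7Adpp
+                found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
+                urls = []
+                for item in found_list:
+                    try:
+                        temp = item.replace("\x0D\x0A","").decode("hex")
+                    except:
+                        continue
+                    pat = re.compile(r'(?:[\x20-\x7E][\x00]){3,}')
+                    words = [w.decode('utf-16le') for w in pat.findall(temp)]
+                    for w in words:
+                        if "http" in w:
+                            urls.append(w)
+                urls = sorted(set(urls))
+                if urls:
+                    ole_column += 'URL extracted: ' + ', '.join(urls)
             # Detect Equation Editor exploit
             # https://www.kb.cert.org/vuls/id/421280/
             elif rtfobj.class_name.lower() == b'equation.3':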
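Review bot: The added scan at new lines 912–916 is Python 2-only: `re.findall` with a str pattern against `data`, which the `b'OLE2Link'` comparison suggests is bytes, raises TypeError outside the try on Python 3, and `.decode("hex")` does not exist on bytes there either. The bare `except:` then hides every failure, including a lone `\n` inside a hex run (the character class admits it but `replace("\x0D\x0A","")` only strips CRLF pairs), so such objects silently yield no URL, and it also swallows KeyboardInterrupt. I would use bytes patterns, strip `\r` and `\n` individually, decode with `binascii.unhexlify`, catch only `(TypeError, ValueError)` (`binascii.Error` is a ValueError subclass), and hoist the UTF-16 pattern to module level instead of recompiling it per item; `binascii` is stdlib and would need importing at the top of the file. Note also that the scan walks the whole `data` buffer rather than the current object's own bytes, so every OLE2Link object in a file reports the same URL list — if the object exposes its raw hex data, scanning that would be more precise. `process_file` starts and ends outside this hunk.
```python
                # … unchanged: OLE2Link detection and warning text …
                # https://bitbucket.org/snippets/Alexander_Hanel/7Adpp
                found_list = re.findall(rb'[a-fA-F0-9\r\n]{128,}', data)
                urls = []
                for item in found_list:
                    try:
                        temp = binascii.unhexlify(re.sub(rb'[\r\n]', b'', item))
                    except (TypeError, ValueError):
                        # odd length or non-hex residue: not an embedded OLE stream
                        continue
                    words = [w.decode('utf-16le') for w in UTF16_WORD_RE.findall(temp)]
                    urls.extend(w for w in words if 'http' in w)
                # … unchanged: sorted(set(urls)) and 'URL extracted:' output …
```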