Commit 876de10e2a717a495b37cb37bbb28bfde9ca8006
Committed by
GitHub
Merge pull request #460 from Maijin/urlcarver
Add URL carver for CVE-2017-0199 Fix #163
Showing
1 changed file
with
17 additions
and
1 deletions
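--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -907,7 +907,23 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
 # http://www.kb.cert.org/vuls/id/921560
 if rtfobj.class_name == b'OLE2Link':
     ole_color = 'red'
-    ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
+    ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)\n'
+    # https://bitbucket.org/snippets/Alexander_Hanel/7Adpp
+    found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
+    urls = []
+    for item in found_list:
+        try:
+            temp = item.replace("\x0D\x0A","").decode("hex")
+        except:
+            continue
+        pat = re.compile(r'(?:[\x20-\x7E][\x00]){3,}')
+        words = [w.decode('utf-16le') for w in pat.findall(temp)]
+        for w in words:
+            if "http" in w:
+                urls.append(w)
+    urls = sorted(set(urls))
+    if urls:
+        ole_column += 'URL extracted: ' + ', '.join(urls)
 # Detect Equation Editor exploit
 # https://www.kb.cert.org/vuls/id/421280/
 elif rtfobj.class_name.lower() == b'equation.3':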
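Review bot: The bare `except:` around the hex decode swallows every exception, including KeyboardInterrupt and SystemExit, and will silently hide real failures in the carver; narrow it to the errors a bad hex run can raise, `except (TypeError, ValueError):`. On the same line, `.decode("hex")` relies on the Python 2 str codec and will not work on Python 3 bytes — if this module is meant to run on both (cannot tell from the hunk), `binascii.unhexlify(item.replace("\x0D\x0A", ""))` works on either, at the cost of an import. `pat = re.compile(...)` is rebuilt on every iteration; hoist it above the `for item in found_list:` loop. Since the `if "http" in w` filter accepts any UTF-16 word containing that substring, a comment such as `# indicator-grade only: candidate strings containing 'http', not validated URLs` would set analyst expectations for the 'URL extracted' output. process_file continues outside the hunk, so `re` and `data` are assumed to be in scope from the rest of the file.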