Update oledir.py

Some of them are not known bad, so removed. "New Moniker" is usually embedded in the "MonikerArray" field of the Composite Moniker, so if Composite Moniker is not parsed, no need to check if this moniker exists. HTA Moniker, Script/Scriptlet Moniker will not appear in documents. These are loaded by checking the "content-type" from the remote server("Media Negotiate" procedure) or extension names from the file("GetClassFile" function), or just from the registry.

Update oledir.py
Some of them are not known bad, so removed. "New Moniker" is usually embedded in the "MonikerArray" field of the Composite Moniker, so if Composite Moniker is not parsed, no need to check if this moniker exists. HTA Moniker, Script/Scriptlet Moniker will not appear in documents. These are loaded by checking the "content-type" from the remote server("Media Negotiate" procedure) or extension names from the file("GetClassFile" function), or just from the registry.
Shiao Qu · GitHub
1 parent 34a66737
Showing 1 changed file with 8 additions and 15 deletions
oletools/oledir.py
@@ -123,32 +123,25 @@ KNOWN_CLSIDS = {
     # MS Office files
     '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document',
     '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document',
+    '00020832-0000-0000-C000-000000000046': 'Excel sheet with macro enabled',
+    '00020833-0000-0000-C000-000000000046': 'Excel binary sheet with macro enabled',
+    
     # OLE Objects
     '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',
-    '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882)',
+    '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882 or CVE-2018-0802)',
     'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)',
     '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)',
     'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)',
     'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr CWRAssembly Object (may trigger CVE-2015-1641)',
     'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',
     # Monikers
-    '00000303-0000-0000-C000-000000000046': 'File Moniker',
-    '00000304-0000-0000-C000-000000000046': 'Item Moniker',
-    '00000305-0000-0000-C000-000000000046': 'Anti Moniker',
-    '00000306-0000-0000-C000-000000000046': 'Pointer Moniker',
-    '00000308-0000-0000-C000-000000000046': 'Packager Moniker',
+    '00000303-0000-0000-C000-000000000046': 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
     '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',
-    '0000031a-0000-0000-C000-000000000046': 'Class Moniker',
     '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
     '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
-    '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199)',
-    'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker',
+    '79EAC9E0-BAF9-11CE-8C82-00AA004BA90B': 'URL Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
+    'ECABB0C7-7F19-11D2-978E-0000F8757E2A': 'SOAP Moniker (may trigger CVE-2017-8759)',
     'ECABAFC6-7F19-11D2-978E-0000F8757E2A': 'New Moniker',
-    # ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
-    '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)',
-    '06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)',
-
-    '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',
 }
@@ -272,4 +265,4 @@ def main():
 if __name__ == '__main__':
-    main()
 \ No newline at end of file
+    main()