decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

oledir: add more known-bad CLSIDs #290

Closed decalage2 closed 6 years ago

decalage2 commented 6 years ago

source: https://github.com/docbleach/DocBleach/issues/23

and https://blog.talosintelligence.com/2017/03/how-malformed-rtf-defeats-security.html

ghost commented 6 years ago

I checked these CLSIDs in the registry, and some of them were wrong or inappropriate. The modules related to these CLSIDs are attached below:

```
"{BDD1F04B-858B-11D1-B16A-00C0F0283628}": "MSCOMCTL.ListViewCtrl (Known Vulnerable)",
"{C74190B6-8589-11D1-B16A-00C0F0283628}": "MSCOMCTL.TreeCtrl (Known Vulnerable)",
"{1EFB6596-857C-11D1-B16A-00C0F0283628}": "MSCOMCTL.TabStrip (Known Vulnerable)",
"{66833FE6-8583-11D1-B16A-00C0F0283628}": "MSCOMCTL.Toolbar (Known Vulnerable)",
"{DD9DA666-8594-11D1-B16A-00C0F0283628}": "MSCOMCTL.ImageComboCtrl (Known Vulnerable)",
"{00000535-0000-0010-8000-00AA006D2EA4}": "ADODB.RecordSet (Known Vulnerable)",
"{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}": "MSScriptControl.ScriptControl (Known Vulnerable)",
"{05741520-C4EB-440A-AC3F-9643BBC9F847}": "otkloadr.WRLoader (Known Vulnerable)",
"{A08A033D-1A75-4AB6-A166-EAD02F547959}": "otkloadr.WRAssembly (Known Vulnerable)",
"{4C599241-6926-101B-9992-00000B65C6F9}": "Forms.Image (Known Vulnerable)",
"{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}": "Control.TaskSymbol (Known Vulnerable)"
```

ghost commented 6 years ago

```
"F414C260-6AC0-11CF-B6D1-00AA00BBBB58": "jscript.dll - JScript Language (ProgID: ECMAScript, JavaScript, JScript, LiveScript)",
"B54F3741-5B07-11CF-A4B0-00AA004A55E8": "vbscript.dll - VB Script Language (ProgID: VBS, VBScript)",
"85131630-480C-11D2-B1F9-00C04F86C324": "scrrun.dll - JS File Host Encode Object (ProgID: JSFile.HostEncode)",
"85131631-480C-11D2-B1F9-00C04F86C324": "scrrun.dll - VBS File Host Encode Object (ProgID: VBSFile.HostEncode)",
"0CF774D0-F077-11D1-B1BC-00C04F86C324": "scrrun.dll - HTML File Host Encode Object (ProgID: HTML.HostEncode)",
"0D43FE01-F093-11CF-8940-00A0C9054228": "scrrun.dll - FileSystem Object (ProgID: Scripting.FileSystemObject)",
```

Found them when searching ProgIDs.
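Added example (not oletools code and not part of this thread): a minimal oledir-style check that decodes the CLSID stored at offset 80 of a 128-byte OLE2 directory entry (mixed-endian GUID layout) and matches it against a subset of the known-bad CLSIDs listed above. The directory entries used as input are constructed inline; the function and table names are my own.

```python
import uuid

# Subset of the known-bad CLSIDs from this issue, keys normalised to
# lowercase without braces so lookups are insensitive to either spelling.
KNOWN_BAD_CLSIDS = {
    "bdd1f04b-858b-11d1-b16a-00c0f0283628": "MSCOMCTL.ListViewCtrl (Known Vulnerable)",
    "c74190b6-8589-11d1-b16a-00c0f0283628": "MSCOMCTL.TreeCtrl (Known Vulnerable)",
    "00000535-0000-0010-8000-00aa006d2ea4": "ADODB.RecordSet (Known Vulnerable)",
    "0e59f1d5-1fbe-11d0-8ff2-00a0d10038bc": "MSScriptControl.ScriptControl (Known Vulnerable)",
    "05741520-c4eb-440a-ac3f-9643bbc9f847": "otkloadr.WRLoader (Known Vulnerable)",
    "b54f3741-5b07-11cf-a4b0-00aa004a55e8": "vbscript.dll - VB Script Language (ProgID: VBS, VBScript)",
    "0d43fe01-f093-11cf-8940-00a0c9054228": "scrrun.dll - FileSystem Object (ProgID: Scripting.FileSystemObject)",
}

DIR_ENTRY_SIZE = 128   # every OLE2 directory entry is 128 bytes
CLSID_OFFSET = 80      # CLSID field sits at bytes 80..95 of the entry


def normalize_clsid(text):
    """Accept '{...}' or bare form in any case; return lowercase dashed form."""
    return str(uuid.UUID(text.strip().strip("{}")))


def clsid_from_dir_entry(entry):
    """Decode the CLSID of one directory entry; None if the field is all zeros."""
    if len(entry) != DIR_ENTRY_SIZE:
        raise ValueError("directory entry must be 128 bytes")
    raw = entry[CLSID_OFFSET:CLSID_OFFSET + 16]
    if raw == b"\x00" * 16:
        return None  # plain streams usually carry no CLSID
    # Data1/Data2/Data3 are little-endian on disk, Data4 is not: bytes_le handles that.
    return str(uuid.UUID(bytes_le=bytes(raw)))


def scan_directory(data):
    """Walk a directory stream (n * 128 bytes); return [(index, clsid, description)] hits."""
    hits = []
    for i in range(len(data) // DIR_ENTRY_SIZE):
        clsid = clsid_from_dir_entry(data[i * DIR_ENTRY_SIZE:(i + 1) * DIR_ENTRY_SIZE])
        if clsid and clsid in KNOWN_BAD_CLSIDS:
            hits.append((i, clsid, KNOWN_BAD_CLSIDS[clsid]))
    return hits


def build_dir_entry(clsid_text=None):
    """Constructed sample entry: all zeros except the CLSID field (hypothetical helper)."""
    entry = bytearray(DIR_ENTRY_SIZE)
    if clsid_text:
        entry[CLSID_OFFSET:CLSID_OFFSET + 16] = uuid.UUID(clsid_text.strip("{}")).bytes_le
    return bytes(entry)
```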