CVE-2014-4114.lua
--[[
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Detection for CVE-2014-4114 (per the file name): the script unpacks a PPTX (ZIP)
and scans each ppt/embeddings/oleObject* member for a UNC path to an .inf file,
an embedded INF (Run key + DefaultInstall/AddReg) or an embedded EXE.
(The earlier header text naming CVE-2012-3096, DOCX/TIFF and "Flash file" was
copy-paste residue and did not describe this code.)
This lua script can be run standalone and verbosely on a PPTX file with
echo "run()" | luajit -i <script name> <pptx file>
Will Metcalf
Chris Wakelin
--]]
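-- Signature table consumed by match_strings(). Each entry has the shape
--   { needle_1, ..., needle_k, required_hits, plain, description }
-- required_hits : how many of the k needles must be present
-- plain         : true  -> string.find in plain mode (literal bytes)
--                 false -> the needle is a Lua pattern
-- description   : printed in verbose mode when the entry fires
-- Deliberately global: find_ole_with_inf_smb() reads it by name.
susp_class = {
  -- UNC path to an INF: "\092" is a backslash, so this is
  --   \\<non-NUL bytes>.inf\0   (case-insensitive "inf", NUL-terminated).
  -- The dot is written as %. so it matches a literal '.'; an unescaped '.'
  -- is a wildcard in Lua patterns and would let "\\srv\xinf\0" match too.
  {"\092\092[^%z]-%.[iI][Nn][Ff]%z",1,false,"UNC Path to INF file"},
  -- INF persistence: registry Run key plus the DefaultInstall/AddReg directives
  {"Software\092Microsoft\092Windows\092CurrentVersion\092Run","DefaultInstall","AddReg",3,true,"Embedded INF File"},
  -- PE image: a NUL byte followed by "MZ", plus the DOS stub message
  {"\000MZ","This program cannot be run in DOS mode",2,true,"Embedded EXE"},
}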
require("zip")
-- Engine hook: declare which buffers this script wants handed to match().
-- args is accepted for interface compatibility and not used.
-- Returns a table whose keys are buffer names and whose values are the
-- string "true" (the caller expects strings, hence tostring).
function init (args)
  return { ["http.response_body"] = tostring(true) }
end
--http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
-- Render every byte of str as two upper-case hex digits, each followed by
-- spacer (default: a single backslash). Not referenced elsewhere in this
-- file; handy when debugging signatures by hand.
-- Returns the resulting string.
function HexDumpString(str,spacer)
  local sep = spacer or "\\"
  local parts = {}
  for i = 1, #str do
    parts[#parts + 1] = string.format("%02X%s", string.byte(str, i), sep)
  end
  return table.concat(parts)
end
-- Test one susp_class entry against buffer a.
-- match_set : { needle_1..needle_k, required_hits, plain, description }
--             (the last three slots are metadata, so k = #match_set - 3)
-- verbose   : 1 prints the description when the entry fires
-- Returns 1 as soon as required_hits needles have been found, else 0.
function match_strings(a,match_set,verbose)
  local needle_count = #match_set - 3
  local required = match_set[needle_count + 1]
  local plain    = match_set[needle_count + 2]
  local desc     = match_set[needle_count + 3]
  local hits = 0
  for i = 1, needle_count do
    -- plain=false means the needle is a Lua pattern, not a literal
    if string.find(a, match_set[i], 1, plain) then
      hits = hits + 1
      if hits == required then
        if verbose == 1 then print("Found " .. desc) end
        return 1
      end
    end
  end
  return 0
end
-- Run every susp_class signature over one OLE object's bytes.
-- u        : the raw bytes of the embedded object
-- filename : the ZIP member name (unused here; kept for the call site)
-- verbose  : 1 prints each signature name and keeps going after a hit,
--            0 stops at the first hit
-- Returns 1 if any signature matched, 0 otherwise.
function find_ole_with_inf_smb(u,filename,verbose)
  local hit = 0
  for i = 1, #susp_class do
    local sig = susp_class[i]
    -- the description is always the last slot of a signature entry
    if verbose == 1 then print("Looking for " .. sig[#sig]) end
    if match_strings(u, sig, verbose) == 1 then
      hit = 1
      -- quiet mode only needs a verdict; verbose mode lists every hit
      if verbose == 0 then break end
    end
  end
  return hit
end
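-- Scan an in-memory ZIP (PPTX) for suspicious OLE embeddings.
-- t       : the raw ZIP bytes (common() has already checked the PK magic)
-- verbose : 1 prints progress and scans every member, 0 stops at the first hit
-- Returns 1 if any "ppt/embeddings/oleObject*" member matches a susp_class
-- signature, otherwise 0.
-- The buffer is spooled to a temp file because the zip binding used here is
-- handed a path. Every exit path closes the archive and removes that file;
-- the previous version returned early on a hit in quiet mode and leaked both.
function ppt_handler(t,verbose)
  local rtn = 0
  -- NOTE(review): os.tmpname() is predictable on builds that use tmpnam()
  -- rather than mkstemp(); confirm the runtime before deploying on a shared host.
  local tmpname = os.tmpname()
  -- 'wb' so no newline translation can corrupt the archive on Windows
  local tmp, oerr = io.open(tmpname, 'wb')
  if not tmp then
    if oerr then print(oerr) end
    os.remove(tmpname)
    return rtn
  end
  tmp:write(t)
  tmp:close()
  local z, err = zip.open(tmpname)
  if z then
    for w in z:files() do
      if string.find(w.filename, "ppt/embeddings/oleObject", 1, true) then
        local f = z:open(w.filename)
        if f then
          local u = f:read("*all")
          f:close()
          if verbose == 1 then print("Checking " .. w.filename) end
          if find_ole_with_inf_smb(u, w.filename, verbose) == 1 then
            rtn = 1
            -- quiet callers only want a verdict: stop scanning, fall through to cleanup
            if verbose == 0 then break end
          end
        end
      end
    end
  end
  if err then print(err) end
  if z then z:close() end
  os.remove(tmpname)
  return rtn
end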
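-- Dispatch on file magic. Only ZIP containers (OOXML such as PPTX) are
-- inspected; anything else is reported clean.
-- t       : the file / response-body bytes
-- o       : offset supplied by the caller (unused; kept for the match()/run()
--           call sites)
-- verbose : passed through to ppt_handler
-- Returns 1 on a detection, 0 otherwise.
function common(t,o,verbose)
  -- local: the original assigned a global rtn as a side effect
  local rtn = 0
  -- "PK\003\004" is the ZIP local-file-header signature
  if string.sub(t, 1, 4) == "PK\003\004" then
    rtn = ppt_handler(t, verbose)
  end
  return rtn
end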
-- Engine hook: called with the buffers requested in init().
-- args["http.response_body"] is coerced to a string and scanned quietly
-- (verbose = 0); args["offset"] is forwarded untouched.
-- Returns common()'s verdict: 1 on a detection, 0 otherwise.
function match(args)
  local body = tostring(args["http.response_body"])
  return common(body, args["offset"], 0)
end
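-- Standalone entry point: scan the file named on the command line verbosely.
-- Usage: echo "run()" | luajit -i <script name> <file>
-- Prints a usage line and returns 0 when no path is given; otherwise raises a
-- clear error if the file cannot be opened (the original indexed a nil handle)
-- and returns common()'s verdict.
function run()
  local path = arg and arg[1]
  if not path then
    print("usage: echo \"run()\" | luajit -i <script name> <file>")
    return 0
  end
  -- 'rb' reads the archive byte-for-byte on every platform
  local f = assert(io.open(path, "rb"))
  local t = f:read("*all")
  f:close()
  return common(t, 4, 1)
end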