-
Notifications
You must be signed in to change notification settings - Fork 18
/
CVE-2015-2558.lua
96 lines (87 loc) · 2.94 KB
/
CVE-2015-2558.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
--[[
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Detection for CVE-2015-2558 expects Compressed Office Excel (e.g., xlsx)
This lua script can be run standalone and verbosely on a Flash file with
echo "run()" | luajit -i <script name> <office file>
Darien Huss
--]]
require("zip")
function init (args)
local needs = {}
needs["http.response_body"] = tostring(true)
return needs
end
--http://snippets.luacode.org/?p=snippets/String_to_Hex_String_68
function HexDumpString(str,spacer)
return (
string.gsub(str,"(.)",
function (c)
return string.format("%02X%s",string.byte(c), spacer or "\\")
end)
)
end
function doc_handler(t,verbose)
rtn = 0
tmpname = os.tmpname()
tmp = io.open(tmpname,'w')
tmp:write(t)
tmp:close()
z,err = zip.open(tmpname)
local buffers = {}
if z then
for w in z:files() do
if string.find(w.filename,"xl/workbook.xml",0,true) then
f = z:open(w.filename);
u = f:read("*all")
--convert to lowercase
u = u:lower()
f:close()
if (verbose==1) then print("Checking " .. w.filename) end
if string.find(u,"</fileversion>",0,true) and string.find(u,"<fileversion",0,true) then
for table in string.gmatch(u,"<fileversion[^>]*>(.-)</fileversion>") do
if string.len(table) >= 2625 then
if (verbose==1) then print("Found possible CVE-2015-2558") end
rtn2 = 1
end
end
end
if (verbose == 0) then
if rtn2 == 1 then return 1 end
end
if rtn2 == 1 then rtn = rtn2 end
end
end
end
if err then print(err) end
if z then z:close() end
os.remove(tmpname)
return rtn
end
function common(t,o,verbose)
rtn = 0
if string.sub(t,1,4) == "PK\003\004" then
rtn = doc_handler(t,verbose)
end
return rtn
end
function match(args)
local t = tostring(args["http.response_body"])
local o = args["offset"]
return common(t,o,0)
end
function run()
local f = io.open(arg[1])
local t = f:read("*all")
f:close()
common(t,4,1)
end