Last active
August 19, 2022 16:01
-
-
Save decalage2/a87b02581c28013d51585639cd21bfd0 to your computer and use it in GitHub Desktop.
Simple script to detect CVE-2021-40444 URLs using oletools
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # simple script to detect CVE-2021-40444 exploits in DOCX using oletools | |
| # v0.01 Philippe Lagadec 2021-09-09 | |
| # IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in remote objects URLs. | |
| # But it is not confirmed yet if this detection is generic enough, for example if "mhtml:" is not mandatory. | |
| # Moreover, for now only Office 2007+ files are supported. | |
| # Detection for other file types (RTF, Office 97-2003, ...) will be implemented later. | |
| import sys, zipfile | |
| from oletools import oleobj, ooxml | |
| filename = sys.argv[1] | |
| if zipfile.is_zipfile(filename): | |
| xml_parser = ooxml.XmlParser(filename) | |
| for relationship, target in oleobj.find_external_relationships(xml_parser): | |
| print("Found relationship '%s' with external link %s" % (relationship, target)) | |
| if target.startswith('mhtml:'): | |
| print("Potential exploit for CVE-2021-40444") | |
| else: | |
| print("This is not an Office 2007+ file.") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Good