Signature Dev using for RTF zero day CVE-2017-8759

After reading the FireEye blog on CVE-2017-8759 we decided to quickly write a signature for the new (though not yet widely used, and now patched) zero-day. We decided to use , naturally.

First we searched for the FireEye-reported hash fe5c4d6bb78e170abf5cf3741868ea4c in . The first hex block looks interesting:

Clicking the sha256 link brings up the hex view; it's an OLE document embedded in the RTF. We can see a WSDL link, and the highlighted hex turns out to be part of the class ID, rendered as c7b0abec-197f-d211-978e-0000f8757e2a. Reversing the byte order of the first three blocks gives the SoapMoniker class ID ECABB0C7-7F19-11D2-978E-0000F8757E2A. This handy list reveals the SoapMoniker class:

After some testing, we pushed out a CVE-2017-8759 signature to and the free open source version .
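The byte-order flip described above, as an added example (not code from the original post): a GUID is stored on disk with its first three fields little-endian, so the bytes seen in a hex view must be reversed field-by-field to recover the registry-form CLSID. The second half does the reverse for detection, scanning a buffer for the on-disk encoding of known CLSIDs; the one-entry CLSID table and the sample OLE-like buffer are constructed for this example.

```python
import uuid

# Known CLSIDs in canonical (registry) form; SoapMoniker is the one from the post.
KNOWN_CLSIDS = {
    "SoapMoniker": "ECABB0C7-7F19-11D2-978E-0000F8757E2A",
}


def clsid_from_le_bytes(raw: bytes) -> str:
    """Convert the 16 on-disk GUID bytes (Data1..Data3 little-endian) to canonical text."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    # bytes_le tells uuid to reverse the 4-, 2- and 2-byte fields; Data4 is kept as-is.
    return str(uuid.UUID(bytes_le=raw)).upper()


def clsid_to_le_bytes(clsid: str) -> bytes:
    """Inverse: canonical CLSID string -> byte sequence as it appears inside an OLE stream."""
    return uuid.UUID(clsid).bytes_le


def hexview_to_clsid(hex_as_seen: str) -> str:
    """Take a hex run copied from a hex viewer (dashes/spaces allowed) and return the real CLSID."""
    cleaned = hex_as_seen.replace("-", "").replace(" ", "")
    return clsid_from_le_bytes(bytes.fromhex(cleaned))


def find_clsids(blob: bytes, known: dict = KNOWN_CLSIDS) -> list:
    """Scan a buffer for the little-endian encoding of each known CLSID.

    Returns sorted (offset, name) tuples; this is the core of a byte-pattern signature.
    """
    hits = []
    for name, clsid in known.items():
        needle = clsid_to_le_bytes(clsid)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


# Constructed sample: 8 bytes of padding, the on-disk SoapMoniker CLSID, then a WSDL-ish tail.
SAMPLE_BLOB = b"\x00" * 8 + bytes.fromhex("c7b0abec197fd211978e0000f8757e2a") + b"wsdl=http://"

if __name__ == "__main__":
    print(hexview_to_clsid("c7b0abec-197f-d211-978e-0000f8757e2a"))
    print(find_clsids(SAMPLE_BLOB))
```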