def test_iprange():
privates = ["10.10.10.10", "10.80.10.30",
"172.16.16.16", "172.22.22.22", "172.30.30.30",
"192.168.0.1", "192.168.245.245"]
reserved = ["0.1.1.1", "100.64.0.1", "127.0.0.1", "169.254.1.1", "192.0.0.1", "192.0.2.0", "192.88.99.1",
"198.19.1.1", "198.51.100.33", "203.0.113.20", "241.0.0.1", "225.1.1.1", "255.255.255.255"]
public = ["44.33.44.33", "192.1.1.1", "111.111.111.111", "203.203.203.203", "199.199.199.199", "223.223.223.223"]
for ip in privates:
assert is_ip_private(ip)
for ip in reserved:
assert is_ip_reserved(ip)
for ip in public:
assert not is_ip_reserved(ip) and not is_ip_private(ip)
def validate_url(url):
try:
parsed = urlparse(url)
except Exception:
raise InvalidUrlException('Url provided is invalid.')
host = parsed.hostname or parsed.netloc
try:
cur_ip = socket.gethostbyname(host)
except socket.gaierror:
cur_ip = '127.0.0.1'
if is_ip_reserved(cur_ip) or cur_ip == MYIP:
raise ForbiddenLocation("Location '%s' cannot be resolved." % host)
def parse_uri(self, check_uri):
m = self.uri_re.match(check_uri)
if m is None:
return False
else:
full_uri = m.group(0)
proto, uri = full_uri.split('://', 1)
if proto == 'file':
return False
scorable = False
if "http://purl.org/" not in full_uri and \
"http://xml.org/" not in full_uri and \
".openxmlformats.org/" not in full_uri and \
".oasis-open.org/" not in full_uri and \
".xmlsoap.org/" not in full_uri and \
".microsoft.com/" not in full_uri and \
".w3.org/" not in full_uri and \
".gc.ca/" not in full_uri and \
".mil.ca/" not in full_uri:
self.ole_result.add_tag(TAG_TYPE.NET_FULL_URI,
full_uri,
TAG_WEIGHT.MED,
usage=TAG_USAGE.CORRELATION)
scorable = True
domain = self.domain_re.match(uri)
ip = self.ip_re.match(uri)
if ip:
ip_str = ip.group(1)
if not is_ip_reserved(ip_str):
self.ole_result.add_tag(TAG_TYPE.NET_IP,
ip_str,
TAG_WEIGHT.HIGH,
usage=TAG_USAGE.CORRELATION)
elif domain:
dom_str = domain.group(1)
self.ole_result.add_tag(TAG_TYPE.NET_DOMAIN_NAME,
dom_str,
TAG_WEIGHT.HIGH,
usage=TAG_USAGE.CORRELATION)
return scorable
def macro_scorer(self, text):
self.log.debug("Macro scorer running")
score_section = None
try:
vba_scanner = VBA_Scanner(text)
vba_scanner.scan(include_decoded_strings=True)
for string in self.ADDITIONAL_SUSPICIOUS_KEYWORDS:
if re.search(string, text, re.IGNORECASE):
# play nice with detect_suspicious from olevba.py
vba_scanner.suspicious_keywords.append((string, 'May download files from the Internet'))
stringcount = len(vba_scanner.autoexec_keywords) + len(vba_scanner.suspicious_keywords) + \
len(vba_scanner.iocs)
if stringcount > 0:
score_section = ResultSection(SCORE.NULL, "Interesting macro strings found")
if len(vba_scanner.autoexec_keywords) > 0:
subsection = ResultSection(min(self.MAX_STRING_SCORE,
SCORE.LOW * len(vba_scanner.autoexec_keywords)),
"Autoexecution strings")
for keyword, description in vba_scanner.autoexec_keywords:
subsection.add_line(keyword)
subsection.add_tag(TAG_TYPE.OLE_MACRO_SUSPICIOUS_STRINGS,
keyword, TAG_WEIGHT.HIGH,
usage=TAG_USAGE.IDENTIFICATION)
score_section.add_section(subsection)
if len(vba_scanner.suspicious_keywords) > 0:
subsection = ResultSection(min(self.MAX_STRING_SCORE,
SCORE.MED * len(vba_scanner.suspicious_keywords)),
"Suspicious strings or functions")
for keyword, description in vba_scanner.suspicious_keywords:
subsection.add_line(keyword)
subsection.add_tag(TAG_TYPE.OLE_MACRO_SUSPICIOUS_STRINGS,
keyword, TAG_WEIGHT.HIGH,
usage=TAG_USAGE.IDENTIFICATION)
score_section.add_section(subsection)
if len(vba_scanner.iocs) > 0:
subsection = ResultSection(min(500, SCORE.MED * len(vba_scanner.iocs)),
"Potential host or network IOCs")
scored_macro_uri = False
for keyword, description in vba_scanner.iocs:
# olevba seems to have swapped the keyword for description during iocs extraction
# this holds true until at least version 0.27
subsection.add_line("{}: {}".format(keyword, description))
desc_ip = self.ip_re.match(description)
if self.parse_uri(description) is True:
scored_macro_uri = True
elif desc_ip:
ip_str = desc_ip.group(1)
if not is_ip_reserved(ip_str):
scored_macro_uri = True
subsection.add_tag(TAG_TYPE.NET_IP,
ip_str,
TAG_WEIGHT.HIGH,
usage=TAG_USAGE.CORRELATION)
score_section.add_section(subsection)
if scored_macro_uri and self.scored_macro_uri is False:
self.scored_macro_uri = True
scored_uri_section = ResultSection(score=500,
title_text="Found network indicator(s) within macros")
self.ole_result.add_section(scored_uri_section)
except Exception as e:
self.log.debug("OleVBA VBA_Scanner constructor failed: {}".format(str(e)))
return score_section