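// Machine-converted signature for the detection name "Exploit:BAT/CVE-2013-0074.G"
// (signature type PEHSTR_EXT, as recorded in the description field below).
//
// Changes from the converted original:
//   * The rule was named Exploit_BAT_CVE-2013-0074_G. YARA identifiers may
//     only contain letters, digits and underscores, so the hyphens made the
//     rule fail to compile. They are replaced with underscores; the original
//     detection name is still carried verbatim in `description`.
//   * The condition was a sum of "(#string & 1) * 1" terms compared with 5.
//     "#string & 1" is the parity of the match count, so a string that
//     occurred an even number of times contributed nothing and a matching
//     sample could be missed. Every term carried the same multiplier of 1,
//     so the presence-based form "5 of ($a_01_*)" expresses the same
//     threshold without the parity gap.
//
// NOTE(review): the rule has no file-type or size constraint, and two of the
// six strings ($a_01_3, $a_01_4) are short. The 5-of-6 threshold is what keeps
// it specific; do not lower it without testing against clean XAML packages.
rule Exploit_BAT_CVE_2013_0074_G {
    meta:
        // Kept byte-for-byte. The trailing hex presumably encodes the
        // threshold (05) and the string count (06) - confirm against the
        // converter that produced this file.
        description = "Exploit:BAT/CVE-2013-0074.G,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 "

    strings:
        // The "//1" annotation of the original is kept as "weight 1"
        // (presumably the per-string weight). $a_01_0..2 are single-byte
        // ASCII; $a_01_3..5 are UTF-16LE (every character followed by 00).
        $a_01_0 = {78 3a 43 6c 61 73 73 3d 22 68 73 61 79 74 76 78 77 31 37 2e 41 70 70 22 } // weight 1: x:Class="hsaytvxw17.App"
        $a_01_1 = {68 73 61 79 74 76 78 77 31 37 2e 67 2e 72 65 73 6f 75 72 63 65 73 } // weight 1: hsaytvxw17.g.resources
        $a_01_2 = {78 6d 6c 6e 73 3a 6c 6f 63 61 6c 3d 22 75 73 69 6e 67 3a 41 6c 61 72 6d 50 72 6f 22 } // weight 1: xmlns:local="using:AlarmPro"
        $a_01_3 = {75 00 72 00 69 00 61 00 2e 00 70 00 6f 00 6f 00 68 00 } // weight 1: uria.pooh (UTF-16LE)
        $a_01_4 = {70 00 65 00 64 00 65 00 35 00 } // weight 1: pede5 (UTF-16LE)
        $a_01_5 = {2f 00 68 00 73 00 61 00 79 00 74 00 76 00 78 00 77 00 31 00 37 00 3b 00 63 00 6f 00 6d 00 70 00 6f 00 6e 00 65 00 6e 00 74 00 2f 00 4d 00 61 00 69 00 6e 00 50 00 61 00 67 00 65 00 2e 00 78 00 61 00 6d 00 6c 00 } // weight 1: /hsaytvxw17;component/MainPage.xaml (UTF-16LE)

    condition:
        // At least five of the six markers must be present, however many
        // times each one occurs.
        5 of ($a_01_*)
}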