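// Port of the Microsoft Defender signature Exploit:MacOS/CVE-2016-4625.A!MTB
// (a Mach-O string signature, per the SIGNATURE_TYPE_MACHOHSTR_EXT tag kept in meta).
//
// YARA rule identifiers are restricted to [A-Za-z_][A-Za-z0-9_]*. The generated name
// "Exploit_MacOS_CVE-2016-4625_A_MTB" contained hyphens and therefore failed to compile;
// the hyphens are replaced with underscores here. The original Defender name is preserved
// verbatim in the description field.
rule Exploit_MacOS_CVE_2016_4625_A_MTB {
    meta:
        // Defender signature name, signature type and raw flag bytes, copied unchanged
        // so the rule can be traced back to its source definition.
        description = "Exploit:MacOS/CVE-2016-4625.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,05 00 05 00 05 00 00 "

    strings:
        // Every pattern below is plain ASCII encoded as a hex string; the decoded text is
        // given on the right. The "//1" weight of the original signature is noted as well.
        // These read like progress messages a proof-of-concept exploit prints to its console,
        // so the rule is cheap and precise against the unmodified build but trivially evaded
        // once the messages are changed or removed (e.g. a rebuilt or stripped binary).
        $a_00_0 = {63 68 69 6c 64 20 72 65 63 65 69 76 69 6e 67 20 73 74 6f 6c 65 6e 20 70 6f 72 74 } // weight 1: "child receiving stolen port"
        $a_01_1 = {69 6e 73 65 72 74 69 6e 67 20 4d 41 4b 45 5f 53 45 4e 44 20 69 6e 74 6f 20 73 68 61 72 65 64 20 70 6f 72 74 } // weight 1: "inserting MAKE_SEND into shared port"
        $a_00_2 = {67 6f 74 20 75 73 65 72 20 63 6c 69 65 6e 74 } // weight 1: "got user client"
        $a_00_3 = {67 65 74 74 69 6e 67 20 73 74 61 73 68 65 64 20 70 6f 72 74 } // weight 1: "getting stashed port"
        $a_00_4 = {6b 69 6c 6c 65 64 20 63 68 69 6c 64 } // weight 1: "killed child"

    condition:
        // The Defender signature gives each of the five strings weight 1 and fires at a
        // total of 5, i.e. every string must be present. The mechanical port wrote
        // "present" as (#s & 1) summed against >= 5. That expression is the PARITY of the
        // occurrence count, not presence: a string found an even number of times (for
        // example twice) contributed 0, so such a file silently failed to match.
        // "all of them" is the intended semantics: each string occurs at least once.
        //
        // NOTE(review): the Defender signature type name suggests it is scoped to Mach-O
        // files. This port has no file-type guard, so it also fires on text (source files,
        // logs, documentation) that merely quotes these messages. Add a Mach-O magic /
        // module check only if the deployment needs that narrower scope.
        all of them
}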