DefenderYara/Exploit/MacOS/Kfd/Exploit_MacOS_Kfd_A_MTB.yar


rule Exploit_MacOS_Kfd_A_MTB{
	meta:
		description = "Exploit:MacOS/Kfd.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 04 00 00 "
		
	strings :
		$a_01_0 = {6c 69 62 6b 66 64 2f 70 75 61 66 2e 68 } //1 libkfd/puaf.h
		$a_01_1 = {70 68 79 73 70 75 70 70 65 74 5f 72 75 6e } //1 physpuppet_run
		$a_01_2 = {66 6f 75 6e 64 5f 74 61 72 67 65 74 5f 68 6f 6c 65 } //1 found_target_hole
		$a_01_3 = {73 6d 69 74 68 5f 72 75 6e } //1 smith_run
	condition:
		((#a_01_0  & 1)*1+(#a_01_1  & 1)*1+(#a_01_2  & 1)*1+(#a_01_3  & 1)*1) >=4
 
}
init 2024-02-05 06:12:47 -08:00
			`rule Exploit_MacOS_Kfd_A_MTB{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "Exploit:MacOS/Kfd.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 04 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			`$a_01_0 = {6c 69 62 6b 66 64 2f 70 75 61 66 2e 68 } //1 libkfd/puaf.h`
			`$a_01_1 = {70 68 79 73 70 75 70 70 65 74 5f 72 75 6e } //1 physpuppet_run`
			`$a_01_2 = {66 6f 75 6e 64 5f 74 61 72 67 65 74 5f 68 6f 6c 65 } //1 found_target_hole`
			`$a_01_3 = {73 6d 69 74 68 5f 72 75 6e } //1 smith_run`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_01_0 & 1)1+(#a_01_1 & 1)1+(#a_01_2 & 1)1+(#a_01_3 & 1)1) >=4`
init 2024-02-05 06:12:47 -08:00
			`}`