DefenderYara/Exploit/Win64/CVE-2023-21752/Exploit_Win64_CVE-2023-2175...

rule Exploit_Win64_CVE-2023-21752_C{
meta:
description = "Exploit:Win64/CVE-2023-21752.C,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "
strings :
// Three hex patterns for the detection named in the description field (SIGNATURE_TYPE_PEHSTR_EXT).
// The trailing "//1" on each line presumably records the per-string weight; the condition multiplies each term by 1.
// NOTE(review): the recurring "90 01 NN" runs and the closing "90 00" look like Defender PEHSTR_EXT
// pattern markers (skip NN bytes / end of pattern) rather than instruction bytes — confirm against the
// signature format. Stock YARA reads every byte here literally, so as written these strings only match
// files that contain those exact marker bytes; translate the markers into YARA jumps ([NN]) and drop the
// terminator before relying on this rule for detection.
$a_03_0 = {89 56 30 ff 90 01 05 45 33 c9 45 33 c0 33 d2 48 89 46 50 33 c9 ff 90 01 05 48 89 3e 48 89 46 20 48 83 ff ff 90 01 02 45 33 c0 90 01 07 48 8b d6 ff 90 01 05 48 89 46 58 48 85 c0 90 01 02 48 8b 56 20 45 33 c0 48 8b c8 ff 90 01 05 48 8b 0e 90 01 04 48 89 6c 24 38 44 8b cb 4c 89 64 24 30 ba 40 02 09 00 44 89 6c 24 28 4c 89 7c 24 20 ff 90 01 05 ff 90 01 05 3d e5 03 00 00 90 00 } //1
$a_03_1 = {45 33 c9 48 89 74 24 30 c7 44 24 28 80 00 00 00 90 01 07 ba 00 00 00 40 c7 44 24 20 02 00 00 00 90 01 04 ff 90 01 05 44 8b 05 a7 58 02 00 45 33 c9 48 8b 15 95 58 02 00 48 8b c8 48 8b d8 48 89 74 24 20 ff 90 01 05 85 c0 90 01 07 48 90 01 06 48 0f 44 ca e8 90 01 04 48 8b cb ff 90 01 05 48 8b cf ff 90 01 05 e8 90 01 04 4c 90 01 06 b9 0f 00 00 00 90 01 07 ff 90 01 05 85 c0 90 00 } //1
$a_03_2 = {48 33 c4 48 89 44 24 38 33 c9 ff 90 01 05 b9 c8 00 00 00 e8 90 01 04 33 d2 90 01 07 48 8b d8 90 01 07 48 90 01 04 48 89 44 24 20 90 01 04 ff 90 01 05 85 c0 90 00 } //1
condition:
// Each term is (match count & 1) * 1, so a string contributes 1 only when its match count is odd.
// The three terms are summed and must reach 3, i.e. every string has to contribute.
// NOTE(review): a string that matches an even number of times (2, 4, ...) contributes 0, so the rule
// stays silent even though all three patterns are present. If the intent is "all three present",
// `all of them` expresses it without the parity dependence — confirm before changing.
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1) >=3
}