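// Converted from the Microsoft Defender signature named in `description`
// (Exploit:MacOS/CVE-2016-4625.A!MTB, type SIGNATURE_TYPE_MACHOHSTR_EXT).
// The five strings read like status/debug messages, so the rule identifies
// one particular build of a tool rather than the vulnerability itself.
//
// NOTE(review): YARA identifiers may contain only letters, digits and
// underscores, so the hyphens in this rule name keep the rule from compiling.
// The published name is left unchanged here; replace "-" with "_" when
// importing the rule into a rule set.
//
// NOTE(review): the signature type refers to Mach-O, but nothing below limits
// matches to Mach-O files. Consider a file-format check when scanning mixed
// content.
rule Exploit_MacOS_CVE-2016-4625_A_MTB
{
    meta:
        description = "Exploit:MacOS/CVE-2016-4625.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,05 00 05 00 05 00 00 01 00 "

    strings:
        // Plain ASCII text, byte-for-byte equal to the hex patterns of the
        // original listing. "src" is the byte pair that listing carried after
        // each pattern.
        $a_00_0 = "child receiving stolen port" ascii            // src: 01 00
        $a_01_1 = "inserting MAKE_SEND into shared port" ascii   // src: 01 00
        $a_00_2 = "got user client" ascii                        // src: 01 00
        $a_00_3 = "getting stashed port" ascii                   // src: 01 00
        $a_00_4 = "killed child" ascii                           // src: 00 00

    condition:
        // Tightened from `any of ($a_*)`. Short generic phrases such as
        // "killed child" or "got user client" will appear in unrelated
        // software, so a single hit is weak evidence and a likely source of
        // false positives.
        // The description's leading "05 00" and the per-string "01 00" look
        // like a match threshold of 5 over five strings of weight 1. This is
        // an interpretation of the source signature bytes; confirm it against
        // the converter. Under that reading the original signature needs all
        // five strings, which is what this condition requires.
        all of ($a_*)
}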