DefenderYara/Exploit/WinNT/CVE-2012-0507/Exploit_WinNT_CVE-2012-0507...

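/*
    Detects Java class content associated with CVE-2012-0507 (the rule name and
    the AtomicReferenceArray string tie it to that CVE). Converted from the
    Microsoft Defender signature named in `description`.

    All six byte strings must be present. They are plain constant-pool text, so
    the rule only sees them in uncompressed class data: a class stored deflated
    inside a JAR has to be extracted before scanning.

    NOTE(review): $a_01_5 looks like a sample-specific token rather than a
    generic exploit trait. Because every string is mandatory, the rule will
    presumably match only the sample family that carries that exact literal.
    Confirm the intended coverage before relying on it as a generic
    CVE-2012-0507 detector.
*/
rule Exploit_WinNT_CVE-2012-0507_C
{
    meta:
        description = "Exploit:WinNT/CVE-2012-0507.C,SIGNATURE_TYPE_JAVAHSTR_EXT,06 00 06 00 06 00 00 "

    strings:
        // Each string carries weight 1 in the source signature.
        $a_01_0 = { 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 }       // "/atomic/AtomicReferenceArray"
        $a_01_1 = { 67 65 74 43 6c 61 73 73 4c 6f 61 64 65 72 }                                                 // "getClassLoader"
        $a_01_2 = { 4c 6a 61 76 61 78 2f 73 77 69 6e 67 2f 4a 4c 69 73 74 }                                     // "Ljavax/swing/JList"
        $a_01_3 = { 6a 61 76 61 2f 69 6f 2f 42 79 74 65 41 72 72 61 79 49 6e 70 75 74 53 74 72 65 61 6d }       // "java/io/ByteArrayInputStream"
        $a_01_4 = { 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 42 75 69 6c 64 65 72 }                   // "Ljava/lang/StringBuilder"
        $a_01_5 = { 40 32 63 35 34 36 31 31 35 36 36 62 61 61 39 66 36 38 37 63 66 38 66 66 62 62 61 38 32 63 34 63 } // "@2c54611566baa9f687cf8ffbba82c4c"

    condition:
        // Six strings of weight 1 against a threshold of 6 means every string
        // must be present. The converted form used `(#s & 1)`, which is the
        // parity of the match count: a string occurring an even number of
        // times (e.g. a type name repeated across several method descriptors)
        // contributed 0 and silently suppressed the detection. Test presence
        // instead.
        all of ($a_01_*)
}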