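/*
 * Three Microsoft Defender "SIGNATURE_TYPE_JAVAHSTR_EXT" signatures for
 * Exploit:WinNT/CVE-2013-0422, expressed as YARA rules.
 *
 * Each rule is a weighted string score: every string carries a weight
 * (kept in the trailing "// N" comment), the weights of the strings that
 * are present are summed, and the rule fires when the sum reaches the
 * threshold in the condition.  In the raw header bytes preserved in
 * `meta.description` the leading 16-bit little-endian value appears to be
 * that threshold (0x17 = 23, 0x1e = 30, 0x19 = 25) and the following byte
 * the number of strings (7, 11, 13) -- consistent across all three rules.
 *
 * Fixes relative to the collapsed original:
 *  - Rule identifiers contained '-' (Exploit_WinNT_CVE-2013-0422), which
 *    is not a legal character in a YARA identifier; '_' is used instead.
 *  - The original scored presence as `(#x & 1) * w`.  `#x & 1` is the low
 *    bit of the match COUNT, i.e. parity: a string that occurs an even
 *    number of times contributed 0 and could silently drop the score below
 *    threshold.  `math.min(#x, 1)` is a true presence indicator (0 or 1).
 *
 * The strings are class-file constant-pool entries (JVM internal names such
 * as java/lang/ClassLoader) and method/variable names typical of Java
 * applets abusing the CVE-2013-0422 sandbox escape (JMX MBeanServer and
 * java.lang.invoke.MethodHandles lookups used to reach restricted class
 * loading), together with dropper behaviour (write a payload under a Temp
 * path, run it, fetch it over http://).  Short, generic strings such as
 * ".tmp", "/temp/" and "http://" are weak on their own and carry low weight.
 */
import "math"

/* Variant 1: MBeanServer / ClassLoader path.
 * Threshold 23 equals the sum of all weights (5+5+5+2+2+2+2), so every
 * string must be present for this rule to fire. */
rule Exploit_WinNT_CVE_2013_0422
{
    meta:
        description = "Exploit:WinNT/CVE-2013-0422,SIGNATURE_TYPE_JAVAHSTR_EXT,17 00 17 00 07 00 00 "
    strings:
        $a_01_0 = { 6a 61 76 61 2f 69 6f 2f 42 79 74 65 41 72 72 61 79 4f 75 74 70 75 74 53 74 72 65 61 6d } //5 java/io/ByteArrayOutputStream
        $a_01_1 = { 6a 61 76 61 78 2f 6d 61 6e 61 67 65 6d 65 6e 74 2f 4d 42 65 61 6e 53 65 72 76 65 72 } //5 javax/management/MBeanServer
        $a_01_2 = { 6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 4c 6f 61 64 65 72 } //5 java/lang/ClassLoader
        $a_01_3 = { 6e 65 77 43 6c 61 73 73 } //2 newClass
        $a_03_4 = { 54 65 6d 70 [0-10] 6f 70 65 6e } //2 "Temp" followed within 10 bytes by "open"
        $a_03_5 = { 54 65 6d 70 [0-10] 65 78 65 70 75 74 } //2 "Temp" followed within 10 bytes by "exeput"
        $a_01_6 = { 62 6f 74 72 34 34 34 7a 61 6e 6f 35 } //2 botr444zano5 (sample-specific identifier)
    condition:
        // math.min(#x, 1) is 1 when the string occurs at least once, else 0.
        (
            math.min(#a_01_0, 1) * 5 +
            math.min(#a_01_1, 1) * 5 +
            math.min(#a_01_2, 1) * 5 +
            math.min(#a_01_3, 1) * 2 +
            math.min(#a_03_4, 1) * 2 +
            math.min(#a_03_5, 1) * 2 +
            math.min(#a_01_6, 1) * 2
        ) >= 23
}

/* Variant 2: reflection / Runtime dropper path.
 * Weights total 31 against a threshold of 30, so all 5- and 2-weighted
 * strings are required and at most one of the three 1-weighted strings
 * may be absent. */
rule Exploit_WinNT_CVE_2013_0422_2
{
    meta:
        description = "Exploit:WinNT/CVE-2013-0422,SIGNATURE_TYPE_JAVAHSTR_EXT,1e 00 1e 00 0b 00 00 "
    strings:
        $a_01_0 = { 6a 61 76 61 2f 69 6f 2f 46 69 6c 65 4f 75 74 70 75 74 53 74 72 65 61 6d } //5 java/io/FileOutputStream
        $a_01_1 = { 6a 61 76 61 2f 6c 61 6e 67 2f 72 65 66 6c 65 63 74 2f 4d 65 74 68 6f 64 } //5 java/lang/reflect/Method
        $a_01_2 = { 6a 61 76 61 2f 6e 69 6f 2f 63 68 61 6e 6e 65 6c 73 2f 46 69 6c 65 43 68 61 6e 6e 65 6c } //5 java/nio/channels/FileChannel
        $a_01_3 = { 6a 61 76 61 2f 6c 61 6e 67 2f 52 75 6e 74 69 6d 65 } //5 java/lang/Runtime
        $a_03_4 = { 72 65 66 6c 65 63 74 ?? 43 6f 6e 73 74 72 75 63 74 6f 72 } //2 "reflect" + one wildcard byte + "Constructor" (likely the '/' of reflect/Constructor)
        $a_03_5 = { 43 6f 6e 73 74 72 75 63 74 6f 72 [0-10] 6e 65 77 49 6e 73 74 61 6e 63 65 } //2 "Constructor" followed within 10 bytes by "newInstance"
        $a_03_6 = { 2e 70 68 70 [0-10] 3f 77 68 6f 6c 65 3d } //2 ".php" followed within 10 bytes by "?whole=" (payload URL pattern)
        $a_01_7 = { 67 65 74 52 75 6e 74 69 6d 65 } //2 getRuntime
        $a_01_8 = { 2e 74 6d 70 } //1 .tmp (weak, generic)
        $a_01_9 = { 2f 74 65 6d 70 2f } //1 /temp/ (weak, generic)
        $a_01_10 = { 68 74 74 70 3a 2f 2f } //1 http:// (weak, generic)
    condition:
        // math.min(#x, 1) is 1 when the string occurs at least once, else 0.
        (
            math.min(#a_01_0, 1) * 5 +
            math.min(#a_01_1, 1) * 5 +
            math.min(#a_01_2, 1) * 5 +
            math.min(#a_01_3, 1) * 5 +
            math.min(#a_03_4, 1) * 2 +
            math.min(#a_03_5, 1) * 2 +
            math.min(#a_03_6, 1) * 2 +
            math.min(#a_01_7, 1) * 2 +
            math.min(#a_01_8, 1) * 1 +
            math.min(#a_01_9, 1) * 1 +
            math.min(#a_01_10, 1) * 1
        ) >= 30
}

/* Variant 3: MethodHandles$Lookup / MethodType path.
 * Weights total 30 against a threshold of 25, so up to 5 weight points may
 * be missing -- including any single one of the 5-weighted class names. */
rule Exploit_WinNT_CVE_2013_0422_3
{
    meta:
        description = "Exploit:WinNT/CVE-2013-0422,SIGNATURE_TYPE_JAVAHSTR_EXT,19 00 19 00 0d 00 00 "
    strings:
        $a_01_0 = { 6a 61 76 61 2f 6c 61 6e 67 2f 69 6e 76 6f 6b 65 2f 4d 65 74 68 6f 64 48 61 6e 64 6c 65 73 24 4c 6f 6f 6b 75 70 } //5 java/lang/invoke/MethodHandles$Lookup
        $a_01_1 = { 6a 61 76 61 2f 6c 61 6e 67 2f 69 6e 76 6f 6b 65 2f 4d 65 74 68 6f 64 54 79 70 65 } //5 java/lang/invoke/MethodType
        $a_01_2 = { 6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 4c 6f 61 64 65 72 } //5 java/lang/ClassLoader
        $a_03_3 = { 54 65 6d 70 [0-10] 65 78 65 70 75 74 } //2 "Temp" followed within 10 bytes by "exeput"
        $a_01_4 = { 6c 6f 63 61 6c 4d 65 74 68 6f 64 48 61 6e 64 6c 65 } //2 localMethodHandle
        $a_01_5 = { 70 75 62 6c 69 63 4c 6f 6f 6b 75 70 } //1 publicLookup
        $a_01_6 = { 66 69 6e 64 56 69 72 74 75 61 6c } //1 findVirtual
        $a_01_7 = { 6c 6f 63 61 6c 43 6c 61 73 73 31 } //1 localClass1
        $a_01_8 = { 6c 6f 63 61 6c 4d 65 74 68 6f 64 54 79 70 65 31 } //1 localMethodType1
        $a_01_9 = { 62 6f 74 72 34 34 34 7a 61 6e 6f 35 } //2 botr444zano5 (sample-specific identifier)
        $a_01_10 = { 2e 74 6d 70 } //2 .tmp (weak, generic)
        $a_01_11 = { 2f 74 65 6d 70 2f } //2 /temp/ (weak, generic)
        $a_01_12 = { 68 74 74 70 3a 2f 2f } //1 http:// (weak, generic)
    condition:
        // math.min(#x, 1) is 1 when the string occurs at least once, else 0.
        (
            math.min(#a_01_0, 1) * 5 +
            math.min(#a_01_1, 1) * 5 +
            math.min(#a_01_2, 1) * 5 +
            math.min(#a_03_3, 1) * 2 +
            math.min(#a_01_4, 1) * 2 +
            math.min(#a_01_5, 1) * 1 +
            math.min(#a_01_6, 1) * 1 +
            math.min(#a_01_7, 1) * 1 +
            math.min(#a_01_8, 1) * 1 +
            math.min(#a_01_9, 1) * 2 +
            math.min(#a_01_10, 1) * 2 +
            math.min(#a_01_11, 1) * 2 +
            math.min(#a_01_12, 1) * 1
        ) >= 25
}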