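// Exploit:MacOS/CVE-2016-1757.A!xp — converted from a Microsoft Defender
// MACHOHSTR_EXT (Mach-O high-string) signature; the original signature header
// is preserved verbatim in meta.description. Four independent artifacts are
// required, so a partial match on any one of them alone does not fire.
//
// NOTE(review): the rule name contains hyphens, which stock YARA does not
// accept in identifiers. It is kept unchanged here because it is the rule's
// external name, but confirm the intended compiler tolerates it.
rule Exploit_MacOS_CVE-2016-1757_A_xp{
meta:
description = "Exploit:MacOS/CVE-2016-1757.A!xp,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 04 00 00 "
strings :
// Shell command that deletes a kernel extension. The original hex literal is
// entirely lowercase ("/library/extensions/acs6x.kext"). YARA byte and text
// strings are case-sensitive by default, so the conventional macOS spelling
// "/Library/Extensions/ACS6x.kext" would NOT match the original literal.
// NOTE(review): nocase presumes the originating engine compared this string
// case-insensitively — confirm against a known sample before relying on it.
$a_00_0 = "rm -rf /library/extensions/acs6x.kext" ascii nocase
// x86-64 code fragment. The ?? bytes and [0-N] jumps leave rel32 call/data
// displacements and small register-move variations unconstrained so that
// relinking or minor recompilation does not defeat the match.
$a_02_1 = {c7 85 74 ff ff ff 09 00 00 00 c7 85 70 ff ff ff 00 00 00 00 48 c7 85 68 ff ff ff 00 10 00 00 48 c7 85 38 ff ff ff 00 00 00 00 48 [0-10] 24 b9 09 00 00 00 44 89 ff 48 8d b5 38 ff ff ff [0-08] 4d 89 e8 4d 89 f1 e8 ?? 02 00 00 48 8b 9d 38 ff ff ff 48 8b 85 60 ff ff ff 48 89 d9 48 c1 e9 21 75 ?? 48 39 c3 74 ?? 48 03 1d ?? 0b 00 00 ?? 8b 35 ?? 0b 00 00 [0-03] 31 c9 41 b8 07 00 00 00 44 89 ff 48 89 de [0-03] e8 ?? 02 00 00 48 8b 15 ?? 0b 00 00 44 89 ff 48 89 de 44 89 f1 e8 ?? 02 00 00 48 81 c4 a8 00 00 00 5b }
// Status string present in the binary (exact, case-sensitive).
$a_00_2 = "child restored stolen port" ascii
// Second x86-64 code fragment, fully fixed (no wildcards). Includes rel32
// call displacements, so a relinked build may not match this one.
$a_00_3 = {48 8d 3d 4c 0c 00 00 e8 17 07 00 00 0f 57 c0 0f 29 45 c0 0f 29 45 b0 0f 29 45 a0 44 8b 45 f0 c7 04 24 00 00 00 00 48 8d 7d a0 be 02 00 00 00 31 d2 b9 30 00 00 00 45 31 c9 e8 af 06 00 00 85 c0 75 48 8b 55 bc 85 d2 74 4a 8b 3b be 04 00 00 00 e8 e6 06 00 00 85 c0 75 50 48 8d 3d 33 0c 00 00 e8 be 06 00 00 8b 45 f4 48 83 c4 68 5b 5d c3 }
condition:
// The auto-generated condition was ((#a_00_0 & 1)*1 + ... ) >= 4. Because
// (#x & 1) is the low bit of the match COUNT, each term is 1 only when the
// string occurs an odd number of times: a binary that contains any of these
// strings exactly twice (e.g. a duplicated string table entry) would evade
// the rule. The signature's intent is presence, so require all four strings
// regardless of how many times each occurs. This is a strict superset of the
// original condition — no existing detection is lost.
all of them
}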