// Detection rule for the Exploit:MacOS/CVE-2016-4625.A!MTB signature (name taken from the rule
// identifier and the meta description below). It is a plain string-match rule: every pattern is
// ASCII text, decoded in the trailing comment of each line.
// NOTE(review): the rule identifier contains hyphens, which standard YARA does not accept in
// identifiers — confirm the consuming tooling tolerates this name before loading the rule as-is.
rule Exploit_MacOS_CVE-2016-4625_A_MTB{
meta:
// The description carries the source signature type (SIGNATURE_TYPE_MACHOHSTR_EXT, i.e. a Mach-O
// string signature) and a trailing byte sequence that presumably encodes the source signature's
// thresholds/weights — verify against the converter; nothing in this YARA rule evaluates it.
description = "Exploit:MacOS/CVE-2016-4625.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,05 00 05 00 05 00 00 01 00 "
strings :
// Each string is given as raw hex bytes; the "//01 00" / "//00 00" prefix in the trailing comment
// looks like a per-string weight carried over from the source format and is NOT used by the
// condition below. The decoded text follows it.
$a_00_0 = {63 68 69 6c 64 20 72 65 63 65 69 76 69 6e 67 20 73 74 6f 6c 65 6e 20 70 6f 72 74 } //01 00 child receiving stolen port
$a_01_1 = {69 6e 73 65 72 74 69 6e 67 20 4d 41 4b 45 5f 53 45 4e 44 20 69 6e 74 6f 20 73 68 61 72 65 64 20 70 6f 72 74 } //01 00 inserting MAKE_SEND into shared port
$a_00_2 = {67 6f 74 20 75 73 65 72 20 63 6c 69 65 6e 74 } //01 00 got user client
$a_00_3 = {67 65 74 74 69 6e 67 20 73 74 61 73 68 65 64 20 70 6f 72 74 } //01 00 getting stashed port
$a_00_4 = {6b 69 6c 6c 65 64 20 63 68 69 6c 64 } //00 00 killed child
condition:
// NOTE(review): the rule fires on a single matching string. Short, generic strings such as
// "killed child" or "got user client" can plausibly occur in benign Mach-O binaries, so a hit
// on this rule alone is a triage signal, not a verdict; the source signature's weighting (see the
// meta description) is not reproduced here.
any of ($a_*)
}