14 lines
1.0 KiB
Plaintext
14 lines
1.0 KiB
Plaintext
|
|
rule Exploit_O97M_CVE-2017-11882_CNG_MTB{
|
|
meta:
|
|
description = "Exploit:O97M/CVE-2017-11882.CNG!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {53 75 62 20 41 75 74 6f 5f 4f 70 65 6e 28 29 90 0c 02 00 44 69 6d 20 63 6e 67 66 6a 6d 64 65 74 74 74 67 64 65 6a 74 6a 65 74 68 74 28 32 30 30 29 20 41 73 20 53 74 72 69 6e 67 } //1
|
|
$a_01_1 = {63 6e 67 66 6a 6d 64 65 74 74 74 67 64 65 6a 74 6a 65 74 68 74 28 33 29 20 3d 20 22 65 47 59 49 4f 43 4a 49 68 47 4a 45 4f 47 63 49 4f 43 4a 61 63 46 4a 61 50 20 3d 20 70 22 } //1 cngfjmdetttgdejtjetht(3) = "eGYIOCJIhGJEOGcIOCJacFJaP = p"
|
|
$a_01_2 = {63 6e 67 66 6a 6d 64 65 74 74 74 67 64 65 6a 74 6a 65 74 68 74 28 33 35 29 20 3d 20 22 } //1 cngfjmdetttgdejtjetht(35) = "
|
|
$a_01_3 = {3d 20 43 72 65 61 74 65 50 72 6f 63 65 73 73 41 28 30 26 2c 20 63 6d 64 6c 69 6e 65 24 2c 20 30 26 2c 20 30 26 2c 20 31 26 2c 20 5f } //1 = CreateProcessA(0&, cmdline$, 0&, 0&, 1&, _
|
|
condition:
|
|
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
|
|
|
} |