14 lines
974 B
Plaintext
14 lines
974 B
Plaintext
|
|
rule Exploit_O97M_CVE-2017-11882_MUT_MTB{
|
|
meta:
|
|
description = "Exploit:O97M/CVE-2017-11882.MUT!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {6d 75 33 38 73 77 69 66 32 20 3d 20 6d 75 33 38 73 77 69 66 32 20 26 20 22 76 72 68 35 6b 72 79 79 6a 34 6b 69 77 71 36 75 69 20 3d 20 22 22 } //1 mu38swif2 = mu38swif2 & "vrh5kryyj4kiwq6ui = ""
|
|
$a_03_1 = {2b 20 76 62 43 72 4c 66 90 0c 02 00 6d 75 33 38 73 77 69 66 32 20 3d 20 6d 75 33 38 73 77 69 66 32 20 26 20 22 76 72 68 35 6b 72 79 79 6a 34 6b 69 77 71 36 75 69 20 3d 20 22 22 } //1
|
|
$a_03_2 = {2b 20 76 62 43 72 4c 66 90 0c 02 00 6d 75 33 38 73 77 69 66 32 20 3d 20 6d 75 33 38 73 77 69 66 32 20 26 20 22 62 67 66 6a 65 72 79 68 6a 35 37 72 36 75 6a 35 35 6a 72 79 36 6a 72 20 3d 20 22 22 } //1
|
|
$a_01_3 = {2b 20 22 22 61 73 65 22 22 22 20 2b 20 76 62 43 72 4c 66 } //1 + ""ase""" + vbCrLf
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
|
|
|
} |