13 lines
652 B
Plaintext
13 lines
652 B
Plaintext
|
|
rule Exploit_Win32_CVE-2020-0796_MTB{
|
|
meta:
|
|
description = "Exploit:Win32/CVE-2020-0796!MTB,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {4c 8d 85 00 01 00 00 ba 20 00 00 00 48 8b c8 ff 15 c3 18 00 00 48 8b b5 00 01 00 00 b8 14 00 00 00 } //1
|
|
$a_01_1 = {e9 9c 00 00 00 33 d2 c7 44 24 20 40 00 00 00 41 b9 00 30 00 00 41 b8 00 10 00 00 48 8b cb ff 15 41 1c 00 00 48 8b f8 48 85 c0 75 09 48 8d 0d 1a 20 00 00 } //1
|
|
$a_01_2 = {eb 6c 48 89 b4 24 00 02 00 00 4c 8d 45 70 33 f6 48 8b d7 48 8b cb 48 89 74 24 20 44 8d 4e 6c ff 15 fd 1b 00 00 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1) >=3
|
|
|
|
} |