DefenderYara/Exploit/Win32/RpcDcom/Exploit_Win32_RpcDcom.yar


// Defender family Exploit:Win32/RpcDcom, converted from a PEHSTR signature.
// Each $a_01_N is a literal byte pattern; the number in its trailing "//w"
// comment is the weight that the condition adds when the pattern is present.
rule Exploit_Win32_RpcDcom{
meta:
// Raw header of the original PEHSTR entry. The word 08 00 agrees with the
// eight strings declared below and 03 00 with the >=3 threshold in the
// condition; the meaning of the leading 05 00 is not documented here.
description = "Exploit:Win32/RpcDcom,SIGNATURE_TYPE_PEHSTR,05 00 03 00 08 00 00 "
strings :
// ASCII format string for a tftp download command (weight 1).
$a_01_0 = {74 66 74 70 20 2d 69 20 25 73 20 47 45 54 20 25 73 } //1 tftp -i %s GET %s
// UTF-16LE UNC path to an administrative share (C$) with a numeric file name (weight 1).
$a_01_1 = {5c 00 5c 00 5c 00 43 00 24 00 5c 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 } //1 \\\C$\123456111111111111
// Raw x86 bytes (weight 2). Appears to be a jmp/pop decoder stub: 81 36 .. is
// xor dword [esi], imm32 and e2 f2 is loop — confirm by disassembly.
$a_01_2 = {eb 19 5e 31 c9 81 e9 89 ff ff ff 81 36 80 bf 32 94 81 ee fc ff ff ff e2 f2 eb 05 e8 e2 ff ff ff 03 53 06 1f 74 57 75 95 80 bf bb 92 7f 89 5a 1a } //2
// Raw x86 bytes (weight 2). Appears to be a byte-wise XOR decoder loop:
// 80 34 0a 99 is xor byte [edx+ecx], 0x99 and e2 fa is loop — confirm by disassembly.
$a_01_3 = {eb 10 5a 4a 33 c9 66 b9 76 01 80 34 0a 99 e2 fa eb 05 e8 eb ff ff ff 70 61 99 99 99 c3 21 95 69 } //2
// UTF-16LE text followed by four ff bytes (weight 1); the converter emitted no
// decoded text because the trailing ff ff ff ff is not a valid UTF-16 character.
$a_01_4 = {46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 46 00 58 00 ff ff ff ff } //1 FXNBFXFXNBFXFXFXFX + ff ff ff ff
// Weight 2. This nine-byte sequence occurs verbatim inside $a_01_3, so every
// hit on $a_01_3 also scores this string (4 points together, which clears the
// threshold on its own); a hit here without $a_01_3 is the loop fragment alone.
$a_01_5 = {80 34 0a 99 e2 fa eb 05 e8 } //2
// UTF-16LE loopback IPC$ share path (weight 2). The trailing 45 45 is a pair of
// single bytes (ASCII "EE"), not a UTF-16 unit; the converter's decoder had
// rendered it as the code point U+4545.
$a_01_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 49 00 50 00 43 00 24 00 5c 00 45 45 } //2 127.0.0.1\IPC$\ followed by 45 45
// UTF-16LE share path like $a_01_1 (without the leading backslashes) with a run
// of "1" characters and a .doc extension (weight 1); the final 63 lacks its
// trailing 00, so the pattern ends mid-character and the converter left it undecoded.
$a_01_7 = {5c 00 43 00 24 00 5c 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 2e 00 64 00 6f 00 63 } //1 \C$\123456 1...1 .doc (last 00 omitted)
condition:
// (#x & 1) caps each string at a single hit, so a string contributes at most
// its weight no matter how often it occurs. Reaching 3 therefore needs one
// weight-2 string plus any other string, or three weight-1 strings.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*2+(#a_01_3 & 1)*2+(#a_01_4 & 1)*1+(#a_01_5 & 1)*2+(#a_01_6 & 1)*2+(#a_01_7 & 1)*1) >=3
}