DefenderYara/Exploit/Win32/Senglot/Exploit_Win32_Senglot_S.yar


// Exploit:Win32/Senglot.S — auto-converted from a Microsoft Defender
// SIGNATURE_TYPE_PEHSTR_EXT signature. The meta description keeps the raw
// signature header; the "//NN NN" trailer after each string is that string's
// weight in the original signature (all 1 here; the final "//00 00" is most
// likely the list terminator rather than a zero weight).
// NOTE(review): the header's leading "05 00 05 00 05 00" reads as threshold 5
// over 5 strings of weight 1, i.e. the original signature most likely needs
// ALL five byte patterns to co-occur. The converted condition below fires on
// ANY single pattern, which is considerably looser — a lone PEB-walk prologue
// or a bare list of API names will also match. Confirm the threshold
// semantics (e.g. "all of ($a_*)" or a weighted sum >= 5) before using this
// rule for blocking rather than hunting.
rule Exploit_Win32_Senglot_S{
meta:
description = "Exploit:Win32/Senglot.S,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 01 00 "
strings :
// Shellcode prologue: NOP sled, then "64 a1 30 00 00 00" (mov eax,fs:[30h])
// walks PEB -> Ldr -> InInitializationOrderModuleList to a module base and
// reads that module's export directory ("8b 73 3c" = e_lfanew, "8b 74 1e 78"
// = export table RVA, "8b 7e 20"/"8b 4e 14" = AddressOfNames/NumberOfNames).
// "6a 0e 59 f3 a6" (push 0Eh / pop ecx / repe cmpsb) compares a 14-byte
// export name — the length of "GetProcAddress", which appears in $a_01_3.
$a_01_0 = {00 90 90 90 90 5a 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 8b d8 8b 73 3c 8b 74 1e 78 03 f3 8b 7e 20 03 fb 8b 4e 14 33 ed 56 57 51 8b 3f 03 fb 8b f2 6a 0e 59 f3 a6 74 08 59 5f 83 c7 04 } //01 00
// Continues the export lookup (ordinal -> address via "8b 46 24"/"8b 46 1c"),
// calls through a table of resolved pointers ("ff 57 fc" = call [edi-4]), and
// ends in a loop ("46 80 3e 80" + the "75 fa" that opens $a_01_2) that scans
// forward for a 0x80 byte; $a_01_2 then XORs it to 0x00 ("80 36 80"), which
// looks like a NUL-terminator trick for an embedded string.
$a_01_1 = {45 e2 e9 59 5f 5e 8b cd 8b 46 24 03 c3 d1 e1 03 c1 33 c9 66 8b 08 8b 46 1c 03 c3 c1 e1 02 03 c1 8b 00 03 c3 8b fa 8b f7 83 c6 0e 8b d0 6a 04 59 e8 6a 00 00 00 83 ee f3 52 56 ff 57 fc 5a 8b d8 6a 01 59 e8 57 00 00 00 83 c6 13 56 46 80 3e 80 } //01 00
// Builds a command line on the stack: "63 6d 64 20" = "cmd ", "2f 63" = "/c",
// then after a call through the pointer table ("ff 57 ec") appends
// "5c 61 2e 65" + "78 65 00 00" = "\a.exe". The later "ff 57 fc" (5 pushed
// args) and "ff 57 f0" (2 pushed args) calls are consistent with the
// download-then-execute imports listed in $a_01_3/$a_01_4 — inferred from
// argument counts only, not confirmed here.
$a_01_2 = {75 fa 80 36 80 5e 83 ec 40 8b dc c7 03 63 6d 64 20 43 43 43 43 66 c7 03 2f 63 43 43 c6 03 20 43 6a 20 53 ff 57 ec c7 04 03 5c 61 2e 65 c7 44 03 04 78 65 00 00 33 c0 50 50 53 56 50 ff 57 fc 8b dc 6a 00 53 ff 57 f0 68 51 24 40 00 58 ff d0 33 } //01 00
// Resolver loop tail ("ff d2" = call edx, "ab" stosd storing each address),
// then the ASCII, NUL-separated import list the shellcode resolves:
// "GetProcAddress", "GetSystemDirectoryA", "WinExec", "ExitThread", and the
// leading "L" of a name that continues in $a_01_4.
$a_01_3 = {c0 ac 85 c0 75 f9 51 52 56 53 ff d2 5a 59 ab e2 ee 33 c0 c3 e8 0c ff ff ff 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 47 65 74 53 79 73 74 65 6d 44 69 72 65 63 74 6f 72 79 41 00 57 69 6e 45 78 65 63 00 45 78 69 74 54 68 72 65 61 64 00 4c } //01 00
// Continuation of the same list: "oadLibraryA", "urlmon", "URLDownloadToFileA".
// $a_01_3 and $a_01_4 are adjacent in the original signature; under "any of"
// each half matches independently, and this plain API-name list is the
// string most likely to hit benign or unrelated binaries on its own.
$a_01_4 = {6f 61 64 4c 69 62 72 61 72 79 41 00 75 72 6c 6d 6f 6e 00 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 } //00 00
condition:
// One matching string is enough — see the NOTE above on the encoded threshold.
any of ($a_*)
}