DefenderYara/Exploit/Win32/Senglot/Exploit_Win32_Senglot_T.yar


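rule Exploit_Win32_Senglot_T
{
    meta:
        // Converted from a Microsoft Defender PEHSTR_EXT signature. The trailing
        // "05 00 05 00 05 00 00" field is the signature's threshold block: all
        // 5 of the 5 weighted strings below (weight 1 each) must be present.
        description = "Exploit:Win32/Senglot.T,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "

    strings:
        // Weight 1. x86 shellcode prologue: cld; xor eax,eax; mov eax,fs:[eax+30h]
        // (PEB) -> [eax+0Ch] (Ldr) -> [eax+1Ch] (InInitializationOrderModuleList);
        // lodsd; [eax+08h] (DllBase), with a js-taken fallback path through
        // +34h/+7Ch/+3Ch. Ends in push ebp; mov ebp,esp; add esp,-198h, i.e. a
        // 0x198-byte local frame used by the patterns that follow.
        $a_01_0 = {81 ef 22 10 40 00 fc 33 c0 64 8b 40 30 85 c0 78 0c 8b 40 0c 8b 70 1c ad 8b 40 08 eb 09 8b 40 34 8d 40 7c 8b 40 3c e8 0b 00 00 00 0b c0 74 06 6a 00 ff d0 eb 01 c3 55 8b ec 81 c4 68 fe ff ff 89 }

        // Weight 1. PE header walk on the located module: add esi,3Ch; lodsw
        // (e_lfanew read as a word); add the base; cmp eax,'PE\0\0'
        // (3d 50 45 00 00) with a jnz to a bail-out; then four consecutive
        // dwords of a header table are copied into locals [ebp-10h..ebp-1Ch].
        // That layout is consistent with the export directory but is not
        // confirmed by the bytes alone. Ends with mov [ebp-40h],0D3324904h; call
        // -- the first of a series of 32-bit-constant + call pairs, consistent
        // with hash-based API resolution (the hash values are not decoded here).
        $a_01_1 = {7d f8 89 45 fc 96 33 c0 83 c6 3c 66 ad 03 45 fc 96 ad 3d 50 45 00 00 0f 85 8e 02 00 00 8b 46 74 03 45 fc 96 83 c6 18 ad 89 45 f0 ad 89 45 ec ad 89 45 e8 ad 89 45 e4 c7 45 c0 04 49 32 d3 e8 6c 02 00 00 89 45 d4 c7 45 c0 8e 4e 0e ec e8 5d 02 }

        // Weight 1. Continuation of the resolver sequence: five more
        // mov [ebp-40h],imm32; call pairs, each result stored to a distinct
        // local ([ebp-34h], [ebp-30h], [ebp-28h], [ebp-20h], [ebp-38h], [ebp-24h]).
        $a_01_2 = {00 00 89 45 cc c7 45 c0 aa fc 0d 7c e8 4e 02 00 00 89 45 d0 c7 45 c0 0a 39 f7 56 e8 3f 02 00 00 89 45 d8 c7 45 c0 72 fe b3 16 e8 30 02 00 00 89 45 e0 c7 45 c0 b0 49 2d db e8 21 02 00 00 89 45 c8 c7 45 c0 7e d8 e2 73 e8 12 02 00 00 89 45 dc }

        // Weight 1. Inline ASCII pushed via the call-over trick (e8 0b 00 00 00
        // / e8 18 00 00 00 jump exactly the length of the NUL-terminated string,
        // leaving its address on the stack): "URLMON.DLL" twice, then
        // "URLDownloadToCacheFileA". Each is followed by a call through a
        // previously resolved pointer ([ebp-2Ch], [ebp-34h], [ebp-30h]).
        // This is the most human-readable indicator in the set.
        $a_01_3 = {e8 0b 00 00 00 55 52 4c 4d 4f 4e 2e 44 4c 4c 00 8b 45 d4 ff d0 0b c0 75 15 e8 0b 00 00 00 55 52 4c 4d 4f 4e 2e 44 4c 4c 00 8b 45 cc ff d0 e8 18 00 00 00 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 43 61 63 68 65 46 69 6c 65 41 00 50 8b 45 d0 ff }

        // Weight 1. Follow-up calls: push 7D0h (2000); call [ebp-38h]; then
        // push 0; push 0; push 104h (260, MAX_PATH); lea eax,[ebp-144h]; push eax
        // -- a zero-initialised 260-byte stack buffer handed to the next call.
        // The pattern is cut off inside that final call instruction.
        $a_01_4 = {d0 89 45 c4 c7 45 f4 04 00 00 00 c6 85 bc fe ff ff 00 68 d0 07 00 00 8b 45 c8 ff d0 6a 00 6a 00 68 04 01 00 00 8d 85 bc fe ff ff 50 e8 04 01 00 }

    condition:
        // The generated condition was a weighted sum of (#a_01_N & 1)*1 terms
        // compared against >= 5. Because #a_01_N is a match COUNT, "& 1" is 0 for
        // any even count, so a sample in which one pattern occurs twice would
        // not be flagged even though every string is present. The Defender
        // threshold (5 of 5, weight 1 each) is a presence test, which
        // "all of them" expresses without that parity artefact.
        all of them
}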