12 lines
454 B
Plaintext
12 lines
454 B
Plaintext
|
|
rule Exploit_Win32_ShellCode_MR_MTB{
|
|
meta:
|
|
description = "Exploit:Win32/ShellCode.MR!MTB,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {33 d0 c7 05 [0-08] 8b d2 01 15 [0-04] a1 [0-04] 8b 0d [0-04] 89 08 5d c3 90 09 05 00 a1 } //1
|
|
$a_02_1 = {8b f8 03 3d [0-04] 68 [0-04] ff 15 [0-04] 03 [0-05] 8b [0-05] 8a [0-03] 88 [0-03] 8b [0-05] 83 [0-03] 89 [0-05] eb } //1
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_02_1 & 1)*1) >=2
|
|
|
|
} |