// Generic Win32 shellcode detection (Defender signature Exploit:Win32/ShellCode.gen!B,
// converted from a PEHSTR_EXT signature). Each string carries a weight (the trailing
// //1 or //2); the condition sums the weights of the strings present and fires at >= 2.
// `#str & 1` clamps a string's hit count to 0/1, so repeated occurrences never stack.
// Net effect: $a_03_4 alone is sufficient, otherwise any two of the others are needed.
// NOTE(review): the "02 00 02 00 05 00 00" bytes in the description look like the
// original threshold (2) and string count (5) — consistent with the condition, unverified.
rule Exploit_Win32_ShellCode_gen_B{
meta:
description = "Exploit:Win32/ShellCode.gen!B,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 05 00 00 "
strings :
// Decoder stub: d9 ee / d9 74 24 f4 (fldz; fnstenv [esp-0xc]) followed by 5b (pop ebx)
// is the FPU GetPC trick; 80 73 0e ?? (xor byte [ebx+0xe], imm8), 43 (inc ebx), e2 f9 (loop)
// is a single-byte XOR decode loop. The 0xaa filler bytes and the ?? key are the variable parts.
$a_03_0 = {81 e9 aa aa aa aa d9 ee d9 74 24 f4 5b 80 73 0e ?? 43 e2 f9 90 09 05 00 b9 ?? ?? aa aa } //1
// UTF-16LE "\..\..\" (5c 00 2e 00 2e 00 5c 00 ...) immediately followed by eight 0x90 bytes —
// a directory-traversal-looking path adjoining a NOP sled.
$a_01_1 = {00 5c 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c 00 90 90 90 90 90 90 90 90 } //1
// Call/pop GetPC variant: e8 01 00 00 00 (call +1), 90 90, 58 (pop eax), then a stack
// adjustment loop (sub ebx,esp / test / jns / sub esp,imm8 / jmp back) before fc (cld),
// a call and 60 (pushad) / 8b 6c 24 24 (mov ebp,[esp+0x24]).
$a_03_2 = {e8 01 00 00 00 90 90 58 8b d8 2b dc 85 db 79 05 83 ec ?? eb f3 fc 6a ?? 4d e8 ?? ff ff ff 60 8b 6c 24 24 } //1
// Export-name hashing loop: lodsb / test al,al / jz ; ror edx,imm8 ; add edx,eax ; jmp back,
// then cmp edx,[esp+0x28] — a rolling hash of a name compared against a value on the stack.
// Presumably an API-hash resolver walking a PE export table; the ?? is the rotate count.
$a_03_3 = {8b 34 8b 03 f5 33 c0 99 ac 84 c0 74 07 c1 ca ?? 03 d0 eb f4 3b 54 24 28 75 ?? 8b 5f 24 03 dd } //1
// Weight 2 (sufficient on its own): 64 a1 30 00 00 00 is mov eax, fs:[0x30] (PEB), followed by
// the +0x0c / +0x1c dereferences of the loader module list, a pushed 32-bit hash (68 8e 4e 0e ec),
// the pushed ASCII "urlmon" (68 6f 6e 00 00 / 68 75 72 6c 6d) and a second hash (68 36 1a 2f 70).
// NOTE(review): the hash constants resemble the ROR13 API hashes used by common shellcode
// for LoadLibraryA / URLDownloadToFileA — confirm before documenting as such.
$a_03_4 = {64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 58 08 5e 68 8e 4e 0e ec ?? ff d6 68 6f 6e 00 00 68 75 72 6c 6d 54 ff ?? 68 36 1a 2f 70 50 ff } //2
condition:
// Weighted sum of clamped hit counts; threshold 2.
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*2) >=2
}