
// Defender-derived YARA rule (Exploit:Win32/Shellcode.AF) for a position-independent
// shellcode stub that assembles its strings on the stack with mov-immediate stores
// ("expl"/"orer"/".exe\0", "WinI"/"net."/"dll\0", "GET\0", "*/*\0", "DllP"/"roc\0")
// and calls through hashed/indirect function pointers. $a_03_0-$a_03_3 are the 32-bit
// (esp/ebp-relative) forms; $a_03_4-$a_03_7 are the 64-bit (REX 48/4x-prefixed) forms
// of the same sequences. Every pattern wildcards (??) the call rel32 operands and the
// stack-slot displacements, so build-to-build offset changes do not break the match;
// the byte patterns themselves are exact and must not be edited by hand.
rule Exploit_Win32_Shellcode_AF_{
meta:
// The trailing bytes are the SIGNATURE_TYPE_ARHSTR_EXT header carried over from the
// original Defender signature; presumably "08" is the string count (eight $a_03_*
// strings follow) -- confirm against the converter.
description = "Exploit:Win32/Shellcode.AF!!Shellcode.gen!A,SIGNATURE_TYPE_ARHSTR_EXT,03 00 03 00 08 00 00 "
strings :
// 32-bit: "expl" then mov dword [esp+d8],"orer" / ".exe" and mov byte [esp+d8],0;
// call; mov esi,eax; test esi,esi; jz; call; push esi; push 0; push 0x1FFFFF
// (PROCESS_ALL_ACCESS); call [esp+0x30] -- consistent with an OpenProcess-style
// call on a PID held in esi; presumed, confirm.
$a_03_0 = {65 78 70 6c c7 44 24 ?? 6f 72 65 72 c7 44 24 ?? 2e 65 78 65 c6 44 24 ?? 00 e8 ?? ?? 00 00 8b f0 85 f6 0f 84 ?? ?? 00 00 e8 ?? ?? 00 00 56 6a 00 68 ff ff 1f 00 ff 54 24 30 } //1
// 32-bit: "WinI" then mov dword [ebp+d8] stores of "net." / "dll\0" / "GET\0" / "*/*\0";
// mov [ebp+d8],eax; call; mov ecx,0xE553A458 -- presumably an API-hash constant
// passed to a resolver; confirm.
$a_03_1 = {57 69 6e 49 c7 45 ?? 6e 65 74 2e c7 45 ?? 64 6c 6c 00 c7 45 ?? 47 45 54 00 c7 45 ?? 2a 2f 2a 00 89 45 ?? e8 ?? ?? 00 00 b9 58 a4 53 e5 } //1
// 32-bit: "DllP"; mov ecx,eax; mov dword [ebp-4],"roc\0"; call; test eax,eax; jz +2;
// call eax; test esi,esi; jz +0xb; push 0x8000 (MEM_RELEASE); push 0; push esi;
// call [ebp-0xc] -- consistent with VirtualFree(esi, 0, MEM_RELEASE); presumed.
// Weight 2 (see condition).
$a_03_2 = {44 6c 6c 50 8b c8 c7 45 fc 72 6f 63 00 e8 ?? ?? 00 00 85 c0 74 02 ff d0 85 f6 74 0b 68 00 80 00 00 6a 00 56 ff 55 f4 } //2
// 32-bit: four leading bytes (likely the tail of a 32-bit immediate; not decoded);
// mov ebx,eax; backward call (rel32 ends ff ff); lea ecx,[ebp-4]; push ecx; push 0x20;
// call eax.
$a_03_3 = {52 f3 e2 51 8b d8 e8 ?? ?? ff ff 8d 4d fc 51 6a 20 ff d0 } //1
// 64-bit twin of $a_03_0: "expl"/"orer"/".exe"/0 via [ebp+d8]; call; mov ebx,eax;
// test eax,eax; jz; call; mov r8d,ebx; xor edx,edx; mov ecx,0x1FFFFF; call rsi;
// mov rbx,rax; test rax,rax; jz; lea r8,[rdi+0x324]; mov dword [rsp+0x20],0x40
// (PAGE_EXECUTE_READWRITE); xor edx,edx; mov r9d,0x3000 (MEM_COMMIT|MEM_RESERVE);
// mov rcx,rax; mov esi,edi; call [rbp+0x6f] -- consistent with OpenProcess followed
// by VirtualAllocEx on the returned handle; presumed, confirm.
$a_03_4 = {65 78 70 6c c7 45 ?? 6f 72 65 72 c7 45 ?? 2e 65 78 65 c6 45 ?? 00 e8 ?? ?? 00 00 8b d8 85 c0 0f 84 dd 00 00 00 e8 ?? ?? 00 00 44 8b c3 33 d2 b9 ff ff 1f 00 ff d6 48 8b d8 48 85 c0 0f 84 ?? ?? 00 00 4c 8d 87 24 03 00 00 c7 44 24 20 40 00 00 00 33 d2 41 b9 00 30 00 00 48 8b c8 8b f7 ff 55 6f } //1
// 64-bit twin of $a_03_1: "net." then mov esi,r13d; "dll\0"; movzx r14d,dx; "GET\0";
// "*/*\0"; call; mov ecx,0xE553A458 (same presumed hash constant as $a_03_1).
$a_03_5 = {6e 65 74 2e 41 8b f5 c7 45 ?? 64 6c 6c 00 44 0f b7 f2 c7 45 ?? 47 45 54 00 c7 45 ?? 2a 2f 2a 00 e8 ?? ?? 00 00 b9 58 a4 53 e5 } //1
// 64-bit twin of $a_03_2: "DllP"; mov rcx,rax; mov dword [rsp+d8],"roc\0"; call;
// test rax,rax; jz +2; call rax; test rbx,rbx; jz +0xe; xor edx,edx; mov r8d,0x8000
// (MEM_RELEASE); mov rcx,rbx; call r15 -- same three-argument shape as the 32-bit
// form in x64 calling convention. Weight 2 (see condition).
$a_03_6 = {44 6c 6c 50 48 8b c8 c7 44 24 ?? 72 6f 63 00 e8 ?? ?? 00 00 48 85 c0 74 02 ff d0 48 85 db 74 0e 33 d2 41 b8 00 80 00 00 48 8b cb 41 ff d7 } //2
// 64-bit twin of $a_03_3: same four leading bytes; mov rsi,rax; backward call; call rax.
$a_03_7 = {52 f3 e2 51 48 8b f0 e8 ?? ?? ff ff ff d0 } //1
condition:
// Weighted vote: the two release-call sequences ($a_03_2, $a_03_6) count double, all
// others once; fires at a total of 3 or more, so one weight-2 hit plus any other
// string, or any three weight-1 strings, is enough. Note `#x & 1` is 1 only when the
// match count is odd -- a string that matches an even number of times contributes
// nothing. This is a literal carry-over of the Defender signature arithmetic and is
// kept unchanged; do not "simplify" it to `#x > 0` without re-validating the rule.
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*2+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*2+(#a_03_7 & 1)*1) >=3
}