DefenderYara/Exploit/Win64/Ceilscour/Exploit_Win64_Ceilscour_B_M...


// Detection rule for the Defender family name Exploit:Win64/Ceilscour.B!MTB.
// It matches two x64 machine-code fragments: an in-place XOR decode loop and
// a sequence that checks a PE header for AMD64 and then allocates RWX memory.
rule Exploit_Win64_Ceilscour_B_MTB{
meta:
// The description carries the Defender detection name, the signature type and
// the raw signature header bytes. The meaning of those header bytes is not
// documented on this page; treat them as opaque.
description = "Exploit:Win64/Ceilscour.B!MTB,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 01 00 "
strings :
// $a_01_0: byte-wise in-place decode loop.
//   movzx eax, bl / sub al, r15b / and al, 0x80 / xor al, sil / xor [rbx], al
//   add rbx, r14 / cmp rbx, rdx / jb <loop start>        (inner loop, 21 bytes)
//   inc rdi / inc r12 / dec r13 / jnz <rel32 backwards>  (outer counted loop)
// The key byte is derived from the low byte of the write pointer, and the
// stride comes from r14. The final jnz displacement (6c ff ff ff) is fixed, so
// a recompiled build with a different outer-loop size will not match.
$a_01_0 = {0f b6 c3 41 2a c7 24 80 40 32 c6 30 03 49 03 de 48 3b da 72 eb 48 ff c7 49 ff c4 49 ff cd 0f 85 6c ff ff ff } //01 00
// $a_01_1: PE header check followed by an allocation call.
//   mov eax, 0x8664 / cmp ax, [rsi+r15+0x04] / jne <back>
//       0x8664 is IMAGE_FILE_MACHINE_AMD64. Offset 0x04 is the Machine field if
//       rsi+r15 points at the NT headers (presumed; the base is not shown).
//   mov edx, [rsi+r15+0x50] / mov rcx, [rsi+r15+0x30]
//       On the same assumption these are SizeOfImage and ImageBase (PE32+).
//   mov r9d, 0x40 / mov r8d, 0x3000 / call [rip+disp32]
//       0x40 is PAGE_EXECUTE_READWRITE and 0x3000 is MEM_COMMIT|MEM_RESERVE.
//       The argument layout is consistent with VirtualAlloc. The call target is
//       not part of the pattern, so that is an inference.
$a_01_1 = {b8 64 86 00 00 66 42 3b 44 3e 04 75 d5 42 8b 54 3e 50 4a 8b 4c 3e 30 41 b9 40 00 00 00 41 b8 00 30 00 00 ff 15 } //00 00
condition:
// NOTE(review): `any of` fires on either fragment alone. $a_01_1 describes
// generic x64 PE-mapping code that benign loaders and packers may also contain,
// so single-pattern hits deserve triage before being treated as this family.
// The header bytes in the description may encode a match threshold; confirm
// against the source signature whether both patterns were meant to be required.
// NOTE(review): nothing here restricts the rule to PE files, for example
// `uint16(0) == 0x5A4D`. SIGNATURE_TYPE_PEHSTR_EXT suggests the source signature
// was PE-scoped. Consider adding a file-type guard when scanning arbitrary
// files, unless memory or dump scanning is intended.
any of ($a_*)
}