
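// Exploit:WinNT/CVE-2008-5353.gen!A — a Defender SIGNATURE_TYPE_JAVAHSTR_EXT signature
// transcribed to YARA. Every string is a plain ASCII token of a Java class file
// (method descriptors, fully-qualified class names, method names). Each token on its
// own is an ordinary JDK API reference, so the rule is only meaningful when ALL of
// them co-occur; treat a hit as a candidate for analyst review, not as proof of
// exploitation.
//
// NOTE(review): stock YARA identifiers may only contain [A-Za-z0-9_]; the hyphens in
// this rule name are carried over from the Defender signature name and will have to
// be replaced (e.g. with underscores) before the rule loads in a standard YARA build.
rule Exploit_WinNT_CVE-2008-5353_gen_A
{
    meta:
        description = "Exploit:WinNT/CVE-2008-5353.gen!A,SIGNATURE_TYPE_JAVAHSTR_EXT,0e 00 0e 00 0e 00 00 "

    strings:
        // Method descriptors (parameter/return types) as stored in the constant pool.
        // Each string carried weight 1 in the source signature.
        $a_01_0  = {28 29 4c 6a 61 76 61 2f 69 6f 2f 49 6e 70 75 74 53 74 72 65 61 6d 3b } // ()Ljava/io/InputStream;
        $a_01_1  = {28 29 4c 6a 61 76 61 2f 6c 61 6e 67 2f 52 75 6e 74 69 6d 65 3b } // ()Ljava/lang/Runtime;
        $a_01_2  = {28 29 4c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c 43 6f 6e 6e 65 63 74 69 6f 6e 3b } // ()Ljava/net/URLConnection;
        $a_01_3  = {28 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 3b 29 49 } // (Ljava/lang/String;)I
        $a_01_4  = {3d 28 4c 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 72 69 76 69 6c 65 67 65 64 45 78 63 65 70 74 69 6f 6e 41 63 74 69 6f 6e 3b 29 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b } // =(Ljava/security/PrivilegedExceptionAction;)Ljava/lang/Object;

        // Method names.
        $a_01_5  = {64 6f 50 72 69 76 69 6c 65 67 65 64 } // doPrivileged
        $a_01_6  = {67 65 74 52 75 6e 74 69 6d 65 } // getRuntime
        $a_01_12 = {6f 70 65 6e 43 6f 6e 6e 65 63 74 69 6f 6e } // openConnection
        $a_01_13 = {6f 70 65 6e 53 74 72 65 61 6d } // openStream

        // Class names (internal slash-separated form).
        $a_01_7  = {6a 61 76 61 2f 69 6f 2f 46 69 6c 65 } // java/io/File
        $a_01_8  = {6a 61 76 61 2f 6c 61 6e 67 2f 43 68 61 72 61 63 74 65 72 } // java/lang/Character
        $a_01_9  = {6a 61 76 61 2f 6c 61 6e 67 2f 4d 61 74 68 } // java/lang/Math
        $a_01_10 = {6a 61 76 61 2f 6c 61 6e 67 2f 50 72 6f 63 65 73 73 } // java/lang/Process
        $a_01_11 = {6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 41 63 63 65 73 73 43 6f 6e 74 72 6f 6c 6c 65 72 } // java/security/AccessController

    condition:
        // The transcribed form summed `(#a_01_N & 1)*1` over all 14 strings and
        // required the sum to be >= 14. `#a & 1` is the low bit of the match COUNT,
        // so a token that occurs an even number of times in the file contributed 0
        // and the rule silently failed to fire. Because every weight is 1 and the
        // threshold equals the number of strings, the intended semantic is simply
        // "every string is present at least once", which is what `all of` expresses.
        all of ($a_01_*)
}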