
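// Detection for Exploit:WinNT/CVE-2011-3521.gen!A, converted from a Defender
// signature of type JAVAHSTR_EXT (see the description string in meta).
// The signature looks for Java class content that combines CORBA,
// serialization and reflection references with the read_* names listed
// below, plus one opaque six-byte pattern. Original weights: 5 for each of
// the four $a_01_* names, 2 for each of the four $a_00_* names, 4 for the
// byte pattern $a_01_8; the original threshold was >= 30 of a maximum of 32.
rule Exploit_WinNT_CVE-2011-3521_gen_A{
meta:
description = "Exploit:WinNT/CVE-2011-3521.gen!A,SIGNATURE_TYPE_JAVAHSTR_EXT,1e 00 1e 00 09 00 00 "
strings :
// Weight 5 each: class/interface names as they appear in a class constant pool.
$a_01_0 = {6f 72 67 2f 6f 6d 67 2f 43 4f 52 42 41 } //5 org/omg/CORBA
$a_01_1 = {6a 61 76 61 2f 69 6f 2f 53 65 72 69 61 6c 69 7a 61 62 6c 65 } //5 java/io/Serializable
$a_01_2 = {6a 61 76 61 2f 6c 61 6e 67 2f 45 78 63 65 70 74 69 6f 6e } //5 java/lang/Exception
$a_01_3 = {6a 61 76 61 2f 6c 61 6e 67 2f 72 65 66 6c 65 63 74 2f 46 69 65 6c 64 } //5 java/lang/reflect/Field
// Weight 2 each: method/type names; at least three of the four are required.
$a_00_4 = {49 6e 70 75 74 53 74 72 65 61 6d } //2 InputStream
$a_00_5 = {72 65 61 64 5f 4f 62 6a 65 63 74 } //2 read_Object
$a_00_6 = {72 65 61 64 5f 54 79 70 65 43 6f 64 65 } //2 read_TypeCode
$a_00_7 = {72 65 61 64 5f 73 74 72 69 6e 67 } //2 read_string
// Weight 4: raw byte pattern carried over from the Defender signature; no
// decoded form is given on the page, so it is kept verbatim.
$a_01_8 = {b8 59 b3 a7 b2 12 } //4
condition:
// The mechanically converted form scored each string as (#x & 1)*weight,
// which counts a string only when it occurs an ODD number of times: a sample
// containing a name twice contributed 0 for it. Written as plain presence,
// the >= 30 threshold means every 5-point string and the 4-point pattern
// are mandatory (24) and at least three of the four 2-point strings must
// also be present (>= 6), which is exactly the expression below.
$a_01_0 and $a_01_1 and $a_01_2 and $a_01_3 and $a_01_8 and 3 of ($a_00_*)
}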