16 lines
602 B
Plaintext
16 lines
602 B
Plaintext
|
|
rule Exploit_WinNT_CVE-2012-0507_B{
|
|
meta:
|
|
description = "Exploit:WinNT/CVE-2012-0507.B,SIGNATURE_TYPE_JAVAHSTR_EXT,04 00 04 00 06 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {43 41 46 45 42 41 42 45 } //1 CAFEBABE
|
|
$a_01_1 = {06 61 2e 54 69 6d 65 } //1
|
|
$a_01_2 = {0b 28 4c 61 2f 48 65 6c 70 3b 29 } //1
|
|
$a_03_3 = {3a 05 19 05 b6 00 ?? c0 00 ?? 3a 09 } //1
|
|
$a_01_4 = {be 19 b6 3a 19 b6 c0 3a a7 4c b1 } //2
|
|
$a_03_5 = {10 b8 07 78 2a 1c (04 60|) b6 10 b8 60 91 54 84 a7 } //1
|
|
condition:
|
|
((#a_00_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*2+(#a_03_5 & 1)*1) >=4
|
|
|
|
} |