DefenderYara/Exploit/WinNT/CVE-2012-1723/Exploit_WinNT_CVE-2012-1723_P.yar

rule Exploit_WinNT_CVE-2012-1723_P{
	meta:
		description = "Exploit:WinNT/CVE-2012-1723.P,SIGNATURE_TYPE_JAVAHSTR_EXT,02 00 02 00 02 00 00 "
		
	strings :
		$a_03_0 = {15 08 12 0b a2 00 10 19 06 01 b6 00 ?? 57 84 08 01 a7 ff ef } //1
		$a_01_1 = {75 72 30 6c 30 } //1 ur0l0
	condition:
		((#a_03_0  & 1)*1+(#a_01_1  & 1)*1) >=2
 
}
rule Exploit_WinNT_CVE-2012-1723_P_2{
	meta:
		description = "Exploit:WinNT/CVE-2012-1723.P,SIGNATURE_TYPE_JAVAHSTR_EXT,03 00 03 00 03 00 00 "
		
	strings :
		$a_03_0 = {1c 12 05 a2 00 0f 2b 01 b6 00 ?? 57 84 02 01 a7 ff f1 } //1
		$a_00_1 = {63 6f 6e 66 75 73 65 } //1 confuse
		$a_00_2 = {43 6f 6e 66 75 73 69 6e 67 43 6c 61 73 73 4c 6f 61 64 65 72 } //1 ConfusingClassLoader
	condition:
		((#a_03_0  & 1)*1+(#a_00_1  & 1)*1+(#a_00_2  & 1)*1) >=3
 
}