23 lines
1.5 KiB
Plaintext
23 lines
1.5 KiB
Plaintext
|
|
rule Exploit_WinNT_CVE-2012-4681_AIM{
|
|
meta:
|
|
description = "Exploit:WinNT/CVE-2012-4681.AIM,SIGNATURE_TYPE_JAVAHSTR_EXT,0d 00 0d 00 0d 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {01 00 07 65 78 65 63 75 74 65 } //1
|
|
$a_01_1 = {01 00 0c 5a 6d 39 79 54 6d 46 74 5a 51 3d 3d } //1
|
|
$a_01_2 = {01 00 10 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 } //1
|
|
$a_01_3 = {01 00 0f 6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 } //1
|
|
$a_01_4 = {01 00 0e 64 65 66 67 64 31 31 2f 42 61 73 65 36 34 } //1
|
|
$a_01_5 = {01 00 10 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 } //1
|
|
$a_01_6 = {01 00 06 64 65 63 6f 64 65 } //1
|
|
$a_01_7 = {01 00 3a 28 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 3b 5b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b 29 56 } //1
|
|
$a_01_8 = {01 00 14 28 29 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b } //1
|
|
$a_01_9 = {01 00 15 6a 61 76 61 2f 62 65 61 6e 73 2f 45 78 70 72 65 73 73 69 6f 6e } //1
|
|
$a_01_10 = {01 00 08 67 65 74 56 61 6c 75 65 } //1
|
|
$a_01_11 = {01 00 08 67 65 74 42 79 74 65 73 } //1
|
|
$a_03_12 = {04 bd 00 27 90 09 00 00 04 bd 00 27 4d 2c 03 2b 53 bb 00 63 59 12 65 bb 00 16 59 12 67 b6 00 1a b8 00 1e b7 00 24 2c b7 00 69 4e 2d b6 00 6a 2d b6 00 6b c0 00 65 b0 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_03_12 & 1)*1) >=13
|
|
|
|
} |