DefenderYara/Exploit/WinNT/CVE-2012-4681/Exploit_WinNT_CVE-2012-4681...


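/*
 * Detects a Java class carrying the constant-pool names and bytecode that this
 * signature associates with CVE-2012-4681 (rule converted from a Microsoft
 * Defender JAVAHSTR_EXT signature; see meta.description).
 *
 * $a_01_0 .. $a_01_7 are Java CONSTANT_Utf8 constant-pool entries: tag 0x01,
 * a 2-byte big-endian length, then the UTF-8 bytes. $a_01_8 and $a_01_9 are
 * bytecode fragments.
 *
 * The patterns are raw class-file bytes. A class stored deflate-compressed
 * inside a JAR will not match unless the scanning pipeline unpacks the
 * archive first.
 */
rule Exploit_WinNT_CVE-2012-4681_AUB
{
    meta:
        description = "Exploit:WinNT/CVE-2012-4681.AUB,SIGNATURE_TYPE_JAVAHSTR_EXT,0a 00 0a 00 0a 00 00 "

    strings:
        // Utf8 "java/security/ProtectionDomain" (weight 1)
        $a_01_0 = {01 00 1e 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 72 6f 74 65 63 74 69 6f 6e 44 6f 6d 61 69 6e }
        // Utf8 "java/security/Permissions" (weight 1)
        $a_01_1 = {01 00 19 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 65 72 6d 69 73 73 69 6f 6e 73 }
        // Utf8 "java/security/cert/Certificate" (weight 1)
        $a_01_2 = {01 00 1e 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 63 65 72 74 2f 43 65 72 74 69 66 69 63 61 74 65 }
        // Utf8 "setSecurityManager" (weight 1)
        $a_01_3 = {01 00 12 73 65 74 53 65 63 75 72 69 74 79 4d 61 6e 61 67 65 72 }
        // Utf8 "sun" (weight 1); very short, only meaningful together with the others
        $a_01_4 = {01 00 03 73 75 6e }
        // Utf8 "awt" (weight 1); very short, only meaningful together with the others
        $a_01_5 = {01 00 03 61 77 74 }
        // Utf8 "SunToolkit" (weight 1)
        $a_01_6 = {01 00 0a 53 75 6e 54 6f 6f 6c 6b 69 74 }
        // Utf8 entry of 46 characters: digits with the letters g,e,t,F,i,e,l,d
        // interleaved, i.e. a padded "getField" (weight 1). Sample-specific, so
        // a rebuilt variant with different padding would not match this string.
        $a_01_7 = {01 00 2e 37 38 39 67 38 37 39 35 65 34 35 36 35 74 35 37 36 35 46 35 36 37 35 35 36 37 69 36 37 36 35 65 37 35 36 35 36 37 6c 35 36 37 64 35 36 37 }
        // Bytecode: bipush 8 / newarray char, then eight castore writes of
        // 'f','i','l','e',':','/','/','/' ("file:///"), then putfield #4 (weight 1)
        $a_01_8 = {2a 10 08 bc 05 59 03 10 66 55 59 04 10 69 55 59 05 10 6c 55 59 06 10 65 55 59 07 10 3a 55 59 08 10 2f 55 59 10 06 10 2f 55 59 10 07 10 2f 55 b5 00 04 }
        // NOTE(review): reads like a run of JVM opcodes with their operands
        // left out (aload_0, ldc, invokespecial, astore, ...). Confirm against a
        // known sample that this literal byte run occurs in a raw class file;
        // because every string is required, the rule cannot fire if it does not.
        $a_01_9 = {2a 12 b7 3a 19 06 bd 59 03 13 53 59 04 13 53 59 05 13 53 b6 3a 19 06 bd 59 03 2a 12 b7 53 59 04 2a b4 53 59 05 04 bd 53 b6 3a 2d 19 19 b6 19 b6 12 03 bd b6 3a }

    condition:
        // The source signature gives each of the ten strings weight 1 and a
        // threshold of 10, i.e. every string must be present. The converted
        // form summed (#s & 1), which is the parity of the match count, so a
        // string occurring an even number of times counted as absent and the
        // rule silently missed the file. Presence is what is meant.
        all of ($a_01_*)
}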