
// Exploit_WinNT_CVE-2013-0422: first of three variants of the same detection.
// The meta description keeps the original signature header verbatim
// (SIGNATURE_TYPE_JAVAHSTR_EXT plus its leading bytes); presumably a Java
// string-heuristic signature, converted mechanically to YARA — TODO confirm.
// Every $a_01_* hex string is plain ASCII (decoded in the trailing comment);
// the $a_03_* strings contain 90 xx bytes that look like the source format's
// wildcard/terminator escapes rather than literal bytes — as written, YARA
// matches them literally. NOTE(review): verify against the converter.
rule Exploit_WinNT_CVE-2013-0422{
meta:
description = "Exploit:WinNT/CVE-2013-0422,SIGNATURE_TYPE_JAVAHSTR_EXT,17 00 17 00 07 00 00 05 00 "
strings :
// Java internal class names: these appear in ordinary, benign class files too.
$a_01_0 = {6a 61 76 61 2f 69 6f 2f 42 79 74 65 41 72 72 61 79 4f 75 74 70 75 74 53 74 72 65 61 6d } //05 00 java/io/ByteArrayOutputStream
$a_01_1 = {6a 61 76 61 78 2f 6d 61 6e 61 67 65 6d 65 6e 74 2f 4d 42 65 61 6e 53 65 72 76 65 72 } //05 00 javax/management/MBeanServer
$a_01_2 = {6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 4c 6f 61 64 65 72 } //02 00 java/lang/ClassLoader
$a_01_3 = {6e 65 77 43 6c 61 73 73 } //02 00 newClass
// "Temp" <90 02 10> "open" <90 00> and "Temp" <90 02 10> "exeput" <90 00>:
// the 90 02 10 / 90 00 bytes are presumably a gap-then-end encoding — TODO confirm.
$a_03_4 = {54 65 6d 70 90 02 10 6f 70 65 6e 90 00 } //02 00
$a_03_5 = {54 65 6d 70 90 02 10 65 78 65 70 75 74 90 00 } //02 00
// Sample-specific identifier string; the most selective string in this rule.
$a_01_6 = {62 6f 74 72 34 34 34 7a 61 6e 6f 35 } //00 00 botr444zano5
// NOTE(review): $a_00_7 does not decode to a meaningful string. Its bytes
// "1e 00 1e 00 0b 00 00 05 00" equal the header of the next rule's description
// and it ends in "java/i" — it looks like the start of the following signature
// captured as a string during conversion, not a real indicator. Confirm before relying on it.
$a_00_7 = {bf f2 00 00 1e 00 1e 00 0b 00 00 05 00 18 01 6a 61 76 61 2f 69 } //6f 2f
condition:
// A single string match is enough. $a_01_2 (java/lang/ClassLoader) alone
// satisfies this, so expect false positives on benign Java archives; treat hits
// as a triage signal rather than a verdict. The "//NN 00" values after each string
// look like per-string weights from the original signature, with the header's
// "17 00" a threshold, which "any of" discards — TODO confirm; a weighted
// condition would be closer to the source detection.
any of ($a_*)
}
// Exploit_WinNT_CVE-2013-0422_2: second variant; same structure as the first
// rule (header kept in meta, ASCII hex strings, "any of" condition) but keyed
// on file-write and reflection API names plus a download/drop pattern.
rule Exploit_WinNT_CVE-2013-0422_2{
meta:
description = "Exploit:WinNT/CVE-2013-0422,SIGNATURE_TYPE_JAVAHSTR_EXT,1e 00 1e 00 0b 00 00 05 00 "
strings :
// Java internal class names (benign code uses all of these).
$a_01_0 = {6a 61 76 61 2f 69 6f 2f 46 69 6c 65 4f 75 74 70 75 74 53 74 72 65 61 6d } //05 00 java/io/FileOutputStream
$a_01_1 = {6a 61 76 61 2f 6c 61 6e 67 2f 72 65 66 6c 65 63 74 2f 4d 65 74 68 6f 64 } //05 00 java/lang/reflect/Method
$a_01_2 = {6a 61 76 61 2f 6e 69 6f 2f 63 68 61 6e 6e 65 6c 73 2f 46 69 6c 65 43 68 61 6e 6e 65 6c } //05 00 java/nio/channels/FileChannel
$a_01_3 = {6a 61 76 61 2f 6c 61 6e 67 2f 52 75 6e 74 69 6d 65 } //02 00 java/lang/Runtime
// "reflect" <90 01 01> "Constructor": the 90 01 01 presumably stands for one
// wildcard byte (the '/' of reflect/Constructor) — TODO confirm the encoding.
// As written, YARA matches the 90 01 01 bytes literally.
$a_03_4 = {72 65 66 6c 65 63 74 90 01 01 43 6f 6e 73 74 72 75 63 74 6f 72 90 00 } //02 00
// "Constructor" <90 02 10> "newInstance" and ".php" <90 02 10> "?whole=": the
// latter is a URL fragment and the most sample-specific string here.
$a_03_5 = {43 6f 6e 73 74 72 75 63 74 6f 72 90 02 10 6e 65 77 49 6e 73 74 61 6e 63 65 90 00 } //02 00
$a_03_6 = {2e 70 68 70 90 02 10 3f 77 68 6f 6c 65 3d 90 00 } //02 00
// Generic tokens; on their own they match a very large amount of benign content.
$a_01_7 = {67 65 74 52 75 6e 74 69 6d 65 } //01 00 getRuntime
$a_01_8 = {2e 74 6d 70 } //01 00 .tmp
$a_01_9 = {2f 74 65 6d 70 2f } //01 00 /temp/
$a_01_10 = {68 74 74 70 3a 2f 2f } //00 00 http://
// NOTE(review): $a_00_11 contains "19 00 19 00 0d 00 00 05 00", the header of
// the third rule's description, followed by "java/lang/" — it looks like the
// next signature's leading bytes swept up as a string by the converter. Confirm
// before treating it as an indicator.
$a_00_11 = {bf 03 01 00 19 00 19 00 0d 00 00 05 00 25 01 6a 61 76 61 2f 6c 61 6e 67 2f } //69 6e
condition:
// One match suffices, and $a_01_10 ("http://") or $a_01_8 (".tmp") alone
// satisfies it, so this rule will fire on almost any file that contains a URL.
// Use it for tagging/hunting, not blocking. The trailing "//NN 00" values look
// like per-string weights that "any of" ignores — TODO confirm against the source format.
any of ($a_*)
}
// Exploit_WinNT_CVE-2013-0422_3: third variant. Its high-weight strings are the
// java.lang.invoke API names (MethodHandles$Lookup, MethodType, findVirtual,
// publicLookup) that are associated with the CVE-2013-0422 sandbox bypass,
// which makes this variant somewhat more specific than the other two — but the
// condition still accepts a single generic string (see below).
rule Exploit_WinNT_CVE-2013-0422_3{
meta:
description = "Exploit:WinNT/CVE-2013-0422,SIGNATURE_TYPE_JAVAHSTR_EXT,19 00 19 00 0d 00 00 05 00 "
strings :
// Java internal class names.
$a_01_0 = {6a 61 76 61 2f 6c 61 6e 67 2f 69 6e 76 6f 6b 65 2f 4d 65 74 68 6f 64 48 61 6e 64 6c 65 73 24 4c 6f 6f 6b 75 70 } //05 00 java/lang/invoke/MethodHandles$Lookup
$a_01_1 = {6a 61 76 61 2f 6c 61 6e 67 2f 69 6e 76 6f 6b 65 2f 4d 65 74 68 6f 64 54 79 70 65 } //05 00 java/lang/invoke/MethodType
$a_01_2 = {6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 4c 6f 61 64 65 72 } //02 00 java/lang/ClassLoader
// "Temp" <90 02 10> "exeput" <90 00> — same string as $a_03_5 of the first
// rule; the 90 xx bytes presumably encode a gap and terminator — TODO confirm.
$a_03_3 = {54 65 6d 70 90 02 10 65 78 65 70 75 74 90 00 } //02 00
// Method names and sample-specific local identifiers (localClass1,
// localMethodType1, localMethodHandle, botr444zano5); the local* names read
// like decompiler output naming and are the most selective strings here.
$a_01_4 = {6c 6f 63 61 6c 4d 65 74 68 6f 64 48 61 6e 64 6c 65 } //01 00 localMethodHandle
$a_01_5 = {70 75 62 6c 69 63 4c 6f 6f 6b 75 70 } //01 00 publicLookup
$a_01_6 = {66 69 6e 64 56 69 72 74 75 61 6c } //01 00 findVirtual
$a_01_7 = {6c 6f 63 61 6c 43 6c 61 73 73 31 } //01 00 localClass1
$a_01_8 = {6c 6f 63 61 6c 4d 65 74 68 6f 64 54 79 70 65 31 } //02 00 localMethodType1
$a_01_9 = {62 6f 74 72 34 34 34 7a 61 6e 6f 35 } //02 00 botr444zano5
// Generic tokens; each alone is enough to satisfy the condition.
$a_01_10 = {2e 74 6d 70 } //02 00 .tmp
$a_01_11 = {2f 74 65 6d 70 2f } //01 00 /temp/
$a_01_12 = {68 74 74 70 3a 2f 2f } //00 00 http://
// NOTE(review): $a_00_13 does not decode to ASCII and, like the $a_00_* entries
// of the first two rules, looks like trailing signature metadata rather than a
// content indicator — confirm against the converter before keeping it.
$a_00_13 = {5d 04 00 00 9c f9 02 80 5c 21 00 00 9d f9 02 80 00 00 01 00 08 } //00 0b
condition:
// Single-string match. $a_01_12 ("http://"), $a_01_10 (".tmp") or $a_01_2
// (java/lang/ClassLoader) alone triggers the rule, so hits need triage; the
// java/lang/invoke strings together are the meaningful signal. The "//NN 00"
// values next to each string look like weights the original signature summed
// against the header's "19 00" — TODO confirm; "any of" does not reproduce that.
any of ($a_*)
}