
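// Exploit:AndroidOS/CVE-2011-1823 -- strings characteristic of the
// GingerBreak-style Android root exploit that abuses vold via netlink
// uevents ("gingerbreak/files/boomsh", "/system/bin/vold",
// "/proc/net/netlink", "Gingerbreak/Honeybomb", "Android Exploid Crew").
//
// Every string carries weight 1 (the trailing "//1" on each line) and the
// original Defender signature fires when the weighted sum is >= 7, i.e.
// when at least 7 of the 9 artifacts are present in the scanned file.
//
// FIX: the converted condition computed the sum as
//     (#a_01_0 & 1)*1 + (#a_01_1 & 1)*1 + ...
// but `#x & 1` is the LOW BIT of the match count, not "present": a string
// that occurs an even number of times (e.g. a format string referenced
// twice) contributes 0 and can silently push a true positive below the
// threshold. `7 of ($a_*)` expresses the intended "present or not"
// semantics with the same threshold and is deterministic in the number
// of occurrences.
rule Exploit_AndroidOS_CVE-2011-1823{
    meta:
        description = "Exploit:AndroidOS/CVE-2011-1823,SIGNATURE_TYPE_ELFHSTR_EXT,08 00 07 00 09 00 00 "
    strings :
        // Paths and files the exploit touches on the device.
        $a_01_0 = {2f 73 79 73 74 65 6d 2f 62 69 6e 2f 76 6f 6c 64 } //1 /system/bin/vold
        $a_01_1 = {2f 70 72 6f 63 2f 6e 65 74 2f 6e 65 74 6c 69 6e 6b } //1 /proc/net/netlink
        $a_01_2 = {2f 70 72 6f 63 2f 25 64 2f 63 6d 64 6c 69 6e 65 } //1 /proc/%d/cmdline
        $a_01_3 = {2f 65 74 63 2f 76 6f 6c 64 2e 66 73 74 61 62 } //1 /etc/vold.fstab
        // Build/payload path embedded by the exploit author.
        $a_01_4 = {67 69 6e 67 65 72 62 72 65 61 6b 2f 66 69 6c 65 73 2f 62 6f 6f 6d 73 68 } //1 gingerbreak/files/boomsh
        // sysfs device path used as the fake DEVPATH.
        $a_01_5 = {64 65 76 69 63 65 73 2f 70 6c 61 74 66 6f 72 6d 2f 6d 73 6d 5f 73 64 63 63 2e 32 2f 6d 6d 63 5f 68 6f 73 74 2f 6d 6d 63 31 } //1 devices/platform/msm_sdcc.2/mmc_host/mmc1
        // Crafted netlink uevent format string; the %c placeholders are the
        // NUL separators of the uevent message, "DEVTYPE=harder" is a
        // hallmark of this exploit.
        $a_01_6 = {41 43 54 49 4f 4e 3d 61 64 64 25 63 53 55 42 53 59 53 54 45 4d 3d 62 6c 6f 63 6b 25 63 44 45 56 50 41 54 48 3d 25 73 25 63 4d 41 4a 4f 52 3d 31 37 39 25 63 4d 49 4e 4f 52 3d 25 64 25 63 44 45 56 54 59 50 45 3d 68 61 72 64 65 72 25 63 50 41 52 54 4e } //1 ACTION=add%cSUBSYSTEM=block%cDEVPATH=%s%cMAJOR=179%cMINOR=%d%cDEVTYPE=harder%cPARTN
        // Attribution / banner strings left in the binary.
        $a_00_7 = {41 6e 64 72 6f 69 64 20 45 78 70 6c 6f 69 64 20 43 72 65 77 } //1 Android Exploid Crew
        $a_01_8 = {47 69 6e 67 65 72 62 72 65 61 6b 2f 48 6f 6e 65 79 62 6f 6d 62 } //1 Gingerbreak/Honeybomb
    condition:
        // At least 7 distinct artifacts present (all weights are 1, threshold 7).
        7 of ($a_*)
}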