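/*
 * Flags content that embeds all four kfd-related identifiers listed below
 * (a header path and three function/label names, shown as ASCII in the
 * per-string comments).
 *
 * The description string carries the detection name and the signature type
 * MACHOHSTR_EXT; the trailing "04 00 04 00 04 00 00" looks like a
 * threshold/count header (presumably threshold 4 over 4 strings, unverified).
 *
 * Caveats for triage:
 *  - There is no file-type gate. Any scanned file holding the four byte
 *    sequences matches, including source trees, write-ups, and this rule's
 *    own text (the ASCII comments below contain every string). For
 *    file-based scanning, consider additionally requiring a Mach-O magic
 *    at offset 0, e.g. uint32(0) == 0xfeedfacf.
 *  - The strings are plain build artefacts (a path and symbol names), so a
 *    miss does not show that a sample is free of this code.
 */
rule Exploit_MacOS_Kfd_A_MTB
{
    meta:
        description = "Exploit:MacOS/Kfd.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 04 00 00 "

    strings:
        // The original listing tagged each string "//1", presumably a weight of 1.
        $a_01_0 = { 6c 69 62 6b 66 64 2f 70 75 61 66 2e 68 }             // libkfd/puaf.h
        $a_01_1 = { 70 68 79 73 70 75 70 70 65 74 5f 72 75 6e }          // physpuppet_run
        $a_01_2 = { 66 6f 75 6e 64 5f 74 61 72 67 65 74 5f 68 6f 6c 65 } // found_target_hole
        $a_01_3 = { 73 6d 69 74 68 5f 72 75 6e }                         // smith_run

    condition:
        // Require every string at least once. The previous form summed
        // (#count & 1) per string, which is the parity of the match count:
        // a string occurring an even number of times contributed 0, the sum
        // stayed below 4, and the sample was missed.
        all of ($a_01_*)
}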