
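// Exploit:Win64/CVE-2021-21551.B!MTB — a Defender PEHSTR_EXT signature
// rendered as a YARA rule. The meta.description field keeps the original
// signature header verbatim (name, signature type, threshold/weight bytes).
//
// NOTE(review): every string below contains `90 01 NN` sequences and ends in
// `90 00`. These look like control codes carried over from the source
// signature format rather than real instruction bytes — presumably "skip NN
// bytes" and "end of pattern" — that were not translated into YARA wildcards
// (`??` / `[N]`). Each `90 01 NN` sits exactly where an NN-byte operand would
// follow `48 8d` (LEA with rip-relative disp32), `e8` (CALL rel32) or
// `ff 15` (indirect CALL), which supports that reading. As written the rule
// requires the literal bytes 90 01 05 to be present, so it is unlikely to
// fire on the code it describes — TODO confirm the encoding against the
// signature format before rewriting the patterns.
rule Exploit_Win64_CVE-2021-21551_B_MTB
{
    meta:
        description = "Exploit:Win64/CVE-2021-21551.B!MTB,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "

    strings:
        // Four code-fragment patterns, each with weight 1 in the source
        // signature (the trailing `//1` is that weight). Bytes are kept
        // exactly as exported.
        $a_03_0 = {48 33 c4 48 89 85 68 01 00 00 48 8d 90 01 05 e8 90 01 04 48 8d 90 01 05 4c 8b f8 e8 90 01 04 49 8b d7 48 8d 90 01 05 4c 8b f0 e8 90 01 04 49 8b d6 48 8d 90 01 05 e8 90 01 04 45 33 ed 48 8d 90 01 05 4c 89 6c 24 30 45 33 c9 44 89 6c 24 28 45 33 c0 c7 44 24 20 03 00 00 00 90 00 } //1
        $a_03_1 = {49 8b d6 48 8d 90 01 05 e8 90 01 04 48 b8 ff ff ff ff ff ff ff 0f 48 8d 90 01 05 4c 23 e0 49 8b d4 e8 90 01 04 45 33 ed 48 89 b5 10 01 00 00 4c 89 6c 24 38 48 8d 90 01 03 48 89 44 24 30 4c 8d 90 01 05 48 8d 90 01 05 c7 44 24 28 20 00 00 00 48 bb 41 41 41 41 41 41 41 41 48 89 44 24 20 45 8d 90 01 02 48 89 9d 08 01 00 00 ba c8 1e 0c 9b 4c 89 ad 18 01 00 00 48 8b cf 4c 89 a5 20 01 00 00 44 89 6c 24 54 ff 15 90 00 } //1
        $a_03_2 = {48 8b d3 48 8d 90 01 05 e8 90 01 04 48 8d 90 01 03 44 89 6c 24 48 b9 34 12 00 00 90 01 02 4c 89 6c 24 38 4c 8d 90 01 05 48 b8 41 41 41 41 41 41 41 41 48 89 b5 50 01 00 00 48 89 85 48 01 00 00 41 b9 20 00 00 00 48 8d 90 01 03 4c 89 ad 58 01 00 00 48 89 44 24 30 ba c8 1e 0c 9b 48 8d 90 01 05 c7 44 24 28 20 00 00 00 48 8b cf 48 89 44 24 20 4c 89 bd 60 01 00 00 44 89 6c 24 44 ff 15 90 00 } //1
        $a_03_3 = {48 89 5c 24 20 55 48 8b ec 48 83 ec 20 48 8b 05 c0 2e 00 00 48 bb 32 a2 df 2d 99 2b 00 00 48 3b c3 90 01 02 48 83 65 18 00 48 8d 90 01 02 ff 15 90 01 04 48 8b 45 18 48 89 45 10 ff 15 90 01 04 8b c0 48 31 45 10 ff 15 90 01 04 8b c0 48 8d 90 01 02 48 31 45 10 ff 15 90 01 04 8b 45 20 48 8d 90 01 02 48 c1 e0 20 48 33 45 20 48 33 45 10 48 33 c1 48 b9 ff ff ff ff ff ff 00 00 48 23 c1 48 b9 33 a2 df 2d 99 2b 00 00 48 3b c3 48 0f 44 c1 90 00 } //1

    condition:
        // The exported condition was
        //   ((#a_03_0 & 1)*1 + (#a_03_1 & 1)*1 + (#a_03_2 & 1)*1 + (#a_03_3 & 1)*1) >= 4
        // `#a & 1` is the low bit of the match count, not "present": a pattern
        // that occurs an even number of times contributes 0 and the rule
        // silently fails to fire. With four weight-1 patterns and a threshold
        // of 4 the intended meaning is "every pattern present", which is what
        // `all of` expresses without the count-parity bug.
        all of ($a_03_*)
}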