

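// Exploit:iPhoneOS/Kappotoma.E!MTB
//
// Converted from a Microsoft Defender signature (description names the type
// SIGNATURE_TYPE_MACHOHSTR_EXT, a string-based signature type; the "08 ... 0b"
// bytes in the description look like the threshold 8 and the string count 11,
// which matches the condition below — not verified against the source format).
//
// Every $a_00_N is a plain ASCII string written in hex form with no wildcards,
// so each one matches exactly the literal named in its trailing comment. The
// "//1" is the per-string weight from the original signature; all weights are 1,
// so the rule is a simple "at least 8 of 11 strings present" heuristic and is
// evaded by changing any of the strings — treat a hit as a triage lead, not proof.
rule Exploit_iPhoneOS_Kappotoma_E_MTB
{
    meta:
        description = "Exploit:iPhoneOS/Kappotoma.E!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,08 00 08 00 0b 00 00 "

    strings:
        // Function/selector-style names: keychain item enumeration, time stamping,
        // OS version, serial number, device name and lock-screen state queries.
        $a_00_0 = {47 65 74 4b 65 79 63 68 61 69 6e 49 74 65 6d 73 4f 66 53 65 63 43 6c 61 73 73 } //1 GetKeychainItemsOfSecClass
        $a_00_1 = {47 65 74 43 75 72 72 65 6e 74 54 69 6d 65 57 69 74 68 46 6f 72 6d 61 74 } //1 GetCurrentTimeWithFormat
        $a_00_2 = {47 65 74 49 4f 53 56 65 72 73 69 6f 6e } //1 GetIOSVersion
        $a_00_3 = {47 65 74 53 65 72 69 61 6c 4e 75 6d 62 65 72 } //1 GetSerialNumber
        $a_00_4 = {47 65 74 44 65 76 69 63 65 4e 61 6d 65 } //1 GetDeviceName
        $a_00_5 = {49 73 4c 6f 63 6b 73 63 72 65 65 6e 4f 6e } //1 IsLockscreenOn

        // Status/log messages emitted around the exploitation stage.
        $a_00_6 = {50 65 72 66 6f 72 6d 69 6e 67 20 65 78 70 6c 6f 69 74 61 74 69 6f 6e 2e 2e } //1 Performing exploitation..
        $a_00_7 = {45 78 70 6c 6f 69 74 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 } //1 Exploited successfully
        $a_00_8 = {65 78 70 6c 6f 69 74 20 73 74 61 72 74 65 64 } //1 exploit started
        $a_00_9 = {46 69 6e 69 73 68 65 64 20 65 78 70 6c 6f 69 74 61 74 69 6f 6e 2c 20 67 6f 69 6e 67 20 74 6f 20 67 65 74 20 61 64 76 61 6e 63 65 64 20 70 72 69 76 69 6c 65 67 65 73 2e } //1 Finished exploitation, going to get advanced privileges.

        // Embedded code-signing identity in the "iPhone Developer: <email> (<team id>)"
        // format; useful as a pivot when triaging a hit, but trivially changed by a re-sign.
        $a_00_10 = {69 50 68 6f 6e 65 20 44 65 76 65 6c 6f 70 65 72 3a 20 69 69 65 64 65 76 40 69 63 6c 6f 75 64 2e 63 6f 6d 20 28 37 46 34 33 46 46 41 55 46 34 29 } //1 iPhone Developer: iiedev@icloud.com (7F43FFAUF4)

    condition:
        // The generated form `(#a_00_N & 1)*1` adds 1 only when the occurrence
        // count is ODD (#a is a count, not a boolean), so a string present
        // exactly twice contributed 0 and could drop a true positive below the
        // threshold. The weights encode presence, so count each string once if
        // it occurs at all.
        8 of ($a_00_*)
}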