
// Microsoft Defender detection Exploit:MacOS/CVE-2016-4625.A!xp, exported to YARA.
// The meta description carries the original signature type (SIGNATURE_TYPE_MACHOHSTR_EXT,
// i.e. a Mach-O string signature) followed by a raw header "05 00 05 00 07 00 00 01 00";
// NOTE(review): that header presumably encodes the engine's match threshold and
// string count, and the trailing "//01 00" annotations on each string look like
// per-string weights — confirm against the Defender signature format before relying on them.
rule Exploit_MacOS_CVE-2016-4625_A_xp{
meta:
description = "Exploit:MacOS/CVE-2016-4625.A!xp,SIGNATURE_TYPE_MACHOHSTR_EXT,05 00 05 00 07 00 00 01 00 "
strings :
// Path of a stock macOS tool; a string like this is likely present in benign
// binaries too, so on its own it is a weak indicator (see the condition below).
$a_00_0 = {2f 75 73 72 2f 73 62 69 6e 2f 74 72 61 63 65 72 6f 75 74 65 36 } //01 00 /usr/sbin/traceroute6
// Diagnostic/log messages emitted by the exploit binary; decoded ASCII is given
// in the trailing comment of each line.
$a_00_1 = {61 6c 6c 6f 63 61 74 65 64 20 73 68 65 6c 6c 63 6f 64 65 20 69 6e 20 74 61 72 67 65 74 20 61 74 20 25 6c 6c 78 } //01 00 allocated shellcode in target at %llx
$a_00_2 = {69 6e 73 65 72 74 69 6e 67 20 4d 41 4b 45 5f 53 45 4e 44 20 69 6e 74 6f 20 73 68 61 72 65 64 20 70 6f 72 74 } //01 00 inserting MAKE_SEND into shared port
// Raw code bytes from the sample (appear to be x86-64 instruction sequences; not
// decoded here). Being exact byte matches, they are brittle against recompilation
// but are the most specific strings in this rule.
$a_00_3 = {8b 85 2c ff ff ff 83 f8 00 0f 85 2c 00 00 00 be fe 1b 00 00 b9 01 00 00 80 41 b8 0d 00 00 00 8b bd 48 ff ff ff 8b 95 44 ff ff ff e8 91 07 00 00 89 85 2c ff ff ff e9 c5 ff ff ff } //01 00
// Symbol names from the sample's symbol table.
$a_00_4 = {5f 73 70 6c 6f 69 74 5f 63 68 69 6c 64 } //01 00 _sploit_child
$a_00_5 = {5f 73 70 6c 6f 69 74 5f 70 61 72 65 6e 74 } //01 00 _sploit_parent
$a_00_6 = {48 8d 45 c8 b9 86 52 49 00 ba dc 75 25 00 be 60 cf fe 8c 48 8b 3d 29 0e 00 00 45 31 c0 41 b9 28 00 00 00 45 89 ca 49 89 c3 48 89 7d c0 4c 89 df 89 75 bc 44 89 c6 89 55 b8 4c 89 d2 48 89 45 b0 89 4d ac e8 45 08 00 00 c7 45 cc 28 00 00 00 8b 4d f4 89 4d d4 8b 4d fc 89 4d d0 c7 45 c8 13 15 00 80 c7 45 e0 01 00 00 00 48 8b 45 c0 8b 08 89 4d e4 8b 4d ec 8b 75 bc 81 c6 9f 30 02 72 21 f1 8b 75 b8 81 ee dc 75 12 00 09 f1 89 4d ec 8b 4d ec 8b 75 ac 44 6b c6 03 44 21 c1 89 4d ec 48 8b 7d b0 e8 b6 07 00 00 89 45 f8 83 7d f8 00 } //00 00
condition:
// Fires on any single string, including $a_00_0 alone. The exported condition does
// not reproduce whatever weighting/threshold the original HSTR signature applied,
// so treat a hit on $a_00_0 by itself as low confidence and corroborate with the
// other strings (e.g. the _sploit_* symbols or the code-byte patterns).
any of ($a_*)
}