
// Converted from a Microsoft Defender signature: the meta description keeps the
// Defender name "Exploit:MacOS/CVE-2017-5753.A!xp" and the signature type
// SIGNATURE_TYPE_MACHOHSTR_EXT (presumably a Mach-O string signature).
// CVE-2017-5753 is Spectre variant 1 (bounds-check bypass). The $a_00_* strings
// below are the symbol/format strings of the widely circulated Spectre
// proof-of-concept source, so this rule identifies PoC/test builds of that code,
// not a weaponised payload; treat hits as triage candidates, not verdicts.
rule Exploit_MacOS_CVE-2017-5753_A_xp{
meta:
// The trailing hex ("04 00 04 00 05 00 00 01 00") is copied verbatim from the
// Defender signature header; its field meaning is not documented in this file.
description = "Exploit:MacOS/CVE-2017-5753.A!xp,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 05 00 00 01 00 "
strings :
// $a_00_* are plain ASCII (decoded in each line's trailing comment). The same
// strings occur in benign research/teaching builds of the PoC, so any one of
// them on its own is weak evidence.
$a_00_0 = {5f 76 69 63 74 69 6d 5f 66 75 6e 63 74 69 6f 6e } //01 00 _victim_function
$a_00_1 = {52 65 61 64 69 6e 67 20 61 74 20 6d 61 6c 69 63 69 6f 75 73 5f 78 20 3d 20 25 70 } //01 00 Reading at malicious_x = %p
$a_00_2 = {72 65 61 64 4d 65 6d 6f 72 79 42 79 74 65 } //01 00 readMemoryByte
// $a_02_* are x86-64 code fragments. The byte triples "90 01 xx" and the trailing
// "90 00" appear to be Defender pattern-language markers (xx wildcard bytes /
// end of pattern) rather than literal bytes: in $a_02_3, "48 8d 05" is
// lea rax,[rip+rel32], which only decodes cleanly if "90 01 02" stands for two
// wildcard bytes ("?? ?? 00 00"). Taken literally, as YARA reads them here, these
// two strings are unlikely to ever match real code.
// TODO(review): confirm against the converter and, if so, rewrite the markers as
// YARA "??" wildcards and drop the trailing "90 00".
$a_02_3 = {48 63 45 d4 48 3d 00 00 02 00 0f 83 1d 00 00 00 48 8d 05 90 01 02 00 00 48 63 4d d4 c6 04 08 01 8b 45 d4 83 c0 01 89 45 d4 e9 d3 ff ff ff 90 00 } //01 00
$a_02_4 = {f7 f9 83 ea 01 81 e2 00 00 ff ff 48 63 f2 48 89 75 b0 48 8b 75 b0 48 8b 7d b0 48 c1 ef 10 48 09 fe 48 89 75 b0 48 8b 75 b8 48 8b 7d b0 4c 8b 45 e8 4c 33 45 b8 4c 21 c7 48 31 fe 48 89 75 b0 48 8b 7d b0 e8 90 01 01 78 46 45 ff ff 8b 45 cc 83 c0 ff 89 45 cc e9 90 01 01 ff ff ff 90 00 } //00 00
// NOTE(review): a 3-byte pattern whose trailing comment ("00 e8") differs from
// the "01 00"/"00 00" on the other strings; it may be a conversion artifact
// rather than a real atom. Three arbitrary bytes will occur in many unrelated
// files.
$a_00_5 = {5d 04 00 } //00 e8
condition:
// A single matching string is enough to fire. Because $a_00_5 is only three
// bytes, this condition makes the rule very false-positive prone on its own;
// corroborate with the $a_00_* text strings before acting on a hit.
any of ($a_*)
}