

// Defender HSTR signature rendered as a YARA rule. The meta description keeps
// the original signature name, signature type and raw header bytes verbatim.
// NOTE(review): the rule identifier contains '-' characters, which standard
// YARA compilers do not accept in identifiers; it is kept as generated because
// renaming would change the rule's identity -- confirm how the consuming
// toolchain loads these names.
rule Exploit_MacOS_CVE-2021-30937_B_MTB {
    meta:
        description = "Exploit:MacOS/CVE-2021-30937.B!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,05 00 05 00 05 00 00 01 00 "

    strings:
        // Same byte sequences as the generated hex strings, written as plain
        // ASCII text. YARA text strings are exact, case-sensitive byte matches
        // by default, so matching behaviour is unchanged. The generated file
        // annotated each string with a weight-style suffix ("01 00", last one
        // "00 00"), which is not part of the rule logic.
        $a_01_0 = "install-trollstore"
        $a_01_1 = "kheap_data_idx:"
        $a_01_2 = "/private/preboot/tmp"
        $a_01_3 = "Exploiting"
        $a_01_4 = "Run exploit only once per boot"

    condition:
        // A single hit on any string is enough, including generic ones such as
        // "Exploiting". NOTE(review): the "05 00 05 00" fields in the meta
        // header look like a per-signature match threshold -- confirm the
        // intended threshold against the source signature before using this
        // rule for alerting on its own.
        any of them
}