

// Exploit:MacOS/CVE-2021-4034.C!MTB — a YARA rendering of a Microsoft Defender
// MACHOHSTR_EXT signature. The meta description keeps the original signature
// header verbatim; the trailing "04 00 04 00 05 00 00 01 00" bytes and the
// "// NN 00" marker after each string are carried over from that header.
// NOTE(review): those markers look like per-string weights with a match
// threshold in the header; if so, "any of" below is looser than the original
// engine logic. Confirm against the converter before tightening the condition.
// NOTE(review): the hyphens in the rule name are not valid YARA identifier
// characters, so stock YARA will refuse to compile this rule unless it is
// renamed (e.g. CVE_2021_4034); the name is left as-is here to keep it stable.
rule Exploit_MacOS_CVE-2021-4034_C_MTB
{
    meta:
        description = "Exploit:MacOS/CVE-2021-4034.C!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 05 00 00 01 00 "

    strings:
        // Symbol and path strings written as plain text strings. With no
        // modifiers a text string matches exactly the ASCII bytes, so these
        // are byte-for-byte equivalent to the hex form they were derived from.
        $a_00_0 = "/vul/poc-cve-2021-4034-main"        // 01 00
        $a_00_1 = "syscall.libc_execve_trampoline"     // 01 00
        $a_00_2 = "_cgoexp_5894bb9eb0fa_gconv"         // 02 00
        $a_00_3 = "main.gconv_init"                    // 03 00

        // Raw code bytes (not decoded here); kept as a hex string, 16 per line.
        $a_00_4 = {
            65 48 8b 0c 25 30 00 00 00 48 8d 44 24 f0 48 3b
            41 10 0f 86 4b 01 00 00 48 81 ec 90 00 00 00 48
            89 ac 24 88 00 00 00 48 8d ac 24 88 00 00 00 48
            8d 05 2a 76 05 00 48 89 04 24 48 8b 84 24 a0 00
            00 00 48 89 44 24 08 48 89 44 24 10 e8 cf 93 f6
            ff 48 8b 44 24 18 48 8b 8c 24 a0 00 00 00 66 90
            48 85 c9 0f 8e f5 00 00 00 48 89 44 24 30 48 8b
            94 24 98 00 00 00 31 db
        }                                               // 00 00

    condition:
        // Any single string is enough to fire (see the note on weights above).
        any of ($a_*)
}