20 lines
2.3 KiB
Plaintext
20 lines
2.3 KiB
Plaintext
|
|
rule Exploit_MacOS_DirtyCow_C_MTB{
|
|
meta:
|
|
description = "Exploit:MacOS/DirtyCow.C!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,06 00 06 00 0a 00 00 05 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {28 00 80 52 e8 43 03 39 e0 37 40 f9 01 00 80 d2 d0 1d 00 94 60 03 40 b9 e1 87 40 b9 7c 1d 00 94 60 03 40 b9 e1 83 40 b9 79 1d 00 94 60 03 40 b9 e2 3b 40 f9 e1 03 14 aa 2c 1e 00 94 60 03 40 b9 e1 2b 40 f9 e2 3b 40 f9 28 1e 00 94 40 03 40 f9 e9 17 40 f9 e8 1b 40 f9 e8 a7 00 a9 e8 1f 40 f9 e8 03 00 f9 81 ef 03 70 1f 20 03 d5 53 1d 00 94 40 03 40 f9 28 00 80 52 f3 23 00 a9 01 f1 03 70 1f 20 03 d5 } //05 00
|
|
$a_00_1 = {60 03 40 b9 e1 03 01 91 e2 03 14 aa 63 00 80 52 03 08 a0 72 e4 03 16 aa 05 00 80 52 ab 1e 00 94 e8 3b 40 f9 e8 23 00 f9 60 03 40 b9 e1 03 01 91 e2 03 14 aa 23 00 80 52 03 08 a0 72 e4 03 16 aa 05 00 80 52 a1 1e 00 94 e2 23 40 f9 e8 3b 40 f9 5f 00 08 eb 00 01 00 54 43 03 40 f9 40 11 04 70 1f 20 03 d5 a1 02 80 52 22 00 80 52 94 1e 00 94 e2 3b 40 f9 } //01 00
|
|
$a_00_2 = {76 6d 5f 72 65 61 64 5f 6f 76 65 72 77 72 69 74 65 3a 20 4b 45 52 4e 5f 53 55 43 43 45 53 53 3a 25 64 20 4b 45 52 4e 5f 50 52 4f 54 45 43 54 49 4f 4e 5f 46 41 49 4c 55 52 45 3a 25 64 20 6f 74 68 65 72 3a 25 64 } //01 00 vm_read_overwrite: KERN_SUCCESS:%d KERN_PROTECTION_FAILURE:%d other:%d
|
|
$a_00_3 = {2f 75 73 72 2f 62 69 6e 2f 73 65 64 20 2d 65 20 22 73 2f 72 6f 6f 74 6f 6b 2f 70 65 72 6d 69 74 2f 67 22 20 2f 65 74 63 } //01 00 /usr/bin/sed -e "s/rootok/permit/g" /etc
|
|
$a_00_4 = {76 6d 5f 75 6e 61 6c 69 67 6e 65 64 5f 63 6f 70 79 5f 73 77 69 74 63 68 5f 72 61 63 65 } //01 00 vm_unaligned_copy_switch_race
|
|
$a_00_5 = {52 61 6e 20 25 64 20 74 69 6d 65 73 20 69 6e 20 25 6c 64 20 73 65 63 6f 6e 64 73 20 77 69 74 68 20 6e 6f 20 66 61 69 6c 75 72 65 } //01 00 Ran %d times in %ld seconds with no failure
|
|
$a_00_6 = {44 79 6e 61 6d 69 63 43 6f 77 2f 43 6f 6e 74 65 6e 74 56 69 65 77 } //01 00 DynamicCow/ContentView
|
|
$a_00_7 = {63 61 6d 65 72 61 5f 73 68 75 74 74 65 72 5f 62 75 72 73 74 5f 65 6e 64 } //01 00 camera_shutter_burst_end
|
|
$a_00_8 = {63 6f 6d 2e 61 70 70 6c 65 2e 4d 6f 62 69 6c 65 47 65 73 74 61 6c 74 2e 70 6c 69 73 74 } //01 00 com.apple.MobileGestalt.plist
|
|
$a_00_9 = {5f 61 76 61 69 6c 61 62 69 6c 69 74 79 5f 76 65 72 73 69 6f 6e 5f 63 68 65 63 6b } //00 00 _availability_version_check
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |