17 lines
1.2 KiB
Plaintext
17 lines
1.2 KiB
Plaintext
|
|
rule Exploit_MacOS_LimeRain_B_MTB{
|
|
meta:
|
|
description = "Exploit:MacOS/LimeRain.B!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,08 00 08 00 06 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {69 50 77 6e 64 65 72 33 32 } //01 00 iPwnder32
|
|
$a_00_1 = {5f 6c 69 6d 65 72 61 31 6e 5f 65 78 70 6c 6f 69 74 } //01 00 _limera1n_exploit
|
|
$a_00_2 = {5f 67 65 74 5f 65 78 70 6c 6f 69 74 5f 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e } //02 00 _get_exploit_configuration
|
|
$a_03_3 = {48 8b bd 48 f7 ff ff e8 e1 86 05 00 bf e8 03 00 00 e8 17 89 05 00 89 85 e8 f4 ff ff 48 8d 3d da b4 05 00 b0 00 e8 07 88 05 00 48 8b bd d0 f7 ff ff 89 85 e4 f4 ff ff e8 6d ac ff ff c7 85 dc f7 ff ff 90 02 05 89 85 e0 f4 ff ff 90 00 } //02 00
|
|
$a_03_4 = {8b 85 ec f7 ff ff 48 8b 0d 9c 11 07 00 48 8b 09 48 8b 55 f8 48 39 d1 89 85 f0 f6 ff ff 90 02 10 8b 85 f0 f6 ff ff 48 81 c4 20 09 00 00 5d c3 90 00 } //02 00
|
|
$a_03_5 = {48 89 95 80 fe ff ff 48 89 8d 78 fe ff ff 48 8b 3d 56 52 07 00 e8 90 02 05 48 8b 8d 80 fe ff ff 48 89 01 48 8b 05 40 52 07 00 48 8b 8d 78 fe ff ff 48 89 01 48 8b 85 80 fe ff ff 48 8b 38 48 8b 15 25 52 07 00 48 8d 35 3e bf 06 00 90 00 } //00 00
|
|
$a_00_6 = {5d 04 00 00 0e 1b } //05 80
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |