
// Mach-O string signature for the limera1n exploit tooling
// (Exploit:MacOS/LimeRain.D!MTB). Every pattern is a plain ASCII
// symbol or log-message name taken from the exploit/restore code
// rather than a byte-level code pattern, so the rule is written with
// text strings; each one matches exactly the same bytes as the
// original hex form.
rule Exploit_MacOS_LimeRain_D_MTB
{
    meta:
        // Header bytes carried over from the Defender signature; YARA does not
        // interpret them (their meaning is not documented here).
        description = "Exploit:MacOS/LimeRain.D!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,06 00 06 00 06 00 00 01 00 "

    strings:
        // Case-sensitive ASCII, no wildcards. The "01 00" / "00 00" values that
        // accompanied each string in the source listing are presumably
        // per-string attributes from the Defender format; they play no role
        // in this rule's evaluation.
        $a_01_0 = "Sending fake data" ascii                 // log message
        $a_01_1 = "device_info_from_device_record" ascii    // helper name
        $a_01_2 = "limera1n_exploit" ascii                  // function name
        $a_01_3 = "idevicerestore-limera1n" ascii           // tool identifier
        $a_01_4 = "limera1n_payload" ascii                  // symbol name
        $a_01_5 = "irecv_trigger_limera1n_exploit" ascii    // function name

    condition:
        // A single hit is enough. When triaging, weight a lone $a_01_0 match
        // ("Sending fake data") lower than the limera1n-specific names, since
        // it is the least distinctive string in the set.
        any of them
}