

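// Exploit:WinNT/CVE-2012-4681.ALD - Java sandbox escape (the 2012 java.beans /
// sun.awt.SunToolkit reflection chain), converted from a Microsoft Defender
// SIGNATURE_TYPE_JAVAHSTR_EXT signature.
//
// Every $a_01_0 .. $a_01_20 pattern is a Java class-file CONSTANT_Utf8 constant-pool
// entry: tag 0x01, big-endian u16 length, then the UTF-8 bytes.  The leading
// "01 00 <len>" anchors the match to a real constant-pool record rather than the bare
// text, so a .java source or a log line containing the same name does not match.
// Taken together they are the class, method and descriptor names a class needs in
// order to build a ProtectionDomain holding AllPermission, wrap it in an
// AccessControlContext, and drive System.setSecurityManager through a
// java.beans.Statement.  $a_01_21 is a bytecode fragment of that routine.
//
// Condition: the Defender header bytes "16 00 16 00 16 00 00 01 00" (threshold
// 0x16 = 22, total weight 22, 22 strings) plus the "01 00" weight recorded after each
// string indicate that every one of the 22 strings is required; `all of` reproduces
// that.  The lossy `any of ($a_*)` that the conversion emitted fired on almost every
// .class file in existence, because $a_01_15 ("java/lang/Object"), $a_01_17 ("<init>")
// and $a_01_11 ("java/lang/System") are present in practically all of them.
//
// Caveat for scanning: these are raw class-file bytes.  A class stored deflated inside
// a JAR is not matched unless the scanner (or a YARA archive module) inflates the
// entries first; scan extracted .class files or memory-loaded classes.
rule Exploit_WinNT_CVE-2012-4681_ALD
{
    meta:
        description = "Exploit:WinNT/CVE-2012-4681.ALD,SIGNATURE_TYPE_JAVAHSTR_EXT,16 00 16 00 16 00 00 01 00 "
    strings:
        // "(Ljava/security/Permission;)V" - descriptor of a void method taking one
        // Permission, e.g. Permissions.add(Permission)
        $a_01_0 = {01 00 1d 28 4c 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 65 72 6d 69 73 73 69 6f 6e 3b 29 56 } //01 00
        // "java/security/Permissions"
        $a_01_1 = {01 00 19 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 65 72 6d 69 73 73 69 6f 6e 73 } //01 00
        // "setSecurityManager" - the method name the exploit invokes reflectively to
        // drop the applet sandbox
        $a_01_2 = {01 00 12 73 65 74 53 65 63 75 72 69 74 79 4d 61 6e 61 67 65 72 } //01 00
        // "(Ljava/lang/Object;Ljava/lang/String;[Ljava/lang/Object;)V" - descriptor of
        // the java.beans.Statement(Object target, String methodName, Object[] args)
        // constructor
        $a_01_3 = {01 00 3a 28 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 3b 5b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b 29 56 } //01 00
        // "(Ljava/security/CodeSource;Ljava/security/PermissionCollection;)V" -
        // descriptor of the ProtectionDomain(CodeSource, PermissionCollection) constructor
        $a_01_4 = {01 00 41 28 4c 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 43 6f 64 65 53 6f 75 72 63 65 3b 4c 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 65 72 6d 69 73 73 69 6f 6e 43 6f 6c 6c 65 63 74 69 6f 6e 3b 29 56 } //01 00
        // "java/security/cert/Certificate"
        $a_01_5 = {01 00 1e 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 63 65 72 74 2f 43 65 72 74 69 66 69 63 61 74 65 } //01 00
        // "(Ljava/net/URL;[Ljava/security/cert/Certificate;)V" - descriptor of the
        // CodeSource(URL, Certificate[]) constructor
        $a_01_6 = {01 00 32 28 4c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c 3b 5b 4c 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 63 65 72 74 2f 43 65 72 74 69 66 69 63 61 74 65 3b 29 56 } //01 00
        // "java/security/AccessControlContext"
        $a_01_7 = {01 00 22 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 41 63 63 65 73 73 43 6f 6e 74 72 6f 6c 43 6f 6e 74 65 78 74 } //01 00
        // "java/security/ProtectionDomain"
        $a_01_8 = {01 00 1e 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 72 6f 74 65 63 74 69 6f 6e 44 6f 6d 61 69 6e } //01 00
        // "java/net/URL"
        $a_01_9 = {01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c } //01 00
        // "(Ljava/lang/String;)V" - one-String void descriptor, e.g. URL(String);
        // very common on its own, only meaningful together with the rest
        $a_01_10 = {01 00 15 28 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 3b 29 56 } //01 00
        // "java/lang/System" - target class of setSecurityManager; present in most
        // class files, low signal on its own
        $a_01_11 = {01 00 10 6a 61 76 61 2f 6c 61 6e 67 2f 53 79 73 74 65 6d } //01 00
        // "file:///" - the URL string used for the forged CodeSource
        $a_01_12 = {01 00 08 66 69 6c 65 3a 2f 2f 2f } //01 00
        // "execute" - java.beans.Statement.execute()
        $a_01_13 = {01 00 07 65 78 65 63 75 74 65 } //01 00
        // "java/beans/Statement" - the reflective invoker whose private "acc" field the
        // exploit overwrites with a privileged context
        $a_01_14 = {01 00 14 6a 61 76 61 2f 62 65 61 6e 73 2f 53 74 61 74 65 6d 65 6e 74 } //01 00
        // "java/lang/Object" - present in essentially every class file; zero signal alone
        $a_01_15 = {01 00 10 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 } //01 00
        // "java/security/AllPermission"
        $a_01_16 = {01 00 1b 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 41 6c 6c 50 65 72 6d 69 73 73 69 6f 6e } //01 00
        // "<init>" - constructor name; present in essentially every class file
        $a_01_17 = {01 00 06 3c 69 6e 69 74 3e } //01 00
        // "([Ljava/security/ProtectionDomain;)V" - descriptor of the
        // AccessControlContext(ProtectionDomain[]) constructor
        $a_01_18 = {01 00 24 28 5b 4c 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 72 6f 74 65 63 74 69 6f 6e 44 6f 6d 61 69 6e 3b 29 56 } //01 00
        // "(Ljava/lang/Class;Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V" -
        // descriptor of a void method taking (Class, String, Object, Object); consistent
        // with the reflective set-field helper of the public exploit (class, field name,
        // target, value) that the bytecode in $a_01_21 calls just before execute()
        $a_01_19 = {01 00 4a 28 4c 6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 3b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 69 6e 67 3b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b 4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b 29 56 } //01 00
        // "java/security/CodeSource"
        $a_01_20 = {01 00 18 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 43 6f 64 65 53 6f 75 72 63 65 } //01 00
        // Method bytecode.  Read as an opcode-only stream (operand bytes appear to be
        // elided by the signature format) it decodes as:
        //   new dup ldc_w ldc iconst_1 anewarray invokespecial astore_1
        //       - construct an object from a class constant, a string constant and a
        //         one-element Object[]  (shape of new Statement(System.class,
        //         "setSecurityManager", new Object[1]))
        //   new dup invokespecial astore_2            - no-arg constructor (Permissions)
        //   aload_2 new dup invokespecial invokevirtual - perms.add(new AllPermission())
        //   new dup new dup new dup ldc invokespecial iconst_0 anewarray invokespecial
        //       aload_2 invokespecial astore_3
        //       - new ProtectionDomain(new CodeSource(new URL(str), new Certificate[0]), perms)
        //   new dup iconst_1 anewarray dup iconst_0 aload_3 aastore invokespecial astore
        //       - new AccessControlContext(new ProtectionDomain[] { pd })
        //   aload_0 ldc_w ldc aload_1 aload invokespecial
        //       - this.helper(<class>, "<string>", statement, context)  (see $a_01_19)
        //   aload_1 invokevirtual return              - statement.execute()
        // The class-name attributions are inferred from the companion strings above;
        // the opcode sequence itself is what is matched.
        $a_01_21 = {bb 59 13 12 04 bd b7 4c bb 59 b7 4d 2c bb 59 b7 b6 bb 59 bb 59 bb 59 12 b7 03 bd b7 2c b7 4e bb 59 04 bd 59 03 2d 53 b7 3a 2a 13 12 2b 19 b7 2b b6 b1 } //00 00
    condition:
        // All 22 strings, matching the Defender threshold (22 of 22); see header comment.
        all of ($a_*)
}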