
// Microsoft Defender signature rendered in YARA syntax: Exploit:Win32/CVE-2020-1472.A!ibt.
// CVE-2020-1472 is the Netlogon elevation-of-privilege issue ("Zerologon"). This is a
// file/PE signature: it flags a Win32 binary that carries a specific tool implementation,
// it does not detect exploitation on the wire (pair it with Netlogon event monitoring
// for coverage of the attack itself).
//
// Match logic: each string carries a weight (1 for the three text strings, 10 for the
// two code fragments) and the weighted count must reach 22. That threshold can only be
// met when BOTH code fragments are present plus at least two of the three text strings
// (without one code fragment the maximum is 13).
//
// Because the code fragments hard-code absolute addresses in the 0x0042xxxx range
// (only partly wildcarded), the rule is tied to a particular build; recompiled or
// relinked variants are likely to fall below the threshold.
rule Exploit_Win32_CVE-2020-1472_A_ibt{
meta:
// "SIGNATURE_TYPE_PEHSTR_EXT" is the Defender signature family this rule was converted
// from. In the trailing bytes, 0x16 (= 22) matches the condition threshold below and
// 0x05 the number of strings; the remaining fields are not interpreted here.
description = "Exploit:Win32/CVE-2020-1472.A!ibt,SIGNATURE_TYPE_PEHSTR_EXT,16 00 16 00 05 00 00 "
strings :
// Naming follows the export: $a_00_* are plain byte sequences (ASCII, decoded in the
// trailing comment of each line); $a_03_* are x86 code fragments where ?? wildcards
// cover operands that vary between builds. The number after "//" on each string line
// is the weight used in the condition.

// Weight 1: error text a Netlogon client prints when the NetrServerAuthenticate2
// call fails.
$a_00_0 = {6e 65 74 73 65 72 76 65 72 61 75 74 68 65 6e 74 69 63 61 74 65 32 20 65 72 72 6f 72 } //1 netserverauthenticate2 error
// Weight 1: message naming the NTSTATUS a DC returns when the caller is not a
// trust/machine account; characteristic of a client that reports Netlogon status codes.
$a_00_1 = {6e 65 74 72 73 65 72 76 65 72 61 75 74 68 65 6e 74 69 63 61 74 65 32 3a 20 53 54 41 54 55 53 5f 4e 4f 5f 54 52 55 53 54 5f 53 41 4d 5f 41 43 43 4f 55 4e 54 } //1 netrserverauthenticate2: STATUS_NO_TRUST_SAM_ACCOUNT
// Weight 1: the RPC protocol sequence string for binding over TCP/IP. This string is
// common in benign RPC clients too, which is why it carries the low weight.
$a_00_2 = {6e 63 61 63 6e 5f 69 70 5f 74 63 70 } //1 ncacn_ip_tcp
// Weight 10: x86 code fragment. It opens with "cmp dword [ebp-0x260], 0x7d0" (0x7d0 =
// 2000) followed by a jge, then a four-argument call whose result is stored at
// [ebp-0x258] and compared against zero, then another set of pushes for a call.
// NOTE(review): the "90 90" run in "8b 95 90 90 fd ff ff" looks out of place -- with
// those two bytes removed the tail decodes as "mov edx,[ebp-0x270]; push edx;
// push 0x42c028", consistent with the pushes before it. Confirm against the original
// signature before relying on this fragment.
$a_03_3 = {81 bd a0 fd ff ff d0 07 00 00 0f 8d 51 01 00 00 8d 45 b4 50 8d 4d cc 51 68 e8 cb 42 00 6a 00 e8 02 ea ff ff 83 c4 10 89 85 a8 fd ff ff 83 bd a8 fd ff ff 00 0f 85 13 01 00 00 8d 95 80 fd ff ff 52 8d 45 c0 50 8d 4d d8 51 68 ?? ?? ?? 00 8b 95 90 90 fd ff ff 52 68 28 c0 42 00 } //10
// Weight 10: x86 code fragment that ends a function: three pushes (the second computed
// from a wildcarded base address), a call through an import-table slot at 0x42017c,
// "add esp,0xc" (cdecl cleanup), the return value spilled to and reloaded from
// [ebp-4], then "mov esp,ebp; pop ebp; ret".
$a_03_4 = {8d 45 08 50 b9 01 00 00 00 6b d1 00 81 c2 ?? ?? ?? 00 52 68 c8 a8 42 00 ff 15 7c 01 42 00 83 c4 0c 89 45 fc 8b 45 fc 8b e5 5d c3 } //10
condition:
// Weighted sum of string hits; "(#x & 1)" counts each string at most once regardless
// of how many times it occurs. Threshold 22 = both code fragments (20) plus any two of
// the three text strings.
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_03_3 & 1)*10+(#a_03_4 & 1)*10) >=22
}