19 lines
1.1 KiB
Plaintext
19 lines
1.1 KiB
Plaintext
|
|
rule Exploit_MacOS_JailBreak_TA_MTB{
|
|
meta:
|
|
description = "Exploit:MacOS/JailBreak.TA!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,07 00 07 00 08 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {6d 61 63 2e 74 61 69 67 2e 63 6f 6d } //01 00
|
|
$a_00_1 = {2f 54 61 69 47 2d 66 6f 72 2d 6d 61 63 2f 74 65 73 74 2d 6d 61 63 2d 63 6f 63 6f 61 2f 74 65 73 74 2d 6d 61 63 2d 63 6f 63 6f 61 2f 41 70 70 44 65 6c 65 67 61 74 65 2e 6d 6d } //01 00
|
|
$a_00_2 = {2f 54 61 69 47 2d 66 6f 72 2d 6d 61 63 2f 74 65 73 74 2d 6d 61 63 2d 63 6f 63 6f 61 2f 74 65 73 74 2d 6d 61 63 2d 63 6f 63 6f 61 2f 6d 6f 62 69 6c 65 2e 63 70 70 } //01 00
|
|
$a_00_3 = {6a 61 69 6c 62 72 65 61 6b 63 6f 6d 70 6c 65 74 65 } //01 00
|
|
$a_00_4 = {63 6f 6d 2e 73 61 75 72 69 6b 2e 43 79 64 69 61 } //01 00
|
|
$a_00_5 = {74 68 61 6e 6b 79 6f 75 46 6f 72 55 73 65 54 61 69 47 6a 61 69 6c 62 72 65 61 6b 54 65 78 74 46 69 65 6c 64 } //01 00
|
|
$a_00_6 = {67 65 74 44 65 76 69 63 65 49 6e 66 6f } //01 00
|
|
$a_03_7 = {2f 74 61 69 67 90 02 10 2e 63 70 70 90 00 } //00 00
|
|
$a_00_8 = {5d 04 00 00 } //a8 ea
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |