2016-02-15 09:22:28 +00:00
|
|
|
|
2018-04-14 09:55:57 +00:00
|
|
|
rule Flash_CVE_2015_5119_APT3_leg {
|
2016-02-15 09:22:28 +00:00
|
|
|
meta:
|
|
|
|
|
description = "Exploit Sample CVE-2015-5119"
|
2018-08-26 10:47:41 +00:00
|
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
|
|
|
author = "Florian Roth"
|
2016-02-15 09:22:28 +00:00
|
|
|
score = 70
|
2018-04-14 09:55:57 +00:00
|
|
|
yaraexchange = "No distribution without author's consent"
|
2016-02-15 09:22:28 +00:00
|
|
|
date = "2015-08-01"
|
|
|
|
|
strings:
|
|
|
|
|
$s0 = "HT_exploit" fullword ascii
|
|
|
|
|
$s1 = "HT_Exploit" fullword ascii
|
|
|
|
|
$s2 = "flash_exploit_" ascii
|
|
|
|
|
$s3 = "exp1_fla/MainTimeline" ascii fullword
|
|
|
|
|
$s4 = "exp2_fla/MainTimeline" ascii fullword
|
|
|
|
|
$s5 = "_shellcode_32" fullword ascii
|
2018-04-14 09:55:57 +00:00
|
|
|
$s6 = "todo: unknown 32-bit target" fullword ascii
|
2016-02-15 09:22:28 +00:00
|
|
|
condition:
|
|
|
|
|
uint16(0) == 0x5746 and 1 of them
|
2018-04-14 09:55:57 +00:00
|
|
|
}
|
