signature-base/yara/gen_dirtycow.yar

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-10-20
   Identifier: Dirty Cow
*/

/* Rule Set ----------------------------------------------------------------- */

rule Linux_DirtyCow_Exploit {
   meta:
      description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"
      author = "Florian Roth"
      reference = "http://dirtycow.ninja/"
      date = "2016-10-21"
   strings:
      $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }

      $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
      $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }

      $source1 = "madvise(map,100,MADV_DONTNEED);"
      $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
      $source3 = ",map,SEEK_SET);"

      $source_printf1 = "mmap %x"
      $source_printf2 = "procselfmem %d"
      $source_printf3 = "madvise %d"
      $source_printf4 = "[-] failed to patch payload"
      $source_printf5 = "[-] failed to win race condition..."
      $source_printf6 = "[*] waiting for reverse connect shell..."

      $s1 = "/proc/self/mem"
      $s2 = "/proc/%d/mem"
      $s3 = "/proc/self/map"
      $s4 = "/proc/%d/map"

      $p1 = "pthread_create" fullword ascii
      $p2 = "pthread_join" fullword ascii
   condition:
      ( uint16(0) == 0x457f and $a1 ) or
      all of ($b*) or
      3 of ($source*) or
      ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
}
Dirty COW 2016-10-22 15:34:30 +00:00			`/*`
			`Yara Rule Set`
			`Author: Florian Roth`
			`Date: 2016-10-20`
			`Identifier: Dirty Cow`
			`*/`

			`/* Rule Set ----------------------------------------------------------------- */`

			`rule Linux_DirtyCow_Exploit {`
			`meta:`
			`description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"`
			`author = "Florian Roth"`
			`reference = "http://dirtycow.ninja/"`
			`date = "2016-10-21"`
			`strings:`
			`$a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }`

			`$b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }`
			`$b2 = { E8 ?? FC FF FF B8 00 00 00 00 }`

			`$source1 = "madvise(map,100,MADV_DONTNEED);"`
			`$source2 = "=open(\"/proc/self/mem\",O_RDWR);"`
			`$source3 = ",map,SEEK_SET);"`

			`$source_printf1 = "mmap %x"`
			`$source_printf2 = "procselfmem %d"`
			`$source_printf3 = "madvise %d"`
DirtyCOW Update 2016-10-24 07:50:52 +00:00			`$source_printf4 = "[-] failed to patch payload"`
			`$source_printf5 = "[-] failed to win race condition..."`
			`$source_printf6 = "[*] waiting for reverse connect shell..."`
Dirty COW 2016-10-22 15:34:30 +00:00
			`$s1 = "/proc/self/mem"`
DirtyCOW Update 2016-10-24 07:50:52 +00:00			`$s2 = "/proc/%d/mem"`
			`$s3 = "/proc/self/map"`
			`$s4 = "/proc/%d/map"`
Improved DirtyCOW Rule 2016-10-24 14:40:54 +00:00
			`$p1 = "pthread_create" fullword ascii`
			`$p2 = "pthread_join" fullword ascii`
Dirty COW 2016-10-22 15:34:30 +00:00			`condition:`
			`( uint16(0) == 0x457f and $a1 ) or`
			`all of ($b*) or`
			`3 of ($source*) or`
Improved DirtyCOW Rule 2016-10-24 14:40:54 +00:00			`( uint16(0) == 0x457f and 1 of ($s) and all of ($p) and filesize < 20KB )`
Dirty COW 2016-10-22 15:34:30 +00:00			`}`