fix: fix in rule improvement

Florian Roth 2019-03-02 17:14:36 +01:00
parent 78706dbe46
commit 0c1d02a6ef


@ -220,7 +220,6 @@ rule Msfpayloads_msf_cmd {
rule Msfpayloads_msf_9 { rule Msfpayloads_msf_9 {
meta: meta:
description = "Metasploit Payloads - file msf.war - contents" description = "Metasploit Payloads - file msf.war - contents"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth" author = "Florian Roth"
reference = "Internal Research" reference = "Internal Research"
date = "2017-02-09" date = "2017-02-09"
@ -231,9 +230,11 @@ rule Msfpayloads_msf_9 {
$s3 = "[0] = \"chmod\";" ascii $s3 = "[0] = \"chmod\";" ascii
$s4 = "= Runtime.getRuntime().exec(" ascii $s4 = "= Runtime.getRuntime().exec(" ascii
$s5 = ", 16) & 0xff;" ascii $s5 = ", 16) & 0xff;" ascii
$x1 = "4d5a9000030000000" ascii
condition: condition:
4 of ($s*) or ( 4 of ($s*) or (
uint32(0) == 0x00905a4d and uint32(4) == 0x00000003 uint32(0) == 0x61356434 and $x1 at 0
) )
} }
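Review bot: The constant in the new second branch, `uint32(0) == 0x61356434 and $x1 at 0`, is undocumented and easy to misread as a binary PE check like the one it replaces. It is the little-endian read of the ASCII text "4d5a", so a comment such as `// 0x61356434 = "4d5a": file starts with a hex-encoded MZ header; cheap pre-check for $x1 at 0` would help. The branch fires without any of the `$s*` strings, so any file that begins with a lowercase hex dump of a PE will match under a rule described as "msf.war - contents". If that breadth is intended, it is worth stating in the description, and a `filesize` bound may help limit hits on benign hex dumps. An upper-case dump (`4D5A90...`) would pass neither check; whether that matters depends on how the payload is written, which the visible lines do not show. The strings between the two hunks are not visible, so this is based on the shown lines only.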