valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improved DirtyCOW Rule

Browse Source
This commit is contained in:
Florian Roth 2016-10-24 16:40:54 +02:00
parent 7a219e5a4b
commit c1d9a5379c
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
yara/gen_dirtycow.yar
View File

@ -34,9 +34,12 @@ rule Linux_DirtyCow_Exploit {
$s2 = "/proc/%d/mem" $s2 = "/proc/%d/mem"
$s3 = "/proc/self/map" $s3 = "/proc/self/map"
$s4 = "/proc/%d/map" $s4 = "/proc/%d/map"
$p1 = "pthread_create" fullword ascii
$p2 = "pthread_join" fullword ascii
condition: condition:
( uint16(0) == 0x457f and $a1 ) or ( uint16(0) == 0x457f and $a1 ) or
all of ($b*) or all of ($b*) or
3 of ($source*) or 3 of ($source*) or
( uint16(0) == 0x457f and 1 of ($s*) and filesize < 20KB ) ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
} }