valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

detect Oracle Weblogic exploit CVE-2017-10271

Browse Source 
Performed a retrohunt. 3 matches came back--all true positives:
20f5a6b4915d51c36b1e2fa77da7f75c44b07697b717ef733deba86d7c57b09a
376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95
864e9d8904941fae90ddd10eb03d998f85707dc2faff80cba2e365a64e830e1d/subfile
This commit is contained in:
John Lambert 2018-03-21 14:06:07 -07:00 committed by GitHub
parent 1e2fb32e11
commit f6fef3e296
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
yara/gen_exploit_CVE_2017_10271_WebLogic Normal file
View File

@ -0,0 +1,24 @@
rule gen_exploit_CVE_2017_10271_WebLogic
{
meta:
description = "Exploit for CVE-2017-10271 (Oracle WebLogic)"
author = "John Lambert @JohnLaTwC"
date = "2018-03-21"
hash1 = "376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95"
hash2 = "376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95"
hash3 = "864e9d8904941fae90ddd10eb03d998f85707dc2faff80cba2e365a64e830e1d/subfile"
reference = "https://github.com/c0mmand3rOpSec/CVE-2017-10271, https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html"
strings:
$s1 = "<soapenv:Header"
$s2 = "java.beans.XMLDecoder"
$s3 = "void" fullword
$s4 = "index="
$s5 = "/array>"
$s6 = "\"start\""
$s7 = "work:WorkContext" nocase
condition:
filesize < 10KB
and uint32(0) == 0x616f733c
and all of ($s*)
}