valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2444eb6d8f
signature-base/yara/gen_dirtycow.yar
Florian Roth f4c725bb84 False Positive Reduction
2017-06-07 09:18:52 +02:00

49 lines
1.5 KiB
Plaintext
Raw Blame History

/*
Yara Rule Set
Author: Florian Roth
Date: 2016-10-20
Identifier: Dirty Cow
*/
/* Rule Set ----------------------------------------------------------------- */
rule Linux_DirtyCow_Exploit {
meta:
description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"
author = "Florian Roth"
reference = "http://dirtycow.ninja/"
date = "2016-10-21"
strings:
$a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }
$b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
$b2 = { E8 ?? FC FF FF B8 00 00 00 00 }
$source1 = "madvise(map,100,MADV_DONTNEED);"
$source2 = "=open(\"/proc/self/mem\",O_RDWR);"
$source3 = ",map,SEEK_SET);"
$source_printf1 = "mmap %x"
$source_printf2 = "procselfmem %d"
$source_printf3 = "madvise %d"
$source_printf4 = "[-] failed to patch payload"
$source_printf5 = "[-] failed to win race condition..."
$source_printf6 = "[*] waiting for reverse connect shell..."
$s1 = "/proc/self/mem"
$s2 = "/proc/%d/mem"
$s3 = "/proc/self/map"
$s4 = "/proc/%d/map"
$p1 = "pthread_create" fullword ascii
$p2 = "pthread_join" fullword ascii
condition:
(
( uint16(0) == 0x457f and $a1 ) or
all of ($b*) or
3 of ($source*) or
( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
)
and not filename == "libSegFault.so"
}
Reference in New Issue View Git Blame Copy Permalink