Yara Rule For CVE-2010-0805

Posted: April 6th, 2010 | Author: | Filed under: IT Related | Tags: , , , , , , | 9 Comments »

Internet Explorer Tabular Data Control ActiveX Memory Corruption CVE-2010-0805 ported to Metasploit, so I decided to release the detection rule for Yara

rule MSIETabularActivex
{
        meta:
                ref = "CVE-2010-0805"
                impact = 7
                hide = true
        strings:
                $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
                $cve20100805_2 = "DataURL" nocase fullword
                $cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword
        condition:
                ($cve20100805_1 and $cve20100805_3) or (all of them)
}

Credit:

  1. ZSploit.com
  2. Metasploit
  3. @d3t0n4t0r

9 Comments on “Yara Rule For CVE-2010-0805”

  1. 1 d4rKn19t said at 12:14 PM on April 8th, 2010:

    xanda, is this just for the IE or can also be added to Mozilla

  2. 2 landak said at 12:38 PM on April 8th, 2010:

    wey d4rKn19t , so you stupid heh??

  3. 3 tdr said at 2:13 PM on April 8th, 2010:

    hahaha….

  4. 4 d4rKn19t said at 4:23 PM on April 8th, 2010:

    @landak
    hahaha

  5. 5 Ucuz Pratik Hızlı Lezzetli Yemek Tarifleri » Blog Archive » Baharatlı Tuna Salatası said at 4:51 PM on April 9th, 2010:

    […] Yara Rule For CVE-2010-0805 | Xanda's Blog !~! […]

  6. 6 Ucuz Pratik Hızlı Lezzetli Yemek Tarifleri » Blog Archive » Gözleme said at 12:18 AM on April 10th, 2010:

    […] Yara Rule For CVE-2010-0805 | Xanda's Blog !~! […]

  7. 7 Tweets that mention Yara Rule For CVE-2010-0805 | Xanda's Blog !~! -- Topsy.com said at 1:53 AM on April 13th, 2010:

    […] This post was mentioned on Twitter by xanda. xanda said: Yara (and JSunpack) Rule For CVE-2010-0805 http://blog.xanda.org/2010/04/06/yara-rule-for-cve-2010-0805/ […]

  8. 8 yeh said at 8:36 PM on April 17th, 2010:

    =.=!!!

  9. 9 Yara (and JSunpack) Rule For C… | Xanda's Twitter said at 8:18 AM on August 30th, 2010:

    […] (and JSunpack) Rule For CVE-2010-0805 http://blog.xanda.org/2010/04/06/yara-rule-for-cve-2010-0805/ […]


Leave a Reply