Xanda's Blog !~!

Yara Rule for CVE-2010-1297

Jun 11
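rule FlashNewfunction: decodedPDF
{
   meta:
      ref = "CVE-2010-1297"
      hide = true
      impact = 5
   strings:
      // JavaScript unescape() call, matched as a whole word, any case
      $unescape = "unescape" fullword nocase
      // A single %uXXXX escaped 16-bit value
      $shellcode = /%u[A-Fa-f0-9]{4}/
      // Five consecutive %uXXXX escaped values
      $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
      // PDF object declaring an embedded Flash subtype
      $cve20101297 = /\/Subtype ?\/Flash/
   condition:
      // Flash object plus either unescape() with an escaped value, or a run of five escaped values
      ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}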
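As an added example (not part of the original post, and not YARA itself), this Python emulation of the rule's condition runs over constructed decoded-PDF snippets and reports which string hit and which branch of the condition fired. The names explain and SAMPLES are assumptions made here, and the regexes approximate YARA's fullword and nocase modifiers.

```python
import re

# Python equivalents of the rule's four strings (an emulation, not YARA).
# YARA's "fullword" means delimited by non-alphanumeric bytes, so explicit
# lookarounds are used instead of \b (which treats "_" as a word character).
PATTERNS = {
    "$unescape": re.compile(rb"(?<![A-Za-z0-9])unescape(?![A-Za-z0-9])", re.I),
    "$shellcode": re.compile(rb"%u[A-Fa-f0-9]{4}"),
    "$shellcode5": re.compile(rb"(%u[A-Fa-f0-9]{4}){5}"),
    "$cve20101297": re.compile(rb"/Subtype ?/Flash"),
}


def explain(data: bytes) -> dict:
    """Return per-string hits and which branch of the condition is satisfied."""
    hits = {name: bool(rx.search(data)) for name, rx in PATTERNS.items()}
    # Branch A: ($unescape and $shellcode and $cve20101297)
    branch_a = hits["$unescape"] and hits["$shellcode"] and hits["$cve20101297"]
    # Branch B: ($shellcode5 and $cve20101297)
    branch_b = hits["$shellcode5"] and hits["$cve20101297"]
    return {"hits": hits, "branch_a": branch_a, "branch_b": branch_b,
            "match": branch_a or branch_b}


# Constructed samples of decoded PDF object text; none come from a real file.
SAMPLES = {
    "flash_only": b"<< /Type /Annot /Subtype /Flash >>",
    "js_and_flash": b"<< /Subtype/Flash >> var s = unescape('%u4141');",
    "escaped_run_and_flash": b"<< /Subtype /Flash >> '%u4141%u4141%u4141%u4141%u4141'",
    "js_only": b"var s = unescape('%u4141%u4141%u4141%u4141%u4141');",
    "not_fullword": b"<< /Subtype /Flash >> myunescape2('%u4141')",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = explain(data)
        fired = [s for s, hit in r["hits"].items() if hit]
        print(f"{name:24} match={r['match']!s:5} A={r['branch_a']!s:5} "
              f"B={r['branch_b']!s:5} strings={fired}")
```

The js_only and flash_only samples show that neither half of the condition fires alone, which is why the rule is meant for decoded stream content where the script and the Flash object are both visible.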
