Xanda's Blog !~!

Yara Rule for CVE-2010-1297

Jun
11
rule FlashNewfunction: decodedPDF
{
   meta:  
      ref = "CVE-2010-1297"
      hide = true
      impact = 5 
   strings:
      $unescape = "unescape" fullword nocase
      $shellcode = /%u[A-Fa-f0-9]{4}/
      $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
      $cve20101297 = /\/Subtype ?\/Flash/
   condition:
      ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}

Yara Rule for CVE-2010-1885

Jun
11
rule HelpSupportCenter
{
   meta:  
      ref = "CVE-2010-1885"
      hide = true
      impact = 5 
   strings:
      $cve20101885 = /hcp:\/\/.*?(%u?[A-F]{1,4}.*?){90}/
   condition:
       all of them
}

Yara Rule for Safari window.parent.close()

May
08
rule SafariWindowParentClose
{
   meta:
      ref = "Safari window.parent.close()"
      impact = 7
   strings:
      $SafariWindowParentClose_1 = /.*?.prompt\(alert\)/
      $SafariWindowParentClose_2 = /.*?.prompt\(.*?\)/
      $SafariWindowParentClose_3 = /.*?.close\(\)/
   condition:
      all of them
}

Yara Rule For CVE-2010-0886 & CVE-2010-0887

Apr
21
rule JavaDeploymentToolkit
{
   meta:
      ref = "CVE-2010-0887"
      impact = 7
   strings:
      $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
      $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
      $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
      $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
      $cve20100887_5 = "document.body.appendChild(" nocase fullword
      $cve20100887_6 = /.*?.launch\(.*?\)/
      $cve20100887_7 = "-J-jar -J" nocase fullword
   condition:
      3 of them
}

Yara Rule For CVE-2010-0805

Apr
06

Internet Explorer Tabular Data Control ActiveX Memory Corruption CVE-2010-0805 ported to Metasploit, so I decided to release the detection rule for Yara

rule MSIETabularActivex
{
        meta:
                ref = "CVE-2010-0805"
                impact = 7
                hide = true
        strings:
                $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
                $cve20100805_2 = "DataURL" nocase fullword
                $cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword
        condition:
                ($cve20100805_1 and $cve20100805_3) or (all of them)
}

Credit:

  1. ZSploit.com
  2. Metasploit
  3. @d3t0n4t0r