Posted: June 11th, 2010 | Author: xanda | Filed under: IT Related | Tags: adobe, CVE-2010-1297, flash, jsunpack, pdf, yara | 1 Comment »
rule FlashNewfunction: decodedPDF
{
meta:
ref = "CVE-2010-1297"
hide = true
impact = 5
strings:
$unescape = "unescape" fullword nocase
$shellcode = /%u[A-Fa-f0-9]{4}/
$shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
$cve20101297 = /\/Subtype ?\/Flash/
condition:
($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
} |
rule FlashNewfunction: decodedPDF
{
meta:
ref = "CVE-2010-1297"
hide = true
impact = 5
strings:
$unescape = "unescape" fullword nocase
$shellcode = /%u[A-Fa-f0-9]{4}/
$shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
$cve20101297 = /\/Subtype ?\/Flash/
condition:
($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}
[…] This post was mentioned on Twitter by Gadix, Mila and Fakhri Me, xanda. xanda said: Yara Rule for CVE-2010-1297 http://goo.gl/sPFg […]