Posted: June 11th, 2010 | Author: xanda | Filed under: IT Related | Tags: adobe, CVE-2010-1297, flash, jsunpack, pdf, yara | 1 Comment »
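// Flash "newfunction" vulnerability reached through PDF (CVE-2010-1297):
// a /Subtype /Flash object combined with %uXXXX-encoded payload data.
// The decodedPDF tag scopes the rule to decoded PDF content; the meta
// keys ref/hide/impact appear to follow the jsunpack rule convention and
// are kept unchanged.
rule FlashNewfunction: decodedPDF
{
    meta:
        ref = "CVE-2010-1297"
        hide = true
        impact = 5
    strings:
        // JavaScript decoder call that is normally paired with %u data.
        $unescape = "unescape" fullword nocase
        // One %uXXXX unit; $shellcode5 needs five of them back to back.
        $shellcode = /%u[A-Fa-f0-9]{4}/
        $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
        // PDF permits any whitespace (including newlines) between the
        // /Subtype key and its value, so \s* replaces the original " ?"
        // which only accepted zero or one space.
        $cve20101297 = /\/Subtype\s*\/Flash/
    condition:
        // The Flash subtype marker was required by both original branches;
        // it is factored out so the intent is visible at a glance.
        $cve20101297 and (($unescape and $shellcode) or $shellcode5)
}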
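// Flash "newfunction" vulnerability reached through PDF (CVE-2010-1297):
// a /Subtype /Flash object combined with %uXXXX-encoded payload data.
// The decodedPDF tag scopes the rule to decoded PDF content; the meta
// keys ref/hide/impact appear to follow the jsunpack rule convention and
// are kept unchanged.
rule FlashNewfunction: decodedPDF
{
    meta:
        ref = "CVE-2010-1297"
        hide = true
        impact = 5
    strings:
        // JavaScript decoder call that is normally paired with %u data.
        $unescape = "unescape" fullword nocase
        // One %uXXXX unit; $shellcode5 needs five of them back to back.
        $shellcode = /%u[A-Fa-f0-9]{4}/
        $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
        // PDF permits any whitespace (including newlines) between the
        // /Subtype key and its value, so \s* replaces the original " ?"
        // which only accepted zero or one space.
        $cve20101297 = /\/Subtype\s*\/Flash/
    condition:
        // The Flash subtype marker was required by both original branches;
        // it is factored out so the intent is visible at a glance.
        $cve20101297 and (($unescape and $shellcode) or $shellcode5)
}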
Posted: June 11th, 2010 | Author: xanda | Filed under: IT Related | Tags: CVE-2010-1885, jsunpack, Windows Help and Support Center, yara | 3 Comments »
// Windows Help and Support Center protocol handler abuse (CVE-2010-1885):
// an hcp:// URL followed by a long run of percent-encoded hex groups.
rule HelpSupportCenter
{
    meta:
        ref = "CVE-2010-1885"
        impact = 5
        hide = true
    strings:
        // hcp:// scheme, then at least 90 "%X" / "%uXXXX"-style groups of
        // one to four uppercase hex letters, with anything in between.
        // NOTE(review): [A-F] admits neither digits nor lowercase hex, the
        // scheme is matched case-sensitively, and a lazy .*? inside a group
        // repeated 90 times is expensive to evaluate — confirm all three
        // against the samples this rule was written from.
        $hcp_pct_run = /hcp:\/\/.*?(%u?[A-F]{1,4}.*?){90}/
    condition:
        // Single string, so this is the same as "all of them".
        $hcp_pct_run
}
// Windows Help and Support Center protocol handler abuse (CVE-2010-1885):
// an hcp:// URL followed by a long run of percent-encoded hex groups.
rule HelpSupportCenter
{
    meta:
        ref = "CVE-2010-1885"
        impact = 5
        hide = true
    strings:
        // hcp:// scheme, then at least 90 "%X" / "%uXXXX"-style groups of
        // one to four uppercase hex letters, with anything in between.
        // NOTE(review): [A-F] admits neither digits nor lowercase hex, the
        // scheme is matched case-sensitively, and a lazy .*? inside a group
        // repeated 90 times is expensive to evaluate — confirm all three
        // against the samples this rule was written from.
        $hcp_pct_run = /hcp:\/\/.*?(%u?[A-F]{1,4}.*?){90}/
    condition:
        // Single string, so this is the same as "all of them".
        $hcp_pct_run
}
Posted: May 8th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, jsunpack, rule, safari, window.parent.close(), yara | 1 Comment »
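// Safari window.parent.close() 0day pattern: a script that calls prompt()
// on a parent window and then close() on it.
rule SafariWindowParentClose
{
    meta:
        ref = "Safari window.parent.close()"
        impact = 7
    strings:
        // The dot before each method name is now escaped: the original
        // unescaped "." matched any byte, not the property access intended.
        // The leading ".*?" was dropped because YARA already searches for a
        // pattern anywhere in the input; the prefix only widened the match.
        $SafariWindowParentClose_1 = /\.prompt\(alert\)/
        // Any prompt() call; this subsumes _1, which is kept so the rule's
        // string set stays comparable with earlier reports.
        $SafariWindowParentClose_2 = /\.prompt\(.*?\)/
        $SafariWindowParentClose_3 = /\.close\(\)/
    condition:
        all of them
}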
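// Safari window.parent.close() 0day pattern: a script that calls prompt()
// on a parent window and then close() on it.
rule SafariWindowParentClose
{
    meta:
        ref = "Safari window.parent.close()"
        impact = 7
    strings:
        // The dot before each method name is now escaped: the original
        // unescaped "." matched any byte, not the property access intended.
        // The leading ".*?" was dropped because YARA already searches for a
        // pattern anywhere in the input; the prefix only widened the match.
        $SafariWindowParentClose_1 = /\.prompt\(alert\)/
        // Any prompt() call; this subsumes _1, which is kept so the rule's
        // string set stays comparable with earlier reports.
        $SafariWindowParentClose_2 = /\.prompt\(.*?\)/
        $SafariWindowParentClose_3 = /\.close\(\)/
    condition:
        all of them
}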
Posted: April 21st, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, Deployment Toolkit, java, jsunpack, yara | No Comments »
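// Java Deployment Toolkit abuse (CVE-2010-0887): the toolkit CLSID and
// MIME types, dynamic <OBJECT> creation, a launch() call and the
// "-J-jar -J" argument string. Any three of the seven are enough.
rule JavaDeploymentToolkit
{
    meta:
        ref = "CVE-2010-0887"
        impact = 7
    strings:
        $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
        $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
        $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
        $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
        // fullword removed: it also checks the byte after the match, and
        // this string ends in "(", so "appendChild(o)" could never match.
        $cve20100887_5 = "document.body.appendChild(" nocase
        // Literal "." before launch; the original unescaped dot matched any
        // byte, and the leading ".*?" is redundant for an unanchored search.
        $cve20100887_6 = /\.launch\(.*?\)/
        // NOTE(review): fullword requires a non-alphanumeric byte after the
        // trailing "-J"; that holds for a UNC path ("\\") but not for an
        // argument that starts with a letter or digit — confirm intended.
        $cve20100887_7 = "-J-jar -J" nocase fullword
    condition:
        3 of them
}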
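// Java Deployment Toolkit abuse (CVE-2010-0887): the toolkit CLSID and
// MIME types, dynamic <OBJECT> creation, a launch() call and the
// "-J-jar -J" argument string. Any three of the seven are enough.
rule JavaDeploymentToolkit
{
    meta:
        ref = "CVE-2010-0887"
        impact = 7
    strings:
        $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
        $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
        $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
        $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
        // fullword removed: it also checks the byte after the match, and
        // this string ends in "(", so "appendChild(o)" could never match.
        $cve20100887_5 = "document.body.appendChild(" nocase
        // Literal "." before launch; the original unescaped dot matched any
        // byte, and the leading ".*?" is redundant for an unanchored search.
        $cve20100887_6 = /\.launch\(.*?\)/
        // NOTE(review): fullword requires a non-alphanumeric byte after the
        // trailing "-J"; that holds for a UNC path ("\\") but not for an
        // argument that starts with a letter or digit — confirm intended.
        $cve20100887_7 = "-J-jar -J" nocase fullword
    condition:
        3 of them
}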
Posted: April 6th, 2010 | Author: xanda | Filed under: IT Related | Tags: ActiveX, CVE-2010-0805, detection, internet explorer, jsunpack, Tabular Data Control, yara | 9 Comments »
Internet Explorer Tabular Data Control ActiveX Memory Corruption (CVE-2010-0805) has been ported to Metasploit, so I decided to release the Yara detection rule.
// Internet Explorer Tabular Data Control ActiveX memory corruption
// (CVE-2010-0805): the TDC CLSID together with a DataURL parameter whose
// value points at an external http:// resource.
rule MSIETabularActivex
{
    meta:
        ref = "CVE-2010-0805"
        hide = true
        impact = 7
    strings:
        $tdc_clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
        $tdc_dataurl = "DataURL" nocase fullword
        // NOTE(review): only double-quoted http:// values are covered;
        // https:// and single-quoted values are not — confirm against samples.
        $tdc_value_url = /value\=\"http:\/\/(.*?)\"/ nocase fullword
    condition:
        // "all of them" already implies the first branch; the second branch
        // stays only because YARA rejects a rule whose string ($tdc_dataurl)
        // is never referenced from the condition.
        ($tdc_clsid and $tdc_value_url) or all of them
}
// Internet Explorer Tabular Data Control ActiveX memory corruption
// (CVE-2010-0805): the TDC CLSID together with a DataURL parameter whose
// value points at an external http:// resource.
rule MSIETabularActivex
{
    meta:
        ref = "CVE-2010-0805"
        hide = true
        impact = 7
    strings:
        $tdc_clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
        $tdc_dataurl = "DataURL" nocase fullword
        // NOTE(review): only double-quoted http:// values are covered;
        // https:// and single-quoted values are not — confirm against samples.
        $tdc_value_url = /value\=\"http:\/\/(.*?)\"/ nocase fullword
    condition:
        // "all of them" already implies the first branch; the second branch
        // stays only because YARA rejects a rule whose string ($tdc_dataurl)
        // is never referenced from the condition.
        ($tdc_clsid and $tdc_value_url) or all of them
}
Credit:
- ZSploit.com
- Metasploit
- @d3t0n4t0r