Sneed-Reactivity/yara-Neo23x0/exploit_shitrix.yar

30 lines
1.4 KiB
Text
Raw Permalink Normal View History

rule EXPL_Shitrix_Exploit_Code_Jan20_1 : FILE {
meta:
description = "Detects payloads used in Shitrix exploitation CVE-2019-19781"
author = "Florian Roth (Nextron Systems)"
reference = "https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/"
date = "2020-01-13"
score = 70
id = "7fab3a9b-82a5-573a-b210-2ae65f1a7f24"
strings:
$s01 = "/netscaler/portal/scripts/rmpm.pl" ascii
$s02 = "tee /netscaler/portal/templates/" ascii
$s03 = "exec(\\'(wget -q -O- http://" ascii
$s04 = "cd /netscaler/portal; ls" ascii
$s05 = "cat /flash/nsconfig/ns.conf" ascii
$s06 = "/netscaler/portal/scripts/PersonalBookmak.pl" ascii
$s07 = "template.new({'BLOCK'='print readpipe(" ascii /* TrustedSec templae */
$s08 = "pwnpzi1337" fullword ascii /* PZI india static user name */
$s09 = "template.new({'BLOCK'=" /* PZI exploit URL decoded form */
$s10 = "template.new({'BLOCK'%3d" /* PZI exploit URl encoded form */
$s11 = "my ($citrixmd, %FORM);" /* Perl backdoor */
$s12 = "(CMD, \"($citrixmd) 2>&1" /* Perl backdoor */
$b1 = "NSC_USER:" ascii nocase /* https://twitter.com/ItsReallyNick/status/1217308463174496256 */
$b2 = "NSC_NONCE:" ascii nocase /* https://twitter.com/ItsReallyNick/status/1217308463174496256 */
$b3 = "/../" ascii
condition:
1 of ($s*) or all of ($b*)
}