Sneed-Reactivity/yara-mikesxrs/forcepoint/CVE_2014_6352.yar

rule cve_2014_6352

{
meta:
  author = "Forcepoint"
  reference = "https://blogs.forcepoint.com/security-labs/ebola-spreads-cyber-attacks-too"
strings:

        $rootentry = {52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00}

        $ole10native = {4F 00 ( 4C | 6C ) 00 ( 45 | 65 ) 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00 00}

        $c = "This program cannot be run in DOS mode"

condition:

     ($rootentry or $ole10native) and $c

}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule cve_2014_6352`

			`{`
			`meta:`
			`author = "Forcepoint"`
			`reference = "https://blogs.forcepoint.com/security-labs/ebola-spreads-cyber-attacks-too"`
			`strings:`

			`$rootentry = {52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00}`

			`$ole10native = {4F 00 ( 4C \| 6C ) 00 ( 45 \| 65 ) 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00 00}`

			`$c = "This program cannot be run in DOS mode"`

			`condition:`

			`($rootentry or $ole10native) and $c`

			`}`