// Flags files that carry pyrasite, a tool for injecting code into running
// Python processes. The rule looks for the tool's own literal text, so it
// identifies the injector (scripts, packages, help text), not a process that
// has been injected into.
rule hacktool_multi_pyrasite_py
{
    meta:
        // Describes the tool rather than the rule. No date or hash fields are
        // given, so the sample set this was written against is not recorded.
        description = "A tool for injecting arbitrary code into running Python processes."
        reference = "https://github.com/lmacken/pyrasite"
        author = "@fusionrace"

    strings:
        // Every string is a verbatim phrase from the tool; "fullword" requires
        // word boundaries on both sides, "ascii wide" matches the 8-bit and
        // UTF-16LE encodings of the same text.

        // Runtime warning printed when the injection primitive is unavailable.
        $s1 = "WARNING: ptrace is disabled. Injection will not work." fullword ascii wide
        // Descriptive sentences (apparently usage/help or docstring text).
        $s2 = "A payload that connects to a given host:port and receives commands" fullword ascii wide
        $s3 = "A reverse Python connection payload." fullword ascii wide
        $s4 = "pyrasite - inject code into a running python process" fullword ascii wide
        $s5 = "The ID of the process to inject code into" fullword ascii wide
        $s6 = "This file is part of pyrasite." fullword ascii wide
        // NOTE(review): identical to the reference URL above, so any document
        // that merely links to the project (READMEs, write-ups, this rule file)
        // also satisfies the condition — the likeliest false-positive source.
        $s7 = "https://github.com/lmacken/pyrasite" fullword ascii wide
        $s8 = "Setup a communication socket with the process by injecting" fullword ascii wide
        $s9 = "a reverse subshell and having it connect back to us." fullword ascii wide
        $s10 = "Write out a reverse python connection payload with a custom port" fullword ascii wide
        $s11 = "Wait for the injected payload to connect back to us" fullword ascii wide
        // The only identifier-style token in the set; least likely to occur in
        // unrelated prose.
        $s12 = "PyrasiteIPC" fullword ascii wide
        $s13 = "A reverse Python shell that behaves like Python interactive interpreter." fullword ascii wide
        $s14 = "pyrasite cannot establish reverse" fullword ascii wide

    condition:
        // A single matching string is sufficient; no size or file-type gate
        // is applied, so partial copies and quoted excerpts are also caught.
        any of them
}