16 lines
1.1 KiB
Text
16 lines
1.1 KiB
Text
rule SUSP_VulnDriver_HP_Hardware_Diagnostics_Etdsupp_May23 {
|
|
meta:
|
|
description = "Detects vulnerable versions of the HP Hardware Diagnostics driver (etdsupp.sys) based on PE metadata info"
|
|
author = "X__Junior (Nextron Systems)"
|
|
date = "2023-05-12"
|
|
reference = "https://github.com/alfarom256/HPHardwareDiagnostics-PoC/tree/main/"
|
|
hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145"
|
|
score = 65
|
|
id = "8f838e4f-3e3e-5131-9d67-e49f6848bb37"
|
|
strings:
|
|
$s1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 65 00 74 00 64 00 73 00 75 00 70 00 70 00 2e 00 73 00 79 00 73 00} /*OriginalFilename etdsupp.sys*/
|
|
$s2 = "etdsupp.pdb"
|
|
$s3 = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}([\x00-\xff]{2}[\x00-\x11]\x00[\x00-\xff]{4}|\x00\x00\x12\x00\x00\x00\x00\x00)/ /* Vuln Versions*/
|
|
condition:
|
|
uint16(0) == 0x5a4d and int16(uint32(0x3C) + 0x5c) == 0x0001 and filesize < 100KB and all of them
|
|
}
|