/*
This signature is largely built from publicly sourced indicators and detects an in-the-wild exploit for
CVE-2018-4878 (Adobe Flash). It follows the discussion at:
http://blog.inquest.net/blog/2018/02/07/cve-2018-4878-adobe-flash-0day-itw
https://twitter.com/i/moments/960633253165191170
InQuest customers can detect related events on their network by searching for:
event ID 5000798
*/
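rule CVE_2018_4878_0day_ITW
{
    meta:
        description = "In-the-wild exploit for CVE-2018-4878 (Adobe Flash); indicators are mostly public sourced"
        reference1  = "http://blog.inquest.net/blog/2018/02/07/cve-2018-4878-adobe-flash-0day-itw"
        reference2  = "https://twitter.com/i/moments/960633253165191170"
        inquest_event_id = "5000798"

    strings:
        // Build/project paths and a server path recovered from known samples.
        // Any single one of these is sufficient to fire (see condition), so each
        // must stay specific enough not to hit unrelated files.
        // $known5 was removed: it was a byte-for-byte duplicate of $known1
        // (identical string and modifiers), so coverage is unchanged.
        $known1 = "F:\\work\\flash\\obfuscation\\loadswf\\src" nocase wide ascii
        $known2 = "G:\\FlashDeveloping" nocase wide ascii
        $known3 = "Z:\\Main\\zero day\\Troy" nocase wide ascii
        $known4 = "C:\\Users\\Rose\\Adobe Flash Builder 4.6\\ExpAll\\src" nocase wide ascii
        $known6 = "admincenter/files/boad/4/manager.php" nocase wide ascii

        // EMBEDDED FLASH OBJECT BIN HEADER (XMP/RDF metadata tag)
        $header = "rdf:RDF" wide ascii

        // OBJECT APPLICATION TYPE TITLE
        // disabled 2018-02-13 due to false positive on
        // 2a75ff1acdf9141bfb836343f94f4a73b8c64b226b0e2ae30a69e9aacc472cba
        // $title = "Adobe Flex" wide ascii

        // PDB PATH. Case-sensitive variant of $known1: every $pdb match is
        // therefore also a $known1 match (nocase is a superset of exact case).
        $pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii

        // LOADER STRINGS. $loader1/$loader2 are ordinary ActionScript class
        // names and are far too generic on their own; they are only ever used
        // in combination with $pdb and $header below.
        $loader1 = "URLRequest" wide ascii
        $loader2 = "URLLoader" wide ascii
        $loader3 = "loadswf" wide ascii
        $loader4 = "myUrlReqest" wide ascii

        // 1a3269253784f76e3480e4b3de312dfee878f99045ccfd2231acb5ba57d8ed0d.fws
        // exploit-specific multivar definition: "999" followed by exactly 100
        // repetitions of <0x05><letter>10NN / 11NN. nocase widens [a-z] to both cases.
        $observed_multivar_1 = /999(\x05[a-z]10[0-9][0-9]){100}/ nocase wide ascii
        $observed_multivar_2 = /999(\x05[a-z]11[0-9][0-9]){100}/ nocase wide ascii

        // SWF file signature: the bytes spell "FWS", "CWS" or "ZWS".
        $flash_magic = { (43 | 46 | 5A) 57 53 }

        // 53fa83d02cc60765a75abd0921f5084c03e0b7521a61c4260176e68b6a402834
        // exploit-specific. These carry no modifiers, so (unlike the strings
        // above) they match ASCII only. NOTE(review): adding "wide" would
        // broaden the last branch of the condition -- confirm against the
        // sample before changing.
        $exp53_1 = "C:\\Users\\Miha\\AdobeMinePoC"
        $exp53_2 = "UAFGenerator"
        $exp53_3 = "shellcodBytes"
        $exp53_4 = "DRM_obj"
        $exp53_5 = "MainExp"

    condition:
        // Raw SWF (signature at offset 0) carrying both observed multivar tables.
        ($flash_magic at 0 and all of ($observed_multivar*))
        or
        // Any known artifact path, anywhere in the file. This branch is not
        // gated on $flash_magic at 0, presumably so a SWF embedded inside
        // another container still matches; the trade-off is that any file
        // merely quoting these paths (reports, this rule file itself) also hits.
        (any of ($known*))
        or
        // disabled 2018-02-13 due to false positive on
        // 2a75ff1acdf9141bfb836343f94f4a73b8c64b226b0e2ae30a69e9aacc472cba
        //(all of ($header*) and all of ($title*) and 3 of ($loader*))
        // or
        // Logically subsumed by the $known branch (see note on $pdb); kept so
        // the original detection intent stays readable.
        (all of ($pdb*) and all of ($header*) and 1 of ($loader*))
        or
        // Raw SWF carrying every string specific to sample 53fa83...2834.
        ($flash_magic at 0 and all of ($exp53*))
}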