Added CVE_2015_1674_CNGSYS from Loki

0a910b8c · David André · 7913f78f · 0a910b8c
Commit 0a910b8c authored May 20, 2015 by David André
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

Miscelanea.yar malware/Miscelanea.yar +20 -0

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -905,3 +905,23 @@ rule CN_Toolset_LScanPortss_2 {
 	condition:
 		4 of them
 }
+rule CVE_2015_1674_CNGSYS {
+	meta:
+		description = "Detects exploits for CVE-2015-1674"
+		author = "Florian Roth"
+		reference = "http://www.binvul.com/viewthread.php?tid=508"
+		reference2 = "https://github.com/Neo23x0/Loki/blob/master/signatures/exploit_cve_2015_1674.yar"
+		date = "2015-05-14"
+		hash = "af4eb2a275f6bbc2bfeef656642ede9ce04fad36"
+	strings:
+		$s1 = "\\Device\\CNG" fullword wide
+		$s2 = "GetProcAddress" fullword ascii
+		$s3 = "LoadLibrary" ascii
+		$s4 = "KERNEL32.dll" fullword ascii
+		$s5 = "ntdll.dll" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 60KB and all of them
+}