Create CVE-2016-5195.yar

CVE_Rules/CVE-2016-5195.yar

+
+rule Linux_DirtyCow_Exploit {
+   meta:
+      description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"
+      author = "Florian Roth"
+      reference = "http://dirtycow.ninja/"
+      date = "2016-10-21"
+   strings:
+      $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }
+
+      $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
+      $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }
+
+      $source1 = "madvise(map,100,MADV_DONTNEED);"
+      $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
+      $source3 = ",map,SEEK_SET);"
+
+      $source_printf1 = "mmap %x"
+      $source_printf2 = "procselfmem %d"
+      $source_printf3 = "madvise %d"
+      $source_printf4 = "[-] failed to patch payload"
+      $source_printf5 = "[-] failed to win race condition..."
+      $source_printf6 = "[*] waiting for reverse connect shell..."
+
+      $s1 = "/proc/self/mem"
+      $s2 = "/proc/%d/mem"
+      $s3 = "/proc/self/map"
+      $s4 = "/proc/%d/map"
+
+      $p1 = "pthread_create" fullword ascii
+      $p2 = "pthread_join" fullword ascii
+   condition:
+      ( uint16(0) == 0x457f and $a1 ) or
+      all of ($b*) or
+      3 of ($source*) or
+      ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
+}