Create CVE-2018-20250.yar

a6845dee · jovimon · GitHub · 889b02d8 · a6845dee
Unverified Commit a6845dee authored Mar 17, 2019 by jovimon Committed by GitHub Mar 17, 2019
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

CVE-2018-20250.yar CVE_Rules/CVE-2018-20250.yar +22 -0

No files found.
--- a/CVE_Rules/CVE-2018-20250.yar
+++ b/CVE_Rules/CVE-2018-20250.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
+{
+    meta:
+        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
+        author = "xylitol@temari.fr"
+        date = "2019-03-17"
+        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
+        // May only the challenge guide you
+    strings:
+        $string1 = "**ACE**" ascii wide
+        $string2 = "*UNREGISTERED VERSION*" ascii wide
+        // $hexstring1 = C:\C:\
+        $hexstring1 = {?? 3A 5C ?? 3A 5C}
+        // $hexstring2 = C:\C:C:..
+        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
+    condition:  
+         $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
+}