Adobe_Flash_DRM_Use_After_Free.rule
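/*
Generically detect exploitation of CVE-2018-4878, a use-after-free vulnerability affecting Adobe Flash versions up to
and including 28.0.0.137. Following the conversation at:
http://blog.inquest.net/blog/2018/02/07/cve-2018-4878-adobe-flash-0day-itw
https://twitter.com/i/moments/960633253165191170
InQuest customers can detect related events on their network by searching for:
event ID 5000805

Input contract: the rule is written against decompiled ActionScript (see meta.note), not the raw SWF. Every string
and regex below is matched against decompiler output, so hit rates depend on the decompiler's formatting.
*/
rule Adobe_Flash_DRM_Use_After_Free
{
    meta:
        note = "This YARA rule is intended to run atop of decompiled Flash."
    strings:
        // Anchor: the decompiled source is expected to open with a package declaration ("at 0" in the condition).
        $as = "package"
        // Required API surface: the mediacore import plus the three calls the rule keys on. All four must be present.
        $exp1 = "import com.adobe.tvsdk.mediacore" // covers .*
        $exp2 = "createDispatcher("
        $exp3 = "createMediaPlayer("
        $exp4 = "drmManager.initialize(" // com.adobe.tvsdk.mediacore.DRMOperationCompleteListener;
        // Variant A: push(this) and push(null) plus an assignment whose left-hand side is a member of pop()
        // and whose right-hand side also ends in pop(). All three must match.
        $vara_1 = "push(this)"
        $vara_2 = "push(null)"
        $vara_3 = /pop\(\)\..+\s*=\s*.+pop\(\)/
        // Variant B: a push( whose argument (1-24 chars, no closing paren) runs straight into drmManager.initialize.
        // The '.' is escaped so only a literal dot matches, consistent with $varc_1; the previous unescaped '.'
        // matched any single character.
        $varb_1 = /push\([^\)]{1,24}drmManager\.initialize/
        // Variant C: all the requisite pieces in a single function body — one brace-delimited block (no '}' in
        // between) containing createDispatcher(, createMediaPlayer(, drmManager.initialize( and a "= null"
        // assignment, in that order.
        $varc_1 = /\{[^\}]+createDispatcher\s*\([^\}]+createMediaPlayer\s*\([^\}]+drmManager\.initialize\s*\([^\}]+=\s*null[^\}]+\}/
    condition:
        // "package" at offset 0, every API marker present, and at least one of the three pattern variants.
        $as at 0 and all of ($exp*) and (all of ($vara*) or $varb_1 or $varc_1)
}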