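/*
  Generically detect exploitation of CVE-2018-4878, a use-after-free
  vulnerability affecting Adobe Flash versions up to and including 28.0.0.137.

  Following the conversation at:
    http://blog.inquest.net/blog/2018/02/07/cve-2018-4878-adobe-flash-0day-itw
    https://twitter.com/i/moments/960633253165191170

  InQuest customers can detect related events on their network by searching for:
    event ID 5000805
*/

rule Adobe_Flash_DRM_Use_After_Free
{
    meta:
        description = "Detects ActionScript call patterns associated with CVE-2018-4878 (Adobe Flash DRM use-after-free) in decompiled Flash content"
        note        = "This YARA rule is intended to run atop of decompiled Flash."
        cve         = "CVE-2018-4878"
        reference   = "http://blog.inquest.net/blog/2018/02/07/cve-2018-4878-adobe-flash-0day-itw"
        reference2  = "https://twitter.com/i/moments/960633253165191170"
        event_id    = "5000805"

    strings:
        // Decompiled ActionScript starts with its package declaration; the
        // condition anchors this at offset 0 so raw SWF bytes are not matched.
        $as = "package"

        // Mandatory pieces: the com.adobe.tvsdk.mediacore import (also covers
        // ".*" sub-imports) and the dispatcher -> media player -> DRM manager
        // call chain that the vulnerable code path exercises.
        $exp1 = "import com.adobe.tvsdk.mediacore" // covers .*
        $exp2 = "createDispatcher("
        $exp3 = "createMediaPlayer("
        $exp4 = "drmManager.initialize("          // com.adobe.tvsdk.mediacore.DRMOperationCompleteListener;

        // Variant A: push(this) / push(null) followed by an assignment made
        // through pop(). The ".+" quantifiers are unbounded, so YARA may warn
        // that $vara_3 can slow scanning of large decompiles; kept as-is to
        // preserve the original match semantics.
        $vara_1 = "push(this)"
        $vara_2 = "push(null)"
        $vara_3 = /pop\(\)\..+\s*=\s*.+pop\(\)/

        // Variant B: drmManager.initialize called directly inside a push()
        // argument list. The "." is escaped so it only matches a literal dot,
        // consistent with how $varc_1 spells the same call.
        $varb_1 = /push\([^\)]{1,24}drmManager\.initialize/

        // Variant C: all the requisite pieces in a single function body,
        // ending with an assignment of null before the closing brace.
        $varc_1 = /\{[^\}]+createDispatcher\s*\([^\}]+createMediaPlayer\s*\([^\}]+drmManager\.initialize\s*\([^\}]+=\s*null[^\}]+\}/

    condition:
        // package declaration at offset 0, every mandatory piece present,
        // and at least one of the three variant patterns.
        $as at 0 and
        all of ($exp*) and
        (all of ($vara*) or $varb_1 or $varc_1)
}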