Create CVE-2022-0847.yar

cve_rules/CVE-2022-0847.yar

@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
+    and open to any user or organization, as long as you use it under this license.
+
+    Author: Max Kellerman
+    Date: 2022-02-19
+    Identifier: Dirty Pipe PoC
+*/
+
+/*  Super Rule ------------------------------------------------------------- */
+
+rule DirtyPipez_CVE_2022_0847
+{
+    meta:
+        description = "Exploit Sample DirtyPipe CVE-2022-0847"
+        author = "Max Kellerman"
+        eference = "hxxps[://]dirtypipe[.]cm4all[.]com/"
+        date = "2022-02-19"
+        vuln_type = "Local Privilege Escalation (DirtyCow reloaded?)"
+        vuln_impact = "SUID binary hijack"
+        affected_versions = "Linux kernel >5.15 <5.15.25 >=5.16 <5.16.11"
+        report = "hxxps[://]dirtypipe[.]cm4all[.]com/"
+        hash1 = "8ced0e276f4cbe52ddac086b0a902e63970edc1a3ef22ba9dfc7150d8052bcf7"
+        hash2 = "49561b607ebee157831f4eb55be9893165cf522c71a92c1b80aacc8262489f14"
+
+
+/*  Automatically generated by yarGen -------------------------------------- */
+    strings:
+        $s1 = "prepare_pipe" fullword ascii
+        $s2 = "pipe@GLIBC_2.2.5" fullword ascii
+        $s3 = "splice failed" fullword ascii
+        $s4 = "_IO_stdin_used" fullword ascii
+        $s5 = ".note.ABI-tag" fullword ascii
+        $s6 = "__stack_chk_fail@GLIBC_2.4" fullword ascii
+        $s7 = ".eh_frame_hdr" fullword ascii
+        $s8 = "__FRAME_END__" fullword ascii
+        $s9 = "__frame_dummy_init_array_entry" fullword ascii
+        $s10 = "read@GLIBC_2.2.5" fullword ascii
+        $s11 = "__GNU_EH_FRAME_HDR" fullword ascii
+        $s12 = "short splice" fullword ascii
+        $s13 = "__libc_start_main" fullword ascii
+        $s14 = "__do_global_dtors_aux_fini_array_entry" fullword ascii
+        $s15 = "buffer.0" fullword ascii
+    condition:
+        uint16(0) == 0x457f and ( 8 of them ) or ( all of them )
+}