// Generic detector for metasploit's raw (unencoded) x86 meterpreter reverse_tcp
// stager. It keys on the fixed prologue and on the 4-byte API checksums the
// stager pushes before each call, so the match is independent of the LHOST/LPORT
// bytes embedded in a given build. The *_rev1, *_rev2 and *_domain rules below
// reference this rule by name, so the rule name must stay stable.
rule meterpreter_reverse_tcp_shellcode {
    meta:
        author = "FDD @ Cuckoo sandbox"
        description = "Rule for metasploit's meterpreter reverse tcp raw shellcode"
    strings:
        $prologue       = { fce8 8?00 0000 60 } // cld / call rel32 / pushad -- metasploit shellcode prologue
        $peb_read       = { 648b ??30 }         // mov edx, fs:[???+0x30] -- PEB read at the start of the API resolver
        $api_loadlib    = { 4c77 2607 }         // API checksum for kernel32!LoadLibraryA (same bytes the other rules label LoadLibraryA)
        $dll_ws2        = "ws2_"                // start of the ws2_32.dll name passed to LoadLibraryA
        $api_wsastartup = { 2980 6b00 }         // API checksum for WSAStartup
        $api_wsasocket  = { ea0f dfe0 }         // API checksum for WSASocketA
        $api_connect    = { 99a5 7461 }         // API checksum for connect
    condition:
        // Every marker must be present; the size bound keeps this to small raw blobs.
        $prologue and $peb_read and $api_loadlib and $dll_ws2 and
        $api_wsastartup and $api_wsasocket and $api_connect and
        filesize < 5KB
}
// Revision 1 of the reverse_tcp stager: the generic rule must hit, plus a
// "push 0; push ebx; call ebp" sequence located in the tail of the blob.
// LHOST/LPORT in meta appear to be byte offsets of the address/port fields for
// this revision (0xae / 0xb5) -- informational only, the condition does not
// use them; confirm against a reference sample before relying on the offsets.
rule meterpreter_reverse_tcp_shellcode_rev1 {
    meta:
        author = "FDD @ Cuckoo sandbox"
        description = "Meterpreter reverse TCP shell rev1"
        LHOST = 0xae
        LPORT = 0xb5
    strings:
        $tail = { 6a00 53ff d5 } // push 0; push ebx; call ebp
    condition:
        // Only an occurrence at offset 270 or later counts, so the hit has to come
        // from the tail of the stager rather than from the shared prologue/resolver.
        meterpreter_reverse_tcp_shellcode and $tail in (270..filesize)
}
// Revision 2 of the reverse_tcp stager: the generic rule must hit, plus a
// "jnz <back>; ret" sequence located in the tail of the blob.
// LHOST/LPORT in meta appear to be decimal byte offsets of the address/port
// fields for this revision (194 / 201) -- informational only, the condition
// does not use them; confirm against a reference sample.
rule meterpreter_reverse_tcp_shellcode_rev2 {
    meta:
        author = "FDD @ Cuckoo sandbox"
        description = "Meterpreter reverse TCP shell rev2"
        LHOST = 194
        LPORT = 201
    strings:
        $tail = { 75ec c3 } // jnz rel8 (backwards); ret
    condition:
        // Same offset floor as rev1: the marker must sit at or past byte 270.
        meterpreter_reverse_tcp_shellcode and $tail in (270..filesize)
}
// reverse_tcp variant built with a host name (LHOST=domain) instead of a
// hard-coded IP. On top of the generic rule it needs the gethostbyname API
// checksum and a dotted name somewhere in the blob.
rule meterpreter_reverse_tcp_shellcode_domain {
    meta:
        author = "FDD @ Cuckoo sandbox"
        description = "Variant used if the user specifies a domain instead of a hard-coded IP"
    strings:
        $api_gethostbyname = { a928 3480 } // API checksum for gethostbyname
        // NOTE(review): this pattern accepts any dotted run of word characters
        // (one or more "label." groups followed by a 2-6 character label), so it
        // offers little discrimination on its own; the API checksum and the
        // generic rule carry the detection.
        $domain            = /(\w+\.)+\w{2,6}/
    condition:
        meterpreter_reverse_tcp_shellcode and $api_gethostbyname and $domain
}
// metasploit download-and-execute stager, revision 1: the common prologue and
// PEB read, the LoadLibraryA checksum, the WinINet API checksums it resolves
// (including InternetSetOptionA), and a path-like "/..." token for the URL.
// The URL meta value (185) looks like the byte offset of the embedded URL for
// this revision; it is informational only -- confirm against a sample.
rule metasploit_download_exec_shellcode_rev1 {
    meta:
        author = "FDD @ Cuckoo Sandbox"
        description = "Rule for metasploit's download and exec shellcode"
        name = "Metasploit download & exec payload"
        URL = 185
    strings:
        $prologue        = { fce8 8?00 0000 60 } // cld / call rel32 / pushad -- metasploit shellcode prologue
        $peb_read        = { 648b ??30 }         // mov edx, fs:[???+0x30] -- PEB read in the API resolver
        $api_loadlib     = { 4c77 2607 }         // API checksum for LoadLibraryA
        $api_inetopen    = { 3a56 79a7 }         // API checksum for InternetOpenA
        $api_inetconnect = { 5789 9fc6 }         // API checksum for InternetConnectA
        $api_httpopen    = { eb55 2e3b }         // API checksum for HTTPOpenRequestA
        $api_setoption   = { 7546 9e86 }         // API checksum for InternetSetOptionA (absent in rev2)
        $api_httpsend    = { 2d06 187b }         // API checksum for HTTPSendRequestA
        // A "/" followed by one or more word/underscore/hyphen/dot characters;
        // matches almost any URL path fragment, so it is a weak marker by itself.
        $url             = /\/[\w_\-\.]+/
    condition:
        $prologue and $peb_read and $api_loadlib and
        $api_inetopen and $api_inetconnect and $api_httpopen and
        $api_setoption and $api_httpsend and $url and
        filesize < 5KB
}
// metasploit download-and-execute stager, revision 2. Identical to rev1 except
// that the InternetSetOptionA checksum is not required.
// NOTE(review): because this string set is a strict subset of rev1's, every
// sample that matches rev1 also matches this rule. If the two revisions are
// meant to be mutually exclusive, the condition would need an explicit
// "and not { 7546 9e86 }" style exclusion; left as-is to preserve behaviour.
// The URL meta value (185) looks like the byte offset of the embedded URL;
// informational only -- confirm against a sample.
rule metasploit_download_exec_shellcode_rev2 {
    meta:
        author = "FDD @ Cuckoo Sandbox"
        description = "Rule for metasploit's download and exec shellcode"
        name = "Metasploit download & exec payload"
        URL = 185
    strings:
        $prologue        = { fce8 8?00 0000 60 } // cld / call rel32 / pushad -- metasploit shellcode prologue
        $peb_read        = { 648b ??30 }         // mov edx, fs:[???+0x30] -- PEB read in the API resolver
        $api_loadlib     = { 4c77 2607 }         // API checksum for LoadLibraryA
        $api_inetopen    = { 3a56 79a7 }         // API checksum for InternetOpenA
        $api_inetconnect = { 5789 9fc6 }         // API checksum for InternetConnectA
        $api_httpopen    = { eb55 2e3b }         // API checksum for HTTPOpenRequestA
        $api_httpsend    = { 2d06 187b }         // API checksum for HTTPSendRequestA
        // A "/" followed by one or more word/underscore/hyphen/dot characters;
        // matches almost any URL path fragment, so it is a weak marker by itself.
        $url             = /\/[\w_\-\.]+/
    condition:
        $prologue and $peb_read and $api_loadlib and
        $api_inetopen and $api_inetconnect and $api_httpopen and
        $api_httpsend and $url and
        filesize < 5KB
}
// metasploit bind-shell stager: the common prologue and PEB read, the
// LoadLibraryA checksum, and the Winsock API checksums a listener needs
// (WSAStartup, WSASocketA, bind, listen, accept). No connect checksum, which
// is what separates it from the reverse_tcp rule above.
rule metasploit_bind_shell {
    meta:
        author = "FDD @ Cuckoo Sandbox"
        description = "Rule for metasploit's bind shell shellcode"
        name = "Metasploit bind shell payload"
    strings:
        $prologue       = { fce8 8?00 0000 60 } // cld / call rel32 / pushad -- metasploit shellcode prologue
        $peb_read       = { 648b ??30 }         // mov edx, fs:[???+0x30] -- PEB read in the API resolver
        $api_loadlib    = { 4c77 2607 }         // API checksum for LoadLibraryA
        $api_wsastartup = { 2980 6b00 }         // API checksum for WSAStartup
        $api_wsasocket  = { ea0f dfe0 }         // API checksum for WSASocketA
        $api_bind       = { c2db 3767 }         // API checksum for bind
        $api_listen     = { b7e9 38ff }         // API checksum for listen
        $api_accept     = { 74ec 3be1 }         // API checksum for accept
    condition:
        $prologue and $peb_read and $api_loadlib and
        $api_wsastartup and $api_wsasocket and
        $api_bind and $api_listen and $api_accept and
        filesize < 5KB
}