dmknght/dirtycow.yara

## dirtycow.yara
import "elf"

/*
  ANALYSIS
  Example is a compiled DirtyCow Exploit
  The binary has multiple unique functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid
  Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB"
  Current ELF module of Yara version (4.2.0) doesn't have built-in function to check multiple functions imported in binary.
  This rule file shows an easy way to do it
*/

rule dirtycow {
  meta:
    author = "Nong Hoang Tu"
    email = "dmknght@parrotsec.org"
    md5 = "3871cfbee9b6fab4d7cf65cd18a1353a"
    description = "DirtyCow exploit"
  strings:
    $1 = "crypt"
    $2 = "madvise"
    $3 = "pthread_create"
    $4 = "ptrace"
    $5 = "waitpid"
    $6 = "getpass" // False positive signal-desktop binary without this function. However, it's very easy to bypass it using normal get string method from sdtin
  condition:
    uint32(0) == 0x464c457f and for any i in (0 .. elf.number_of_sections): // Make sure the file is ELF file. 0x464c457f is ELF file magic
    (
      // The section is ".dynstr". elf.SHT_STRTAB should be used for this and ".strtab". This for loop enumerates all sections
      // then check section's type and then check all strings inside
      // This rule can add condtion "elf.sections[i].name == ".dynstr" for better performance (skip checking ".strtab") and
      // more accurate detection rate. However, it's unknown if the EFL file obfuscates the sections at compile time
      elf.sections[i].type == elf.SHT_STRTAB and all of them in (elf.sections[i].offset .. elf.sections[i].offset + elf.sections[i].size)
    )
    // Condition can be combined with unique strings inside the binary so the rule can detect both runtime and static file.
}
	import "elf"

	/*
	ANALYSIS
	Example is a compiled DirtyCow Exploit
	The binary has multiple unique functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid
	Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB"
	Current ELF module of Yara version (4.2.0) doesn't have built-in function to check multiple functions imported in binary.
	This rule file shows an easy way to do it
	*/

	rule dirtycow {
	meta:
	author = "Nong Hoang Tu"
	email = "dmknght@parrotsec.org"
	md5 = "3871cfbee9b6fab4d7cf65cd18a1353a"
	description = "DirtyCow exploit"
	strings:
	$1 = "crypt"
	$2 = "madvise"
	$3 = "pthread_create"
	$4 = "ptrace"
	$5 = "waitpid"
	$6 = "getpass" // False positive signal-desktop binary without this function. However, it's very easy to bypass it using normal get string method from sdtin
	condition:
	uint32(0) == 0x464c457f and for any i in (0 .. elf.number_of_sections): // Make sure the file is ELF file. 0x464c457f is ELF file magic
	(
	// The section is ".dynstr". elf.SHT_STRTAB should be used for this and ".strtab". This for loop enumerates all sections
	// then check section's type and then check all strings inside
	// This rule can add condtion "elf.sections[i].name == ".dynstr" for better performance (skip checking ".strtab") and
	// more accurate detection rate. However, it's unknown if the EFL file obfuscates the sections at compile time
	elf.sections[i].type == elf.SHT_STRTAB and all of them in (elf.sections[i].offset .. elf.sections[i].offset + elf.sections[i].size)
	)
	// Condition can be combined with unique strings inside the binary so the rule can detect both runtime and static file.
	}