Et rule 2033775 - Magic-SigExplorer

""ET EXPLOIT Microsoft Edge Chakra - InjectJsBuiltInLibraryCode Use-After-Free Inbound (CVE-2019-0568)""

SID: 2033775

Revision: 2

Class Type: attempted-admin

Metadata: attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2019_0568, deployment Perimeter, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_08_24

Reference:

cve
2019-0568

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,from_server

Contents:

Value: "200"
Value: "function"
Value: "|28 7b 7d 29|.proto"
Value: "Error.prototype.toString"

Within:

PCRE: "/^\s(?P[A-Za-z0-9_-]{1,20})()\s{\slet\s(?P[A-Za-z0-9_-]{1,20})\s=\s{}\x3b\s(?:\/\/[\w\s_-]+)?(?:\/\/\s[^\r\n]+\r\n)?(?P=o_var).(?P[A-Za-z0-9_-]{1,20}).{1,300}for\s(\slet\s(?P[A-Za-z0-9_-]{1,20})\s=\s\d{1,8}\s\x3b\s(?:\/\/[\w\s_-]+)?(?:\/\/\s[^\r\n]+\r\n)?(?P=counter)\s(?:<|>)\s(?:0x)?\d{2,}\s\x3b\s(?:\/\/[\w\s_-]+)?(?:\/\/\s[^\r\n]+\r\n)?(?P=counter)(?:+{2}|-{2})).{1,100}(?P=opt)().{1,300}let\s(?P[A-Za-z0-9_-]{1,20})\s=\snull.{1,100}let\s(?P[A-Za-z0-9_-]{1,20})\s=\s({}).proto\x3b.{1,300}(?P=obj_proto).defineGetter(\x22\x27[\x22\x27],\sError.prototype.toString)\x3b\s(?:\/\/[\w\s_-]+)?(?:\/\/\s[^\r\n]+\r\n)?(?P=obj_proto).defineGetter(\x22\x27[\x22\x27].{1,300}delete\s(?P=obj_proto).(?P=message_proto)\x3b.{1,300}(?P=obj_proto).\w+\s=\s*Array.prototype.{1,300}(?P=opt)/Rs"

Special Options:

http_stat_code
file_data
fast_pattern

source