"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M2 (CVE-2018-8617)"

SID: 2034004

Revision: 2

Class Type: attempted-admin

Metadata: attack_target Client_Endpoint, created_at 2021_09_21, cve CVE_2018_8617, deployment Perimeter, signature_severity Major, tag Exploit, updated_at 2021_09_21

Reference:

  • cve, 2018-8617

Protocol: tcp

Source Network: any

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

  • Value: "function"

  • Value: "Object.prototype.p"

  • Value: "|20|=|20|Array.prototype.p"

Within:

PCRE: "/^\s(?P[\w-]{1,20})((?P[\w-]{1,20})\s,\s(?P[\w-]{1,20}).{1,300}(?P=obj_1).(?P[\w-]{1,20})\s=\s\d+(?:.\d+)?.{1,300}?(?P=obj_2).pop().{1,300}?(?P=obj_1).(?P[\w-]{1,20})\s=\s\d+(?:.\d+)?.{1,500}Object.prototype.p(op|ush)\s=\sArray.prototype.p(op|ush)\x3b.{1,500}var\s(?P[\w-]{1,20})\s=\s{\s(?P=prop_1)\s\x3a\s\d+(?:.\d+)?\s,\s(?:(?P=prop_2)\s\x3a\s\d+(?:.\d+)?|(?P=prop_2)\s\x3a\s\d+(?:.\d+)?\s,\s(?P=prop_1)\s\x3a\s\d+(?:.\d+)).{1,500}(?P=func_a)(\s(?:(?P=obj_3)\s,\snew\sObject()|\snew\sObject()\s,\s(?P=obj_3)\s).{1,500}?(?P=func_a)((?P=obj_3)/Rsi"

Special Options:

  • file_data

  • fast_pattern
