Navin ‘nuvs’ Jain nuvs
karanlyons
/ ZoomDaemon.yara
Last active
August 5, 2024 23:37
Fixes for Zoom, RingCentral, Zhumu (and additional white labels) RCE vulnerabilities
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private rule Macho | |
| { | |
| meta: | |
| description = "private rule to match Mach-O binaries (copied from Apple's XProtect)" | |
| condition: | |
| uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca | |
| } | |
| rule ZoomDaemon | |
| { |