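// Detection for Neo-reGeorg HTTP tunnel shells (PHP / JSP / JSPX / ASPX).
// Four independent branches: one on generic tunnel markers, three on
// language-specific template fragments. Every text string must sit on a
// single line -- YARA text strings cannot span lines, so the wrapped
// strings from the published listing are re-joined here.
rule neo_regeorg_proxy {
	meta:
		author = "Charles Lomboni - Security Joes"
		description = "Rules to detect neo-reGeorg proxy tool"
		date = "June, 2022"
		reference = "https://github.com/L-codes/Neo-reGeorg"
	strings:
		// --- Generic tunnel markers ---------------------------------------
		// $neo_regeorg_en is the stock base64 alphabet and appears in a lot of
		// benign code; it only carries weight because the branch ANDs all
		// seven strings. "BASE64 CHARSLIST" is a template placeholder, so this
		// branch fires on unrendered templates/source copies; NOTE(review):
		// the reference generator appears to substitute the alphabet (and
		// possibly the X-* header names) at generation time -- confirm against
		// a generated tunnel before relying on this branch for deployed shells.
		$neo_regeorg_en = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
		$neo_regeorg_de = "BASE64 CHARSLIST"
		$neo_regeorg_cmd = "X-CMD"
		$neo_regeorg_target = "X-TARGET"
		$neo_regeorg_error = "X-ERROR"
		$neo_regeorg_status = "X-STATUS"
		$neo_regeorg_phrase = "Georg says, 'All seems fine'"

		// --- PHP tunnel -----------------------------------------------------
		$neo_pass_php_1 = "if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);"
		$neo_pass_php_2 = "$mark = substr($cmd,0,22);"
		$neo_pass_php_3 = "$cmd = substr($cmd, 22);"
		$neo_pass_php_4 = "$writebuf = \"writebuf\".$mark;"
		$neo_pass_php_5 = "$readbuf = \"readbuf\".$mark;"
		$neo_pass_php_6 = "$target_ary = explode(\"|\", base64_decode(strtr($headers["
		$neo_pass_php_7 = "$_SESSION[$writebuf] .= base64_decode(strtr($rawPostData, $de, $en));"

		// --- JSP / JSPX tunnel ----------------------------------------------
		// The jsp:root prologue is one physical line in the template. The
		// published listing had it wrapped with "mlns:jsp" at the break; the
		// XML attribute is "xmlns:jsp". NOTE(review): verify the exact
		// whitespace between the version and xmlns attributes against the
		// reference tunnel.jspx -- a single extra space breaks the match.
		$neo_pass_jspx_1 = "<jsp:root version=\"2.0\" xmlns:jsp=\"http://java.sun.com/JSP/Page\"><jsp:directive.page contentType=\"text/html\"/><jsp:directive.page pageEncoding=\"UTF-8\" trimDirectiveWhitespaces=\"true\"/>"
		$neo_pass_jspx_2 = "return super.defineClass(b, 0, b.length);"
		$neo_pass_jspx_3 = "Class clazz = new U(this.getClass().getClassLoader()).g(clazzBytes);"
		$neo_pass_jsp_1 = "<%@page pageEncoding=\"UTF-8\" trimDirectiveWhitespaces=\"true\"%>"

		// --- ASPX tunnel ----------------------------------------------------
		// Plain text strings match ASCII/UTF-8 only; an ASPX saved as UTF-16
		// would need "ascii wide" on these (not added here to keep the
		// published match semantics).
		$neo_pass_aspx_1 = "public String StrTr(string input, string frm, string to) {"
		$neo_pass_aspx_2 = "String en = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";"
		$neo_pass_aspx_3 = "Uri u = new Uri(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(StrTr(rUrl, de, en))));"
		$neo_pass_aspx_4 = "request.Headers.Add(key, Request.Headers.Get(key));"
		$neo_pass_aspx_5 = "if((c = Request.InputStream.Read(buff, 0, buff.Length)) > 0) {"
		$neo_pass_aspx_6 = "String mark = cmd.Substring(0,22);"
		$neo_pass_aspx_7 = "String target_str = System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get("
	condition:
		// Any one branch is sufficient; within a branch every string is
		// required, which keeps the common base64 alphabet from firing alone.
		(
			$neo_regeorg_en and $neo_regeorg_de and $neo_regeorg_cmd and
			$neo_regeorg_target and $neo_regeorg_error and $neo_regeorg_status and
			$neo_regeorg_phrase
		) or (
			$neo_pass_php_1 and $neo_pass_php_2 and $neo_pass_php_3 and
			$neo_pass_php_4 and $neo_pass_php_5 and $neo_pass_php_6 and
			$neo_pass_php_7
		) or (
			// JSP and JSPX share the class-loading body; only the page prologue differs.
			($neo_pass_jspx_1 or $neo_pass_jsp_1) and
			$neo_pass_jspx_2 and $neo_pass_jspx_3
		) or (
			$neo_pass_aspx_1 and $neo_pass_aspx_2 and $neo_pass_aspx_3 and
			$neo_pass_aspx_4 and $neo_pass_aspx_5 and $neo_pass_aspx_6 and
			$neo_pass_aspx_7
		)
}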
Details Pdf 2022-06-14 114 Backdoor via XFF – Mysterious Threat Actor Under Radar