编写imap协议、IIS、wordpress、log4j、cve-2015-2443、netwave-ip-camera漏洞、TLS/DTLS heartbeat、OpenDreamBox的suricata规则-测试(9004062-9004079)
1.测试规则(9004062)
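# Test for rule 9004062 (IMAP failed-login / brute-force).
# Step 1 - Host B: start a fake IMAP server that rejects every LOGIN.
# Binding port 143 needs root or CAP_NET_BIND_SERVICE.
cat > fake_imap_143.py <<'PY'
"""Fake IMAP server: greets, reads one command, answers AUTHENTICATIONFAILED.

Lab tool only - it speaks just enough IMAP to produce the failed-login
response the rule under test is looking for.
"""
import socket
import threading

# Bind to the lab address used everywhere else on this page instead of
# 0.0.0.0, so the fake service is not exposed on every interface of host B.
LISTEN_ADDR = "10.10.10.2"
LISTEN_PORT = 143
RESP = b"A001 NO [AUTHENTICATIONFAILED] Authentication failed\r\n"


def handle(c: socket.socket) -> None:
    """Serve one client connection and always close it."""
    try:
        # Bound the per-connection lifetime: a client that connects but never
        # sends would otherwise pin a thread forever in recv().
        c.settimeout(5)
        c.sendall(b"* OK IMAP4 ready\r\n")
        _ = c.recv(4096)
        c.sendall(RESP)
    except OSError:
        # Best effort: a reset or timeout from the client is not an error here.
        pass
    finally:
        c.close()


s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((LISTEN_ADDR, LISTEN_PORT))
s.listen(200)
print(f"fake imap server listening on {LISTEN_ADDR}:{LISTEN_PORT}")
while True:
    c, _ = s.accept()
    threading.Thread(target=handle, args=(c,), daemon=True).start()
PY
python fake_imap_143.py

# Step 2 - Host A: send failed LOGIN attempts.
# Two runs (5 attempts, then 50): compare which run raises the alert to
# confirm the rule's count/threshold behaviour.
for i in $(seq 1 5); do
  printf 'A%03d LOGIN user pass\r\n' "$i" | nc 10.10.10.2 143 >/dev/null
done
for i in $(seq 1 50); do
  printf 'A%03d LOGIN user pass\r\n' "$i" | nc 10.10.10.2 143 >/dev/null
done

# Step 3 - Host B: inspect the captured traffic.
# imap_bf.pcap has to be captured on host B while step 2 runs; the capture
# command itself is not part of this page.
tshark -r imap_bf.pcap \
  -Y 'tcp.srcport==143 && (frame contains "AUTHENTICATIONFAILED" or frame contains "Authentication failed" or frame contains " NO ")' \
  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream -e tcp.payload -e tcp.len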
2.测试规则(9004064-9004065)
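# Test for rules 9004064-9004065 (IE CVE-2015-2443 signature).
# Step 1 - Host A: serve two pages. exploit.html is NOT a working exploit -
# it only carries the script keywords the two rules match on, arranged in
# the order the rules require; nothing here triggers the vulnerability.
cat > exploit.html <<'HTML'
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9">
</head>
<body>
<script>
function demo(){
  // keywords ordered as the two rules require
  var d = Object.getOwnPropertyDescriptor({a:1},"a");
  var s = String.fromCharCode(parseInt("90",16));
  try { throw new Error("boom"); } catch(e) {}
  return d + s;
}
demo();
</script>
</body>
</html>
HTML
# hunting.txt carries the same keywords but http.server serves it as
# text/plain: use it to check whether the rules depend on the response
# content type (text/html) or fire on any body.
cat > hunting.txt <<'TXT'
<script>
var d = Object.getOwnPropertyDescriptor({a:1},"a");
var s = String['fromCharCode'](parseInt("90",16));
var x = atob("QQ==");
</script>
TXT
python -m http.server 80 --bind 10.10.10.1

# Step 2 - Host B: request both files from host A.
curl -s http://10.10.10.1/exploit.html -o /dev/null
curl -s http://10.10.10.1/hunting.txt -o /dev/null

# Step 3 - Host B: analyse the capture.
# List frames containing the keywords. (The original filter had "HTTP /1."
# with a stray space, which matches no frame; the request/status line is
# "HTTP/1.".)
tshark -r IE_CVE_2015_2443.pcap \
  -Y 'frame contains "getOwnPropertyDescriptor" or frame contains "fromCharCode" or frame contains "HTTP/1."' \
  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len -e tcp.stream
# Dump the payload of one stream.
tshark -r IE_CVE_2015_2443.pcap -Y 'tcp.stream==0 && tcp.len>0' -x
# Reassemble the server response as ASCII.
tshark -r IE_CVE_2015_2443.pcap -Y 'tcp.srcport==80 && tcp.len>0' -T fields -e tcp.payload | head -n 5 | tr -d ':' | xxd -r -p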
3.测试规则(9004066-9004067)
# Test for rules 9004066-9004067 (WordPress MailPress action.php PHP-code injection).
# Step 1 - Host B: plain HTTP listener (a 404 reply is fine; only the request matters).
python -m http.server 80 --bind 10.10.10.2

# Step 2 - Host A: POST the "subject" parameter carrying a PHP open tag to the
# plugin endpoint, once fully URL-encoded and once with the tag left raw.
target='http://10.10.10.2/wp-content/plugins/mailpress/mp-includes/action.php'
for body in 'subject=%3C%3Fphp%20echo%201%3B' 'subject=<?php%20echo%201'; do
  curl -s -X POST "$target" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data "$body" -o /dev/null
done

# Step 3 - Host B: reassemble the request bodies from the capture.
tshark -r mailpress.pcap -Y 'ip.src==10.10.10.1 && tcp.dstport==80 && tcp.len>0' \
  -T fields -e tcp.payload | tr -d ':' | xxd -r -p | head -n 80
4.测试规则(9004068-9004069)
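# Test for rules 9004068-9004069 (IIS backslash / UNC-style path traversal).
# Step 1 - Host B: plain HTTP listener.
python -m http.server 80 --bind 10.10.10.2

# Step 2 - Host A: send the two traversal requests.
# The path must be passed as a printf ARGUMENT, not inside the format string:
#   - with printf '%s' (as originally written) the \r\n escapes are not
#     interpreted, so one line with literal "\r\n" text and no CRLF was sent,
#     i.e. nothing the server or the IDS HTTP parser accepts as a request;
#   - inside the format string "%5c" would be consumed as a width-5 %c
#     conversion and the URI would be mangled.
send_req() {
  printf 'GET %s HTTP/1.1\r\nHost: victim\r\n\r\n' "$1" | nc -nv 10.10.10.2 80
}
send_req '/test.asp%5c%5c127.0.0.1%5cc$%5cwindows%5csystem32%5c'
send_req '/..%5c..%5cwindows%5csystem32%5c'
# Whether the rule sees "%5c" or a decoded "\" depends on the URI buffer it
# matches on (normalised http.uri vs http.uri.raw) and the HTTP decoding
# config - check the rule text. This page gives no step 3 for these rules;
# the tshark listing used for the other rules applies unchanged.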
5.测试规则(9004070-9004071)
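# Test for rules 9004070-9004071 (Netwave IP camera get_status.cgi information disclosure).
# Step 1 - Host B: plain HTTP listener.
python -m http.server 80 --bind 10.10.10.2

# Step 2 - Host A: request get_status.cgi in several spellings.
# The path is passed as a printf ARGUMENT: printf '%s' (as originally written)
# leaves the \r\n escapes uninterpreted, so no CRLF-terminated request was
# actually sent, and placing the path in the format string would let "%5f"
# be parsed as a float conversion.
send_req() {
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2" | nc -nv 10.10.10.2 80
}
send_req '/get_status.cgi' '10.10.10.2'
# Variants: plain, single-encoded underscore, double-encoded underscore
# (%255f decodes to "%5f" after one pass, so it is an evasion / negative case
# unless the rule or the HTTP parser decodes twice), and the same under a
# prefix with a query string.
for p in \
  '/get_status.cgi' \
  '/get%5fstatus.cgi' \
  '/get%255fstatus.cgi' \
  '/foo/get_status.cgi?x=1' \
  '/foo/get%5fstatus.cgi?x=1'
do
  send_req "$p" 'victim' >/dev/null 2>&1
done

# Step 3 - Host B: list frames carrying any of the three spellings.
tshark -r netwave_status.pcap \
  -Y 'frame contains "get_status.cgi" or frame contains "get%5fstatus.cgi" or frame contains "get%255fstatus.cgi"' \
  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len -e tcp.stream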
6.测试规则(9004072-9004073)
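# Test for rules 9004072-9004073 (TLS heartbeat request with oversized claimed
# length / oversized heartbeat response).
# Both tools send raw heartbeat records on a bare TCP connection with no TLS
# handshake. If the rules use tls.* app-layer keywords they may never see a
# TLS session here; rules on raw tcp content / byte offsets on port 443 will.
# Check which form the rules use before reading a non-alert as a failure.
# Step 1 - Host B: start the fake server (binding port 443 needs root or
# CAP_NET_BIND_SERVICE; bind to the lab address, not every interface).
cat > hb_server.py <<'PY'
"""Fake TLS endpoint that answers any client with an oversized heartbeat response.

Lab tool for rule 9004073. It performs no handshake and parses nothing: it
reads whatever arrives and replies with one raw heartbeat record, so run it
only on the isolated test network.
"""
import argparse
import socket


def hexdump(b: bytes, width: int = 16) -> str:
    """Render *b* as offset-prefixed hex lines, *width* bytes per line."""
    out = []
    for i in range(0, len(b), width):
        chunk = b[i:i + width]
        hexs = " ".join(f"{x:02x}" for x in chunk)
        out.append(f"{i:04x}: {hexs}")
    return "\n".join(out)


def build_hb_response(record_minor: int = 0x02, record_len: int = 0x00A0) -> bytes:
    """Build one TLS heartbeat *response* record.

    Layout: record header type 0x18, version 0x03/record_minor, length (2);
    then heartbeat type 0x02, payload_length (set equal to record_len) and
    "B" padding so the fragment is record_len bytes long.

    Raises ValueError if record_len < 3: type + payload_length already take
    3 bytes, and without the check a smaller value silently produced an
    empty padding (the DTLS builder on this page has the same guard).
    """
    if record_len < 3:
        raise ValueError("record_len must be >= 3")
    hdr = bytes([0x18, 0x03, record_minor]) + record_len.to_bytes(2, "big")
    payload = bytes([0x02]) + record_len.to_bytes(2, "big") + b"B" * (record_len - 3)
    return hdr + payload


def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("--listen", default="0.0.0.0")
    ap.add_argument("--port", type=int, default=443)
    args = ap.parse_args()
    resp = build_hb_response(record_minor=0x02, record_len=0x00A0)  # 160 (>150)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((args.listen, args.port))
        s.listen(5)
        print(f"[+] Listening on {args.listen}:{args.port}")
        while True:
            c, addr = s.accept()
            print(f"[+] Accepted from {addr}")
            with c:
                # The server is single-threaded: a silent client must not
                # block recv() forever and stall the whole test.
                c.settimeout(5)
                try:
                    data = c.recv(4096)
                except socket.timeout:
                    data = b""
                print(f"[>] Received {len(data)} bytes")
                if data:
                    print(hexdump(data[:64]))
                # Send the oversized response no matter what was received;
                # this is the traffic meant to trigger 9004073.
                c.sendall(resp)
            print("[<] Sent large heartbeat response and closed")


if __name__ == "__main__":
    main()
PY
python hb_server.py --listen 10.10.10.2 --port 443

# Step 2 - Host A: send one malformed heartbeat request.
cat > hb_client.py <<'PY'
"""Send one Heartbleed-style TLS heartbeat request to a test server (rule 9004072)."""
import argparse
import socket


def build_hb_request(record_minor: int = 0x02, record_len: int = 0x0010, claim_len: int = 0x00D0) -> bytes:
    """Build a heartbeat request whose claimed payload length exceeds the record.

    record_len = 16 (<40) is the real record length; claim_len = 208 (>200)
    is the payload_length field the peer is asked to echo back.

    Raises ValueError if record_len < 3.
    """
    if record_len < 3:
        raise ValueError("record_len must be >= 3")
    hdr = bytes([0x18, 0x03, record_minor]) + record_len.to_bytes(2, "big")
    payload = bytes([0x01]) + claim_len.to_bytes(2, "big") + b"A" * (record_len - 3)
    return hdr + payload


def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True)
    ap.add_argument("--port", type=int, default=443)
    args = ap.parse_args()
    req = build_hb_request()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # A real TLS server will not answer a raw heartbeat; do not hang on it.
        s.settimeout(5)
        s.connect((args.host, args.port))
        s.sendall(req)
        try:
            resp = s.recv(4096)
        except socket.timeout:
            resp = b""
            print("[-] no response within timeout")
        print(f"[+] got response bytes: {len(resp)}")


if __name__ == "__main__":
    main()
PY
python hb_client.py --host 10.10.10.2 --port 443

# Step 3 - Host B: inspect the capture.
tshark -r heartbeat.pcap -Y 'tcp.len>0' \
  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len -e tcp.stream
tshark -r heartbeat.pcap -Y 'tcp.len>0' -x
tshark -r heartbeat.pcap -Y 'tcp.len>0' -T fields -e tcp.payload | tr -d ':' | xxd -r -p | head -n 50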
7.测试规则(9004074-9004075)
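# Test for rules 9004074-9004075 (DTLS heartbeat request with oversized claimed
# length / oversized heartbeat response).
# Raw DTLS records only, no handshake: as with the TLS test, rules written on
# raw udp content will match here, app-layer DTLS keywords may not.
# Step 1 - Host B: UDP responder. It answers EVERY datagram from ANY source
# with a 173-byte reply, so bind it to the lab address and keep it off any
# routable interface.
cat > dtls_hb_server.py <<'PY'
"""Fake DTLS endpoint: answers every datagram with an oversized heartbeat response.

Lab tool for rule 9004075. No DTLS handshake is performed.
"""
import argparse
import socket


def build_dtls_hb_record(msg_type: int, record_len: int, claim_len: int, ver_minor: int = 0xFD) -> bytes:
    """Build one DTLS heartbeat record.

    Header (13 bytes): ContentType 0x18 (heartbeat), Version 0xFE/ver_minor
    (0xFD = DTLS 1.2, 0xFF = DTLS 1.0), epoch (2), sequence (6), length (2,
    at offsets 11-12). Fragment: msg_type (1) + claim_len as payload_length
    (2) + "B" padding so the fragment is record_len bytes long.

    Raises ValueError if record_len < 3 (checked before anything is built).
    """
    if record_len < 3:
        raise ValueError("record_len must be >= 3")
    content_type = 0x18
    version = bytes([0xFE, ver_minor])
    epoch = b"\x00\x00"
    seq = b"\x00\x00\x00\x00\x00\x01"
    length = record_len.to_bytes(2, "big")
    hdr = bytes([content_type]) + version + epoch + seq + length
    payload = bytes([msg_type]) + claim_len.to_bytes(2, "big") + b"B" * (record_len - 3)
    return hdr + payload


def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("--listen", default="0.0.0.0")
    ap.add_argument("--port", type=int, default=4444)
    args = ap.parse_args()
    # Response side: record_len > 150, heartbeat response (0x02).
    resp = build_dtls_hb_record(msg_type=0x02, record_len=0x00A0, claim_len=0x00A0, ver_minor=0xFD)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((args.listen, args.port))
        print(f"[+] UDP listening on {args.listen}:{args.port}")
        while True:
            data, addr = s.recvfrom(4096)
            print(f"[+] recv {len(data)} bytes from {addr}")
            # Reply with the "large response" without parsing the request;
            # this is the traffic meant to trigger 9004075.
            s.sendto(resp, addr)
            print(f"[+] sent {len(resp)} bytes to {addr}")


if __name__ == "__main__":
    main()
PY
python dtls_hb_server.py --listen 10.10.10.2 --port 4444

# Step 2 - Host A: send one malformed DTLS heartbeat request.
cat > dtls_hb_client.py <<'PY'
"""Send one malformed DTLS heartbeat request to a test server (rule 9004074)."""
import argparse
import socket


def build_dtls_hb_request(ver_minor: int = 0xFD) -> bytes:
    """Build the request 9004074 is meant to match.

    - record starts 18 fe fd (heartbeat, DTLS 1.2)
    - record length < 40 (0x0010 = 16)
    - offset 13 = 0x01 (heartbeat request)
    - payload_length at offset 14 > 200 (0x00D0 = 208), far more than the
      record actually carries
    """
    content_type = 0x18
    version = bytes([0xFE, ver_minor])
    epoch = b"\x00\x00"
    seq = b"\x00\x00\x00\x00\x00\x01"
    record_len = 0x0010  # 16 (<40)
    length = record_len.to_bytes(2, "big")
    hdr = bytes([content_type]) + version + epoch + seq + length
    msg_type = 0x01  # request
    claim_len = 0x00D0  # 208 (>200)
    payload = bytes([msg_type]) + claim_len.to_bytes(2, "big") + b"A" * (record_len - 3)
    return hdr + payload


def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True)
    ap.add_argument("--port", type=int, default=4444)
    args = ap.parse_args()
    req = build_dtls_hb_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2)
        s.sendto(req, (args.host, args.port))
        try:
            resp, _ = s.recvfrom(8192)
        except socket.timeout:
            # Over UDP a silent peer is a normal outcome; report it instead of
            # dying with a traceback.
            print("[-] no response within 2s")
            return
        print(f"[+] got response bytes: {len(resp)}")


if __name__ == "__main__":
    main()
PY
python dtls_hb_client.py --host 10.10.10.2 --port 4444

# Step 3 - Host B: inspect the capture.
tshark -r dtls_heartbeat.pcap -Y 'udp' \
  -T fields -e frame.number -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -e udp.stream
tshark -r dtls_heartbeat.pcap -Y 'udp' -x
tshark -r dtls_heartbeat.pcap -Y 'udp' -T fields -e udp.payload | tr -d ':' | xxd -r -p | head -n 50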
8.测试规则(9004076-9004077)
# Test for rules 9004076-9004077 (OpenDreamBox webadmin "command" parameter injection).
# Step 1 - Host B: plain HTTP listener.
python -m http.server 80 --bind 10.10.10.2

# Step 2 - Host A: request /webadmin/script with a pipe in the command parameter.
# The request is written with nc, so the "|" reaches the wire unencoded.
req=$'GET /webadmin/script?command=|id HTTP/1.1\r\nHost: 10.10.10.2\r\n\r\n'
printf '%s' "$req" | nc 10.10.10.2 80

# Step 3 - Host B: inspect the capture.
tshark -r OpenDreamBox_strict.pcap -Y 'tcp.len>0' \
  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream
tshark -r OpenDreamBox_strict.pcap -Y 'tcp.len>0' -x
9.测试规则(9004078-9004079)
# Test for rules 9004078-9004079 (OpenDreamBox "command" parameter with ";" and "&&" separators).
# Step 1 - Host B: plain HTTP listener.
python -m http.server 80 --bind 10.10.10.2

# Step 2 - Host A: two variants - ";" under /webadmin/script, and "&&" under
# the bare /script path (the second deliberately has no /webadmin prefix).
# The path goes in as an argument so the format string stays a fixed template.
for path in '/webadmin/script?command=;id' '/script?command=&&id'; do
  printf 'GET %s HTTP/1.1\r\nHost: 10.10.10.2\r\n\r\n' "$path" | nc 10.10.10.2 80
done
# No step 3 is given on this page for these rules; the tshark listing used
# for the previous OpenDreamBox rules applies unchanged.
