编写IE CSS漏洞的suricata规则-测试(9004090-9004103)

1.测试规则(9004090-9004094)

1.主机B创建CSS目录
1.1 生成 ASCII 版本(UTF-8/ASCII)
# Plain single-byte CSS: an @import plus one rule, one statement per line.
printf '%s\n' \
    '@import url(http://example.com/a.css);' \
    'body { background: #fff; }' > ascii.css

1.2 生成 UTF-16LE 无 BOM
# Same content re-encoded as UTF-16LE; no byte-order mark is written.
iconv -f UTF-8 -t UTF-16LE < ascii.css > unicode_nobom.css

1.3 生成 UTF-16LE 带 BOM(FF FE + UTF-16LE 内容)
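# UTF-16LE with a leading BOM (FF FE). Octal escapes are the form POSIX printf
# guarantees; \xHH only works in some shells' builtin printf (e.g. bash).
# The grouped redirect writes BOM and body into the file in one stream.
{ printf '\377\376'; iconv -f UTF-8 -t UTF-16LE ascii.css; } > unicode_bom.css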

# Serve the current directory (the three .css files) on host B's address.
# Port 80 usually needs elevated privileges.
python -m http.server --bind 10.10.10.2 80

2.主机A发起请求
# One request per encoding variant, in this order, so each file yields its own
# HTTP transaction for the sensor; the downloaded bytes are discarded.
for css in ascii.css unicode_bom.css unicode_nobom.css; do
    curl -s -o /dev/null "http://10.10.10.2:80/$css"
done

2.测试规则(9004095-9004098)

1.主机A开启word服务
from http.server import HTTPServer, BaseHTTPRequestHandler
HOST = "0.0.0.0"  # listen on every interface of host A
PORT = 80  # plain HTTP so the exchange is visible to the sensor; binding 80 usually needs elevated privileges
FILENAME = "evil.doc"  # used both as the served URL path and as the Content-Disposition filename
def build_body() -> bytes:
    """Return a synthetic OLE-like body laid out at the offsets rule 9004098 checks.

    Layout (from the original offset notes):
      * bytes   0..8   : OLE compound-file signature
      * bytes  68..80  : second pattern (8-byte signature + distance 60)
      * bytes 512..520 : third pattern (end of pattern 2 at 80 + 432)
      * then 256 bytes of NUL padding
    The body carries no document content; it only reproduces the byte
    positions the rule matches on.
    """
    ole_sig = bytes.fromhex("D0CF11E0A1B11AE1")
    second = bytes.fromhex("FEFFFFFF000000002F000000")
    third = bytes.fromhex("ECA5C10021600904")
    pat2_offset = 8 + 60     # distance:60 after the 8-byte signature
    pat3_offset = 80 + 432   # 432 past the end of pattern 2 (68 + 12 = 80)
    tail_padding = 256

    # ljust pads with NULs up to the required offset before each pattern.
    body = ole_sig.ljust(pat2_offset, b"\x00") + second
    body = body.ljust(pat3_offset, b"\x00") + third
    return body + b"\x00" * tail_padding
DOC_BODY = build_body()  # built once at import; every response writes these same bytes
class Handler(BaseHTTPRequestHandler):
    """Serve DOC_BODY as a Word attachment so the response matches rules 9004095-9004098.

    Only "/" and "/<FILENAME>" are answered; any other path gets a 404 with no body.
    """

    protocol_version = "HTTP/1.1"

    def do_GET(self):
        """Answer GET with the synthetic OLE body and the headers the rules key on."""
        served_paths = {"/", f"/{FILENAME}"}
        if self.path in served_paths:
            self._send_doc()
        else:
            self.send_response(404)
            self.end_headers()

    def _send_doc(self):
        """Write the 200 response: msword content type, attachment disposition, fixed length."""
        self.send_response(200)
        # Content-Type is the header the original note ties to rule 9004095.
        self.send_header("Content-Type", "application/msword")
        # Content-Disposition with the .doc filename is tied to 9004096 and 9004097.
        self.send_header("Content-Disposition",
                         f'attachment; filename="{FILENAME}"')
        self.send_header("Content-Length", str(len(DOC_BODY)))
        # Explicit close so the single-response exchange ends cleanly despite HTTP/1.1.
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(DOC_BODY)

    def log_message(self, fmt, *args):
        """Suppress the default per-request stderr logging."""
        return
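def main():
    """Bind HOST:PORT and serve DOC_BODY until interrupted.

    The server is used as a context manager so the listening socket is closed
    when serve_forever() returns or raises, instead of being left to
    interpreter teardown.
    """
    with HTTPServer((HOST, PORT), Handler) as httpd:
        print(
            f"[+] Serving http://<A_IP>:{PORT}/{FILENAME}  (len={len(DOC_BODY)})")
        httpd.serve_forever()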
# Start the server only when run as a script, not when imported.
if __name__ == "__main__":
    main()

2.主机B发起请求
# Fetch the served .doc from host A; verbose output shows the response headers
# the rules match on, the body itself is discarded.
curl --verbose --output /dev/null http://10.10.10.1:80/evil.doc

3.主机B分析测试流量
# Reassemble the TCP stream and HTTP body, then dump stream 0 as hex so the
# header offsets in the served body can be checked against the rule.
tshark -r word_cve_2006_6561.pcap \
    -o tcp.desegment_tcp_streams:TRUE \
    -o http.desegment_body:TRUE \
    -q -z follow,tcp,hex,0

3.测试规则(9004099-9004103)

1.主机A开启伪 OOXML/伪 DOCM 服务
from http.server import HTTPServer, BaseHTTPRequestHandler
HOST, PORT = "0.0.0.0", 80  # every interface of host A, plain HTTP; binding 80 usually needs elevated privileges
def ooxml_like_docx():
    """Return a ZIP-like blob carrying the OOXML part names rule 9004101 looks for.

    Only the local-file-header magic and two part names are present, separated
    by NUL padding; it is not a valid archive. The original note mentions 2048
    for this rule, presumably a within-window after the PK header — confirm
    against the rule text.
    """
    parts = [
        b"PK\x03\x04",          # ZIP local file header magic
        bytes(100),             # NUL padding
        b"[Content_Types].xml",
        bytes(300),
        b"word/document.xml",
        bytes(200),
    ]
    return b"".join(parts)
def ooxml_like_docm_with_macro():
    """Return a ZIP-like blob with the macro markers rules 9004102/9004103 look for.

    Besides the PK magic and [Content_Types].xml it embeds the strings
    "word/vbaProject.bin" and "macroEnabled", each separated by NUL padding.
    It is not a valid archive and contains no macro code.
    """
    parts = [
        b"PK\x03\x04",          # ZIP local file header magic
        bytes(120),             # NUL padding
        b"[Content_Types].xml",
        bytes(500),
        b"word/vbaProject.bin",
        bytes(200),
        b"macroEnabled",
        bytes(200),
    ]
    return b"".join(parts)
DOCX_BODY = ooxml_like_docx()  # built once; served unchanged on /docx
DOCM_BODY = ooxml_like_docm_with_macro()  # built once; served unchanged on /docm
class H(BaseHTTPRequestHandler):
    """Serve the two synthetic OOXML-like bodies on /docx and /docm.

    Any other path is answered with a 404 and no body.
    """

    protocol_version = "HTTP/1.1"

    def do_GET(self):
        """Look the path up in a small route table and send body plus headers."""
        # path -> (body, Content-Type, Content-Disposition)
        routes = {
            "/docx": (
                DOCX_BODY,
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
                'attachment; filename="test.docx"',
            ),
            # A generic container type is used on purpose so the zip/octet-stream
            # branch of rule 9004099 is exercised (per the original note).
            "/docm": (
                DOCM_BODY,
                "application/zip",
                'attachment; filename="test.docm"',
            ),
        }
        route = routes.get(self.path)
        if route is None:
            self.send_response(404)
            self.end_headers()
            return
        body, ctype, dispo = route
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Disposition", dispo)
        self.send_header("Content-Length", str(len(body)))
        # Explicit close so the single-response exchange ends cleanly despite HTTP/1.1.
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        """Suppress the default per-request stderr logging."""
        return
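print(f"[+] Serving on :{PORT}  endpoints: /docx /docm")
# The context manager closes the listening socket when serve_forever() returns
# or raises, instead of leaving it to interpreter teardown.
with HTTPServer((HOST, PORT), H) as httpd:
    httpd.serve_forever()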

2.主机A发送请求
# Request both endpoints in turn so each body is its own HTTP transaction;
# verbose output shows the headers, the body is discarded.
for ep in docx docm; do
    curl --verbose --output /dev/null "http://10.10.10.1:80/$ep"
done

3.主机B分析测试流量
3.1 列出TCP流
# Summarise TCP conversations to locate the stream that carried each download.
tshark -r ooxml.pcap \
    -q \
    -z conv,tcp
3.2 列出TCP 流编号
# One line per frame with endpoints and the tcp.stream index, so the stream
# number to follow below can be read off.
tshark -r ooxml.pcap -T fields \
    -e frame.number \
    -e ip.src -e tcp.srcport \
    -e ip.dst -e tcp.dstport \
    -e tcp.stream
3.3 列出重组TCP stream和HTTP Body
# Reassemble the TCP stream and HTTP body, then dump stream 0 as hex so the
# PK magic and part-name strings can be checked at their offsets.
tshark -r ooxml.pcap \
    -o tcp.desegment_tcp_streams:TRUE \
    -o http.desegment_body:TRUE \
    -q -z follow,tcp,hex,0

 
