Sample Exploits
Run Sample Exploits across Java, Node and Web Servers.
Prerequisites
Make sure you have K2 Agents Installed
Make sure you have active account on K2 Portal
We will require Linux environment to run below attack shell script
Sample Script
Copy contents of below script and save in run_script.sh file. Also you can find the below sample scripts in demo_exploits directory of installer. This script runs various categories of vulnerabilities and it gets detected by K2 Platform seamlessly.
#!/bin/bash
###############################################################################
# Copyright (C) 2019 - K2 Cyber Security, Inc. All rights reserved.
#
# This software is proprietary information of K2 Cyber Security, Inc and
# constitutes valuable trade secrets of K2 Cyber Security, Inc. You shall
# not disclose this information and shall use it only in accordance with the
# terms of License.
#
# K2 CYBER SECURITY, INC MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE
# SUITABILITY OF THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT
# NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE, OR NON-INFRINGEMENT. K2 CYBER SECURITY, INC SHALL
# NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
# MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES.
#
# "K2 Cyber Security, Inc"
#
################################################################################
help() {
echo "To run a specific test and attack, ";
echo "bash $0 sql-injection JAVA"
echo "bash $0 verademo JAVA"
echo "bash $0 forkexec JAVA"
echo "bash $0 struts-cve-2017-5638 JAVA"
echo "bash $0 easybuggy JAVA"
echo "bash $0 spiracle JAVA"
echo "bash $0 java-sec-code JAVA"
echo "bash $0 tomcat-cve-2017-12617 JAVA"
echo "bash $0 nginx BINARY"
echo "bash $0 dnsmasq BINARY"
echo "bash $0 node-demo-app sqli NODE.JS"
echo "bash $0 node-demo-app rce NODE.JS"
echo "bash $0 node-demo-app rci NODE.JS"
echo "bash $0 node-demo-app ssrf NODE.JS"
echo "bash $0 node-demo-app file-access NODE.JS"
echo "bash $0 node-demo-app nosqli NODE.JS"
}
die() {
ret=$1
if [ ${ret} != 0 ]
then
echo "Error: $ret"
exit 1;
fi
}
start(){
echo
echo
echo "Test [$1] "
case $1 in
"sql-injection"|"verademo"|"forkexec"|"struts-cve-2017-5638"|"spiracle"|"easybuggy"|"java-sec-code"|"tomcat-cve-2017-12617")
docker rm -f test-$1
docker rmi -f k2cyber/ic-test-application:${1}
docker run --rm -v /opt/k2-ic:/opt/k2-ic -itd -p 8091:8080 -e K2_OPTS="-javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name test-${1} k2cyber/ic-test-application:${1};
ret=$?; die $ret
;;
"node-demo-app")
docker rm -f test-$1
docker rmi -f k2cyber/ic-test-application:${1}
docker run --rm -v /opt/k2-ic:/opt/k2-ic -itd -p 9090:9090 -e K2_OPTS="--require /opt/k2-ic/k2-njs-agent" --name test-${1} k2cyber/ic-test-application:${1};
ret=$?; die $ret
;;
"dnsmasq")
docker stop test-$1
docker rm -f test-$1
aslr=`cat /proc/sys/kernel/randomize_va_space`
echo "Current ASLR status $aslr"
echo "Turning off ASLR"
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space >& /dev/null
docker exec k2agent bash -c ">/tmp/monitorstatus.txt"
docker rmi -f k2cyber/ubuntu-dnsmasq1
docker run --rm --name test-${1} -d k2cyber/ubuntu-dnsmasq1
ret=$?; die $ret
docker exec test-${1} ip addr show eth0|grep inet6 >& /dev/null
if [ $? -ne 0 ]; then
echo "Failed: IPV6 not enabled on docker daemon"
echo "Refer To Docker Documentation At:"
echo -e "https://docs.docker.com/v17.09/engine/userguide/networking/default_network/ipv6/"
docker stop test-$1
docker rm -f test-$1
exit
fi
;;
"nginx")
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space >& /dev/null
read -r -p "Stop/Remove Nginx Containers/Images? [y/N] " response
case "$response" in
[yY][eE][sS]|[yY])
echo "Stopping Nginx Container and Removing Nginx Images"
docker stop test-${1}
docker rm -f test-${1}
docker rmi -f k2cyber/nginx-1.4.0-exploit
docker rmi -f k2cyber/nginx-1.4.0-exploiter-local
;;
*)
;;
esac
out=`docker ps`
if [[ $out == *"test-nginx"* ]]; then
echo "nginx-1.4.0-exploit already running"
else
docker exec k2agent bash -c ">/tmp/monitorstatus.txt"
docker run --rm -itd -p 80:80 --name test-nginx k2cyber/nginx-1.4.0-exploit
ret=$?; die $ret
fi
;;
*) help;echo "Invalid test name : $1";ret=-1;die $ret;;
esac
if [[ "$1" == "nginx" ]]
then
echo -e "\e[32m\e[1mStep 1: INITIALIZING K2 TO PROTECT NGINX SERVER (Can take about 5 min)"
echo -e "\e[0mWaiting maximum 10 minute for test application to come up in watch interval of 30 seconds:$(date)"
masternginx=`ps aux|grep nginx|grep master|awk -F " " '{print $2}'`
if [ $? -ne 0 ]; then
echo "Could not file master nginx: ${masternginx}"
die
fi
workernginx=`ps aux|grep nginx|grep worker|awk -F " " '{print $2}'`
if [ $? -ne 0 ]; then
echo "Could not file worker nginx: ${workernginx}"
die
fi
for i in {1..120}
do
docker exec k2agent cat /tmp/monitorstatus.txt |grep "Started Monitoring Pid:$masternginx" >& /dev/null
ret=$?
if [ $ret -ne 0 ]; then
echo "master nginx not monitored yet"
sleep 30
continue
fi
docker exec k2agent cat /tmp/monitorstatus.txt |grep "Started Monitoring Pid:$workernginx" >& /dev/null
ret=$?
if [ $ret -ne 0 ]; then
echo "worker nginx not monitored yet"
sleep 30
continue
fi
break
done
if [ $ret -ne 0 ]; then
echo "failed to monitor nginx"
die
fi
sleep 5
docker run --net=host -it k2cyber/nginx-1.4.0-exploiter-local ruby exp-nginx-lc.rb 127.0.0.1 80
echo "Test Done [$1] :$(date)"
elif [[ "$1" == "dnsmasq" ]]
then
echo -e "\e[32m\e[1mStep 1: INITIALIZING K2 TO PROTECT DNSMASQ"
echo -e "\e[0mWaiting maximum 10 minute for test application to come up in watch interval of 30 seconds:$(date)"
dnspid=`ps aux|grep "test\/dnsmasq"|awk -F " " '{print $2}'`
if [ $? -ne 0 ]; then
echo "Could not file dnsmasq: ${dnspid}"
die
fi
for i in {1..120}
do
docker exec k2agent cat /tmp/monitorstatus.txt |grep "Started Monitoring Pid:$dnspid" >& /dev/null
ret=$?
if [ $ret -ne 0 ]; then
echo "dnsmasq not monitored yet"
sleep 30
continue
fi
break
done
if [ $ret -ne 0 ]; then
echo "failed to monitor dnsmasq"
die
fi
echo -e "\033[01;32mStep 2: APPLICATION SETUP IS READY FOR ATTACK! \033[00m"
sleep 5
echo Press key to run attack
read x
echo -e "\033[01;32mStep 3: TRIGERRING THE ATTACK \033[00m"
docker exec test-${1} python poc.py ::1 547
echo -e "\033[01;32mStep 3: ATTACK SUCCESSFUL \033[00m"
echo "Test Cleanup [$1] "
sleep 30
echo "Restoring ASLR to $aslr"
echo $aslr | sudo tee /proc/sys/kernel/randomize_va_space >& /dev/null
docker rm -f test-${1}
docker rmi -f k2cyber/ubuntu-dnsmasq1
elif [[ "$1" == "node-demo-app" ]]
then
echo -e "\033[01;32mStep 1: INSTALLING THE VULNERABLE NODE APPLICATION (Can take about 2 min) \033[00m"
echo "Waiting maximum 1 minute for test application to come up in watch interval of 10 seconds"
for i in {1..36}
do
status=$(docker exec -it test-${1} bash -c "ps -ef | grep /opt/k2-ic/k2-njs-agent" | wc -l)
if [ ${status} -eq 3 ]; then
echo "Test Container is up"
echo -e "\033[01;32mStep 2: APPLICATION SETUP IS READY FOR ATTACK! \033[00m"
break
fi
sleep 10
done
echo Press key to run attack
read x
docker exec -it test-${1} bash -c "/attack.sh ${2}"
sleep 10
echo "Test Cleanup [$1] "
echo Press key to Clean up VULNERABLE Container
read x
docker rm -f test-${1}
docker rmi -f k2cyber/ic-test-application:${1}
else
echo -e "\033[01;32mStep 1: INSTALLING THE VULNERABLE JAVA APPLICATION (Can take about 2 min) \033[00m"
echo "Waiting maximum 1 minute for test application to come up in watch interval of 10 seconds"
for i in {1..36}
do
status=$(docker exec -it test-${1} bash -c "ps -ef | grep K2-JavaAgent-1.0.0-jar-with-dependencies.jar" | wc -l)
if [ ${status} -eq 3 ]; then
echo "Test Container is up"
echo -e "\033[01;32mStep 2: APPLICATION SETUP IS READY FOR ATTACK! \033[00m"
break
fi
sleep 10
done
echo Press key to run attack
read x
docker exec -it test-${1} bash -c ./attack.sh
sleep 10
echo "Test Cleanup [$1] "
echo Press key to Clean up VULNERABLE Container
read x
docker rm -f test-${1}
docker rmi -f k2cyber/ic-test-application:${1}
fi
}
if [ $# -eq 0 ]
then
help;
else
tests="$*"
start ${tests}
fi
Run Sample Attacks
bash run_script.sh sql-injection JAVA
bash run_script.sh verademo JAVA
bash run_script.sh forkexec JAVA
bash run_script.sh struts-cve-2017-5638 JAVA
bash run_script.sh easybuggy JAVA
bash run_script.sh spiracle JAVA
bash run_script.sh java-sec-code JAVA
bash run_script.sh tomcat-cve-2017-12617 JAVA
bash run_script.sh nginx BINARY
bash run_script.sh dnsmasq BINARY
bash run_script.sh node-demo-app sqli NODE.JS
bash run_script.sh node-demo-app rce NODE.JS
bash run_script.sh node-demo-app rci NODE.JS
bash run_script.sh node-demo-app ssrf NODE.JS
bash run_script.sh node-demo-app file-access NODE.JS"
bash run_script.sh node-demo-app nosqli NODE.JSView Exploits
Detected Exploits will be shown on K2 Portal's Exploits Page.
Alternatively go to Exploits | K2 Portal
Last updated
Was this helpful?