exploit

package module
v1.32.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 27, 2024 License: Apache-2.0 Imports: 13 Imported by: 10

README

go-exploit: Go Exploit Framework

Go Go Report Card

go-exploit is an exploit development framework for Go. The framework helps exploit developers create small, self-contained, portable, and consistent exploits. The framework was developed to simplify large scale scanning, exploitation, and integration with other tools. For API documentation, check out the package on pkg.go.dev/github.com/vulncheck-oss/go-exploit.

Go Exploit Phases

The Go Exploit Framework includes the following Phases which can be chained or executed independently:

Go Exploit Features

The Go Exploit Framework includes these additional features:

Examples

  • CVE-2023-22527: Three go-exploit implementations taking unique approaches to Atlassian Confluence CVE-2023-22527.
  • CVE-2023-25194: Demonstrates exploiting CVE-2023-25194 against Apache Druid (using Kafka).
  • CVE-2023-46604: Demonstrates exploiting CVE-2023-46604 and using the go-exploit HTTPServeFile c2.
  • CVE-2023-36845: Scans for Juniper firewalls to determine if they are vulnerable to CVE-2023-36845.
  • CVE-2023-51467: A go-exploit implementation of CVE-2023-51467 that lands a Nashorn reverse shell.

Contributing

Community contributions in the form of issues and features are welcome. When submitting issues, please ensure they include sufficient information to reproduce the problem. For new features, provide a reasonable use case, appropriate unit tests, and ensure compliance with our .golangci.yml without generating any complaints.

Please also ensure that linting comes back clean, and all tests pass.

golangci-lint run --fix
go test ./...

License

go-exploit is licensed under the Apache License, Version 2.0. For more details, refer to the LICENSE file.

Documentation

Overview

Package exploit is the entrypoint for exploits developed with the go-exploit framework.

The exploit package invokes command line parsing, handles c2, and calls into the three stages of exploitation (as defined by go-exploit). In order to use this framework, implementing exploits should follow this general template:

package main

import (
	"github.com/vulncheck-oss/go-exploit"
	"github.com/vulncheck-oss/go-exploit/c2"
	"github.com/vulncheck-oss/go-exploit/config"
	"github.com/vulncheck-oss/go-exploit/output"
)

type MyExploit struct{}

func generatePayload(conf *config.Config) (string, bool) {
        generated := ""

        switch conf.C2Type {
        case c2.SimpleShellServer:
                // generated = reverse.Bash.TCPRedirection(conf.Lhost, conf.Lport) // Example
        default:
                output.PrintError("Invalid payload")

                return generated, false
        }

        return generated, true
}

func (sploit MyExploit) ValidateTarget(conf *config.Config) bool {
	return false
}

func (sploit MyExploit) CheckVersion(conf *config.Config) exploit.VersionCheckType {
	return exploit.NotImplemented
}

func (sploit MyExploit) RunExploit(conf *config.Config) bool {
	generated, ok := generatePayload(conf)
 	if !ok {
     		return false
 	}
	return true
}

func main() {
	supportedC2 := []c2.Impl{
		c2.SimpleShellServer,
		c2.SimpleShellClient,
	}
	conf := config.NewRemoteExploit(
		config.ImplementedFeatures{AssetDetection: false, VersionScanning: false, Exploitation: false},
		config.CodeExecution, supportedC2, "Vendor", []string{"Product"},
		[]string{"cpe:2.3:a:vendor:product"}, "CVE-2024-1270", "HTTP", 8080)

	sploit := MyExploit{}
	exploit.RunProgram(sploit, conf)
}

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RunProgram

func RunProgram(sploit Exploit, conf *config.Config)

Effectively the package main function. Parses configuration, starts command and control, controls which targets are scanned, initiates call down into the exploits implementation and is ultimately responsible for waiting for all c2 and attack threads to finish.

This function also runs `flag.Parse()` so any defined flags will be parsed when RunProgram is called.

This function should be called by the implementing exploit, likely in the main function.

func StoreVersion added in v1.21.0

func StoreVersion(conf *config.Config, version string)

Prints the version to the log file using status VERSION and a parsable version string (version=). Additionally, updates the database if it's in use. Typically should be called from the exploit.

Types

type Exploit

type Exploit interface {
	ValidateTarget(conf *config.Config) bool
	CheckVersion(conf *config.Config) VersionCheckType
	RunExploit(conf *config.Config) bool
}

Exploit is the implementing interface for go-exploit exploits. The functions are called in order: ValidateTarget, CheckVersion, RunExploit.

ValidateTarget

ValidateTarget is for determining if the target is the type of software the implemented exploit would like to exploit. This is to avoid throwing an exploit at target would never be vulnerable. For example, if an exploit is targeting Confluence, then ValidateTarget might look like the following

func (sploit ConfluenceExploit) ValidateTarget(conf *config.Config) bool {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, "/")
	resp, _, ok := protocol.HTTPSendAndRecv("GET", url, "")
	if !ok {
		return false
	}

	if resp.StatusCode != 200 {
		output.PrintfError("Received an unexpected HTTP status code: %d", resp.StatusCode)

		return false
	}
	_, ok = resp.Header["X-Confluence-Request-Time"]

	return ok
}

Above you can see ValidateTarget returns true *only* if it finds the X-Confluence-Request-Time HTTP header. The exploit will not continue on if false is returned. If true is returned then it will move on to the next stage (CheckVersion).

CheckVersion

CheckVersion is for determning if the target is an affected version or not. Again, to avoid throwing an exploit at a target that is not vulnerable. CheckVersion is intended to be a non-intrusive version check. That generally means doing things like:

  • Extracting the version number from a login page
  • Examining the HTTP Last-Modified header
  • Looking for new functionality introduce in the patch

For example, to check for CVE-2022-30525, you could do something like this.

func (sploit ZyxelExploit) CheckVersion(conf *config.Config) exploit.VersionCheckType {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, "/")
	resp, bodyString, ok := protocol.HTTPSendAndRecv("GET", url, "")
	if !ok {
		return exploit.Unknown
	}

	if resp.StatusCode != 200 {
		output.PrintfError("Received an unexpected HTTP status code: %d", resp.StatusCode)

		return exploit.Unknown
	}

	if !strings.Contains(bodyString, "zyFunction.js") {
		output.PrintError("The HTTP response did not contain an expected JavaScript include")

		return exploit.Unknown
	}

	re := regexp.MustCompile(`src="/ext-js/app/common/zyFunction.js\?v=([0-9]+)"></script>`)
	res := re.FindAllStringSubmatch(bodyString, -1)
	if len(res) == 0 {
		output.PrintError("Could not extract the build date from the target")

		return exploit.Unknown
	}

	output.PrintfStatus("The device has a self-reported firmware publication date of %s", res[0][1])
	date64, _ := strconv.ParseInt(res[0][1], 10, 64)
	if date64 < 220415000000 {
		return exploit.Vulnerable
	}

	return exploit.NotVulnerable
}

Regardless, the goal is to avoid throwing the exploit until you are somewhat sure that it should land. This cannot always be accomplished so the return of exploit.NotImplemented is always on offer, and the attacker can skip this step via configuration if they please.

RunExploit

RunExploit should contain the logic for exploiting the target. There is almost no requirement on this function other than the attacker do their thing. The on thing the implementation should do is return false if believe their attack has failed.

type VersionCheckType

type VersionCheckType int

The return type for CheckVersion().

const (
	// The target is not vulnerable.
	NotVulnerable VersionCheckType = 0
	// The target is vulnerable.
	Vulnerable VersionCheckType = 1
	// Based on incomplete information, the target might be vulnerable.
	PossiblyVulnerable VersionCheckType = 2
	// Something went wrong during CheckVersion().
	Unknown VersionCheckType = 3
	// CheckVersion() is not implemented.
	NotImplemented VersionCheckType = 4
)

Directories

Path Synopsis
c2
channel
The channel package is the container for first-party framework C2 structures and variables, it holds the internal settings for multiple types of C2s.
The channel package is the container for first-party framework C2 structures and variables, it holds the internal settings for multiple types of C2s.
cli
external
The external C2 module extends the C2 functionality and exposes an interface to allow for an exploit to utilize a channel that is defined in an external repository.
The external C2 module extends the C2 functionality and exposes an interface to allow for an exploit to utilize a channel that is defined in an external repository.
httpservefile
httpservefile c2 spawns an HTTP or HTTPS server and hosts arbitrary user-provided files.
httpservefile c2 spawns an HTTP or HTTPS server and hosts arbitrary user-provided files.
httpserveshell
httpservershell is (literally) a combination of HTTPServeFile and (SSLShell || SimpleShellServer).
httpservershell is (literally) a combination of HTTPServeFile and (SSLShell || SimpleShellServer).
shelltunnel
shelltunnel is a simple C2 that copies shell traffic between a reverse shell origin and a connectback server.
shelltunnel is a simple C2 that copies shell traffic between a reverse shell origin and a connectback server.
sslshell
sslshell is a simple c2 that listens for incoming ssl/tls connections in order to establish a reverse shell.
sslshell is a simple c2 that listens for incoming ssl/tls connections in order to establish a reverse shell.
SQLite Caching and Cross-Exploit Database
SQLite Caching and Cross-Exploit Database
ldapjndi
This is an implementation of an evil JNDI LDAP server.
This is an implementation of an evil JNDI LDAP server.
Package output handles structured logging for the framework and exploits.
Package output handles structured logging for the framework and exploits.
Payload related functions and actions
Payload related functions and actions
bindshell
Bind shell payloads & listeners.
Bind shell payloads & listeners.
dropper
File dropper download and execute payloads.
File dropper download and execute payloads.
fileplant
file planting based payloads.
file planting based payloads.
reverse
Reverse shell and command payloads.
Reverse shell and command payloads.
webshell
Webshell payloads
Webshell payloads
ajp
Package ajp is a very basic (and incomplete) implementation of the AJPv13 protocol.
Package ajp is a very basic (and incomplete) implementation of the AJPv13 protocol.
fortinet
Package fortinet is a very basic (and incomplete) implementation of Fortinet FGFM protocol
Package fortinet is a very basic (and incomplete) implementation of Fortinet FGFM protocol
mikrotik
`msg.go` contains the logic for building, reading, accessing, and serializing RouterOS M2 messages.
`msg.go` contains the logic for building, reading, accessing, and serializing RouterOS M2 messages.
rocketmq
Package rocketmq is a very basic (and incomplete) implementation of RocketMQ remoting protocol
Package rocketmq is a very basic (and incomplete) implementation of RocketMQ remoting protocol

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL