exploit

README

go-exploit: Go Exploit Framework

go-exploit is an exploit development framework for Go. The framework helps exploit developers create small, self-contained, portable, and consistent exploits. The framework was developed to simplify large scale scanning, exploitation, and integration with other tools. For API documentation, check out the package on pkg.go.dev/github.com/vulncheck-oss/go-exploit.

Features

The framework includes the following features:

• Three step attack chain: target verification, version scanning, and exploitation. The phases can be chained or executed independently.
• Auto-detection of SSL/TLS on the remote target.
• Fully proxy-aware.
• Key-value or JSON output for easy integration into other automated systems.
• Builtin Java gadgets, classes, and LDAP infrastructure.
• Many reverse shell and bind shell payloads.
• Functionality that integrates exploitation with other tools or frameworks like Metasploit and Sliver.
• Builtin "c2" for catching encrypted/unencrypted shells or hosting implants.
• Supports multipe target formats including lists, file-based, VulnCheck IP-Intel, and more.

Examples

• CVE-2023-22527: Three go-exploit implementations taking unique approaches to Atlassian Confluence CVE-2023-22527.
• CVE-2023-51467: A go-exploit implementation of CVE-2023-51467 that lands a Nashorn reverse shell.
• CVE-2023-33246: A go-exploit implementation to hunt for RocketMQ broker configuration IoC. See the VulnCheck blog.
• IOS-XE Implant Scanner: A scanner for the Cisco IOS XE CVE-2023-20198 implant.

Contributing

Community contributions in the form of issues and features are welcome. When submitting issues, please ensure they include sufficient information to reproduce the problem. For new features, provide a reasonable use case, appropriate unit tests, and ensure compliance with our .golangci.yml without generating any complaints.

Please also ensure that linting comes back clean, and all tests pass.

golangci-lint run --fix
go test ./...

License

go-exploit is licensed under the Apache License, Version 2.0. For more details, refer to the LICENSE file.

Documentation

Overview

Package exploit is the entrypoint for exploits developed with the go-exploit framework.

The exploit package invokes command line parsing, handles c2, and calls into the three stages of exploitation (as defined by go-exploit). In order to use this framework, implementing exploits should follow this general template:

package main

import (
	"github.com/vulncheck-oss/go-exploit"
	"github.com/vulncheck-oss/go-exploit/c2"
	"github.com/vulncheck-oss/go-exploit/config"
)

type MyExploit struct{}

func (sploit MyExploit) ValidateTarget(conf *config.Config) bool {
	return false
}

func (sploit MyExploit) CheckVersion(conf *config.Config) exploit.VersionCheckType {
	return exploit.NotImplemented
}

func (sploit MyExploit) RunExploit(conf *config.Config) bool {
	return true
}

func main() {
	supportedC2 := []c2.Impl{
		c2.SimpleShellServer,
		c2.SimpleShellClient,
	}
	conf := config.New(config.CodeExecution, supportedC2, "My Target", "CVE-2023-1270", 80)

	sploit := MyExploit{}
	exploit.RunProgram(sploit, conf)
}

Index

• func RunProgram(sploit Exploit, conf *config.Config)
• type Exploit
• type VersionCheckType

Functions

func RunProgram

func RunProgram(sploit Exploit, conf *config.Config)

Effectively the package main function. Parses configuration, starts command and control, controls which targets are scanned, initiates call down into the exploits implementation and is ultimately responsible for waiting for all c2 and attack threads to finish.

This function should be called by the implementing exploit, likely in the main function.

Types

type Exploit

type Exploit interface {
	ValidateTarget(conf *config.Config) bool
	CheckVersion(conf *config.Config) VersionCheckType
	RunExploit(conf *config.Config) bool
}

Exploit is the implementing interface for go-exploit exploits. The functions are called in order: ValidateTarget, CheckVersion, RunExploit.

ValidateTarget

ValidateTarget is for determining if the target is the type of software the implemented exploit would like to exploit. This is to avoid throwing an exploit at target would never be vulnerable. For example, if an exploit is targeting Confluence, then ValidateTarget might look like the following

func (sploit ConfluenceExploit) ValidateTarget(conf *config.Config) bool {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, "/")
	resp, _, ok := protocol.HTTPSendAndRecv("GET", url, "")
	if !ok {
		return false
	}

	if resp.StatusCode != 200 {
		output.PrintfError("Received an unexpected HTTP status code: %d", resp.StatusCode)

		return false
	}
	_, ok = resp.Header["X-Confluence-Request-Time"]

	return ok
}

Above you can see ValidateTarget returns true *only* if it finds the X-Confluence-Request-Time HTTP header. The exploit will not continue on if false is returned. If true is returned then it will move on to the next stage (CheckVersion).

CheckVersion

CheckVersion is for determning if the target is an affected version or not. Again, to avoid throwing an exploit at a target that is not vulnerable. CheckVersion is intended to be a non-intrusive version check. That generally means doing things like:

• Extracting the version number from a login page
• Examining the HTTP Last-Modified header
• Looking for new functionality introduce in the patch

For example, to check for CVE-2022-30525, you could do something like this.

func (sploit ZyxelExploit) CheckVersion(conf *config.Config) exploit.VersionCheckType {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, "/")
	resp, bodyString, ok := protocol.HTTPSendAndRecv("GET", url, "")
	if !ok {
		return exploit.Unknown
	}

	if resp.StatusCode != 200 {
		output.PrintfError("Received an unexpected HTTP status code: %d", resp.StatusCode)

		return exploit.Unknown
	}

	if !strings.Contains(bodyString, "zyFunction.js") {
		output.PrintError("The HTTP response did not contain an expected JavaScript include")

		return exploit.Unknown
	}

	re := regexp.MustCompile(`src="/ext-js/app/common/zyFunction.js\?v=([0-9]+)"></script>`)
	res := re.FindAllStringSubmatch(bodyString, -1)
	if len(res) == 0 {
		output.PrintError("Could not extract the build date from the target")

		return exploit.Unknown
	}

	output.PrintfStatus("The device has a self-reported firmware publication date of %s", res[0][1])
	date64, _ := strconv.ParseInt(res[0][1], 10, 64)
	if date64 < 220415000000 {
		return exploit.Vulnerable
	}

	return exploit.NotVulnerable
}

Regardless, the goal is to avoid throwing the exploit until you are somewhat sure that it should land. This cannot always be accomplished so the return of exploit.NotImplemented is always on offer, and the attacker can skip this step via configuration if they please.

RunExploit

RunExploit should contain the logic for exploiting the target. There is almost no requirement on this function other than the attacker do their thing. The on thing the implementation should do is return false if believe their attack has failed.

type VersionCheckType

type VersionCheckType int

The return type for CheckVersion().

const (
	// The target is not vulnerable.
	NotVulnerable VersionCheckType = 0
	// The target is vulnerable.
	Vulnerable VersionCheckType = 1
	// Based on incomplete information, the target might be vulnerable.
	PossiblyVulnerable VersionCheckType = 2
	// Something went wrong during CheckVersion().
	Unknown VersionCheckType = 3
	// CheckVersion() is not implemented.
	NotImplemented VersionCheckType = 4
)