go-exploit is an exploit framework developed for active scanning and exploitation of real targets. However, go-exploit can also operate with a database to enable cross-exploit communication, and part of that database is an HTTP cache. We've found that this cache allows go-exploit to operate in a scanless mode: an exploit's target validation and version check can be answered from cached HTTP responses instead of live requests.
For example, consider this go-exploit for CVE-2023-22527. We can use it to look for vulnerable Confluence instances across the internet without ever connecting to them.
Say we have a Shodan query for Confluence and we downloaded the results. We can use go-exploit-cache to generate a database for go-exploit from that download:
albinolobster@mournland:~/go-exploit-cache$ ./build/go-exploit-cache -type shodan-gzip -in ~/Downloads/734342e9-56b8-4299-a072-9d1d28f66434.json.gz -out confluence.db
2024/07/16 15:59:55 Decompressing the Shodan GZIP... this can be slow
2024/07/16 15:59:56 Decompressed file written to .tmp/shodan.json
2024/07/16 15:59:56 Generating database entries...
2024/07/16 15:59:59 Cleaning up .tmp directory
albinolobster@mournland:~/go-exploit-cache$ sqlite3 confluence.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> select rhost,rport from http_cache limit 1;
52.200.210.54|80
sqlite>
We can then demonstrate that go-exploit runs its version check against the target without ever connecting to it. In the following command, unshare -n is used to ensure the scanner has no network access (you don't need to use unshare; it is only here to prove that no packets are sent):
albinolobster@mournland:~/cve-2023-22527/reverseshell$ sudo unshare -n ./build/cve-2023-22527_linux-arm64 -c -v -rhost 52.200.210.54 -rport 80 -db ~/go-exploit-cache/confluence.db
time=2024-07-16T16:33:07.239-04:00 level=STATUS msg="Starting target" index=0 host=52.200.210.54 port=80 ssl=false "ssl auto"=false
time=2024-07-16T16:33:07.239-04:00 level=STATUS msg="Validating Confluence target" host=52.200.210.54 port=80
time=2024-07-16T16:33:07.242-04:00 level=SUCCESS msg="Target verification succeeded!" host=52.200.210.54 port=80 verified=true
time=2024-07-16T16:33:07.242-04:00 level=STATUS msg="Running a version check on the remote target" host=52.200.210.54 port=80
time=2024-07-16T16:33:07.242-04:00 level=VERSION msg="The reported version is 7.19.17" host=52.200.210.54 port=80 version=7.19.17
time=2024-07-16T16:33:07.243-04:00 level=STATUS msg="The target appears to be a patched version." host=52.200.210.54 port=80 vulnerable=no
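The pipeline above, as an added example in Python that is not go-exploit-cache's or go-exploit's own code: it takes a constructed Shodan-style .json.gz export, fills an http_cache table, and then answers a Confluence version check purely from the cache, the same way the scanless run above does. The Shodan field names (ip_str, port, data, http.html), the cache columns beyond rhost and rport, the ajs-version-number meta tag as the version source, and the branch-aware patched/vulnerable rule are all this example's assumptions; the real exploit applies its own version logic, and the fixed versions passed in are placeholders, not an advisory statement.

```python
import gzip
import io
import json
import re
import sqlite3

# Constructed Shodan-style export (not real scan data): one JSON record per
# banner, newline-delimited, gzip-compressed like a real .json.gz download.
# Assumed field names: ip_str, port, data (raw response headers) and
# http.html (response body). Confluence reports its version in the
# "ajs-version-number" meta tag, which is what the regex below looks for.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
     "http": {"html": '<html><head><meta name="ajs-version-number" '
                      'content="7.19.17"></head></html>'}},
    {"ip_str": "192.0.2.11", "port": 8090,
     "data": "HTTP/1.1 200 OK\r\n\r\n",
     "http": {"html": '<meta name="ajs-version-number" content="8.5.3">'}},
    {"ip_str": "192.0.2.12", "port": 443,
     "data": "HTTP/1.1 302 Found\r\nLocation: /login.action\r\n\r\n",
     "http": {"html": ""}},          # body not cached: version cannot be read
]

VERSION_RE = re.compile(r'name="ajs-version-number"\s+content="([0-9.]+)"')


def build_shodan_gzip(records):
    """Serialize records the way a Shodan download file is laid out."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        for rec in records:
            gz.write((json.dumps(rec) + "\n").encode())
    return buf.getvalue()


def import_shodan_gzip(blob, db):
    """Decompress the export and fill an http_cache table. The column layout
    is this example's own assumption; the page only shows rhost and rport."""
    db.execute(
        "CREATE TABLE IF NOT EXISTS http_cache ("
        "rhost TEXT, rport INTEGER, headers TEXT, body TEXT, "
        "PRIMARY KEY (rhost, rport))")
    count = 0
    with gzip.GzipFile(fileobj=io.BytesIO(blob), mode="rb") as gz:
        for line in gz:
            if not line.strip():
                continue
            rec = json.loads(line)
            body = (rec.get("http") or {}).get("html") or ""
            db.execute("INSERT OR REPLACE INTO http_cache VALUES (?, ?, ?, ?)",
                       (rec["ip_str"], int(rec["port"]), rec.get("data", ""), body))
            count += 1
    db.commit()
    return count


def cached_version(db, rhost, rport):
    """Version check that never touches the network: answer from the cache.
    None means the target is not cached at all; '' means it is cached but
    the stored body carries no version string."""
    row = db.execute("SELECT body FROM http_cache WHERE rhost = ? AND rport = ?",
                     (rhost, rport)).fetchone()
    if row is None:
        return None
    m = VERSION_RE.search(row[0])
    return m.group(1) if m else ""


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def is_patched(version, fixed_versions):
    """Branch-aware comparison (this example's own rule): patched if the
    target is at or above the fix on its own major.minor branch, otherwise
    only if it is at or above the newest fix overall."""
    v = version_tuple(version)
    fixes = [version_tuple(f) for f in fixed_versions]
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v >= min(same_branch)
    return v >= max(fixes)


def scanless_check(db, rhost, rport, fixed_versions):
    """Mirror of the exploit's check flow, answered from the cache only:
    returns 'uncached', 'unknown', 'patched' or 'vulnerable'."""
    version = cached_version(db, rhost, rport)
    if version is None:
        return "uncached"
    if version == "":
        return "unknown"
    return "patched" if is_patched(version, fixed_versions) else "vulnerable"


def build_demo_db():
    """In-memory cache built from the constructed sample export."""
    db = sqlite3.connect(":memory:")
    import_shodan_gzip(build_shodan_gzip(SAMPLE_RECORDS), db)
    return db


if __name__ == "__main__":
    # Placeholder fixed versions for the demo; take real ones from the vendor advisory.
    fixed = ["7.19.17", "8.5.4"]
    db = build_demo_db()
    for host, port in [("192.0.2.10", 80), ("192.0.2.11", 8090),
                       ("192.0.2.12", 443), ("203.0.113.5", 80)]:
        print(host, port, cached_version(db, host, port),
              scanless_check(db, host, port, fixed))
```

The two non-answers are the practical caveat of scanless mode: a host absent from the dataset ('uncached') cannot be assessed without a live request, and a cached entry whose stored body is too short to contain the version ('unknown') is exactly what the truncated RunZero bodies mentioned below produce. The verdict is also only as fresh as the scan data, so a host patched after the Shodan crawl still reads as vulnerable until the cache is rebuilt.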
go-exploit-cache currently supports Shodan download files (.json.gz) and PCAP files. There is also limited support for RunZero asset JSONL files (the limitation is that they only cache a small amount of HTTP data, so longer response bodies have to be thrown away, and checks that depend on them cannot be answered from the cache).
Sample files for each format can be found in the test/testdata directory:
albinolobster@mournland:~/go-exploit-cache$ ./build/go-exploit-cache -type shodan-gzip -in ./test/testdata/shodan-confluence.json.gz -out confluence.db
2024/07/17 13:43:01 Decompressing the Shodan GZIP... this can be slow
2024/07/17 13:43:01 Decompressed file written to .tmp/shodan.json
2024/07/17 13:43:01 Generating database entries
albinolobster@mournland:~/go-exploit-cache$ ./build/go-exploit-cache -type pcap -in ./test/testdata/confluence-exploit.pcapng -out confluence.db
2024/07/17 13:43:41 Locating all HTTP requests...
2024/07/17 13:43:41 Locating all HTTP responses...
2024/07/17 13:43:41 Generating database entries...
albinolobster@mournland:~/go-exploit-cache$ ./build/go-exploit-cache -type runzero-jsonl -out runzero.db -in test/testdata/runzero-http.jsonl
2024/07/31 15:07:43 Generating database entries...
go-exploit-cache can be compiled on Ubuntu like so (assuming Go is installed; libpcap-dev is needed to build the PCAP reader):
sudo apt install libpcap-dev
make