vulncheck-oss / go-exploit

A Go-based Exploit Framework
https://pkg.go.dev/github.com/vulncheck-oss/go-exploit
Apache License 2.0
309 stars 29 forks

Add options #200

Closed WHIJK closed 4 months ago

WHIJK commented 4 months ago

Maybe add a feature to add options? Example: when executing a command, one could customize an option to change the executed command in code.

terrorbyte commented 4 months ago

Internally we will regularly define a flag inside of an exploit as an exploit-local global, use Go's flag package, and then when you call exploit.RunProgram it internally runs flag.Parse and handles the setup. That way you can have package-specific flags that can be passed.

Here's another snippet example:

    package main

    import (
        "flag"

        // import paths as used by go-exploit exploit modules
        "github.com/vulncheck-oss/go-exploit"
        "github.com/vulncheck-oss/go-exploit/c2"
        "github.com/vulncheck-oss/go-exploit/config"
    )

    // ... snip...
    // Exploit-local options. They are package-level globals so the exploit's
    // methods can read them after exploit.RunProgram has called flag.Parse.
    var (
        // ... snip ...
        globalID              = 1
        globalExploitDB       = 0
        globalExploitHost     = false
        globalDumpHashes      = false
        globalDumpConnections = false
        globalRunSQL          = ""
        globalRunSQLDB        = 0
    )
    // ... snip ...

    func main() {
        // Register the exploit-specific flags on the default flag set before
        // RunProgram is called; RunProgram parses them together with the
        // framework's own flags.
        flag.BoolVar(&globalDumpHashes, "hashes", true, "Dump metadata user hashes")
        flag.BoolVar(&globalDumpConnections, "db-connections", true, "Dump database connections and decrypt the encrypted connection strings")
        flag.BoolVar(&globalExploitHost, "exploit-host", false, "Whether to exploit the Superset host (mutually exclusive with database exploitation)")
        flag.IntVar(&globalID, "id", 1, "ID to forge for the session")
        flag.StringVar(&globalRunSQL, "run-sql", "", "Run an SQL statement against an arbitrary database")
        flag.IntVar(&globalRunSQLDB, "run-sql-db", 0, "ID to run arbitrary SQL against")
        flag.IntVar(&globalExploitDB, "exploit-db", 0, "Exploit the PostgreSQL database Superset is utilizing (mutually exclusive with -exploit-host)")

        // C2 handlers this exploit can hand a session to.
        supportedC2 := []c2.Impl{
            c2.SSLShellServer,
            c2.SimpleShellServer,
        }
        // Framework config: exploit type, supported C2, product name, CVE, default target port.
        conf := config.New(config.CodeExecution, supportedC2, "Apache Superset", "CVE-2023-27524", 8088)

        // ApacheSupersetDefaultSession is the exploit type defined elsewhere in this module (snipped).
        sploit := ApacheSupersetDefaultSession{}
        exploit.RunProgram(sploit, conf)
    }

Then these options can be used just like in the flag package description :) This was less well documented until recently and should be described a bit more clearly here: https://pkg.go.dev/github.com/vulncheck-oss/go-exploit#RunProgram


Additionally, our current payloads are more focused on full session callbacks, and if you want a more traditional "execute and retrieve command output" style, that might have to be done a little ad hoc without the builtin C2 structure. That being said, if that's something that is generally wanted, it is potentially possible to add it if you can give a full description of exactly what you are looking for.
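An added, stand-alone illustration of the pattern described in the reply above (this is not code from the go-exploit project or from the commenter). It shows the piece the snippet leaves implicit: registering exploit-local flags, the parse step that exploit.RunProgram performs on your behalf, and a post-parse validation that enforces the "mutually exclusive" constraint which the flag help text only describes. To keep it runnable without the framework it uses only the standard library: a private flag.FlagSet stands in for flag.CommandLine plus RunProgram's internal flag.Parse, and the `-cmd` flag (the operator-supplied command the original question asked for) is a hypothetical name, not a go-exploit convention.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
)

// exploitOpts groups the exploit-local options. In a real go-exploit module
// these would be package-level globals registered in main() before
// exploit.RunProgram; a struct is used here so the parser can run repeatedly.
type exploitOpts struct {
	Command     string // hypothetical -cmd flag: the command the payload executes
	ExploitHost bool   // mirrors -exploit-host from the snippet above
	ExploitDB   int    // mirrors -exploit-db from the snippet above
	ID          int    // mirrors -id
}

// registerFlags attaches the exploit-local flags to fs. Against the real
// framework you would register them on flag.CommandLine and let
// exploit.RunProgram call flag.Parse; the private FlagSet only keeps this
// example self-contained.
func registerFlags(fs *flag.FlagSet, o *exploitOpts) {
	fs.StringVar(&o.Command, "cmd", "id", "Command for the payload to execute (hypothetical flag)")
	fs.BoolVar(&o.ExploitHost, "exploit-host", false, "Exploit the host (mutually exclusive with -exploit-db)")
	fs.IntVar(&o.ExploitDB, "exploit-db", 0, "ID of the database to exploit (mutually exclusive with -exploit-host)")
	fs.IntVar(&o.ID, "id", 1, "ID to forge for the session")
}

// validate enforces the constraints the help text only states in prose.
// flag.Parse has no notion of mutually exclusive flags, so an exploit must
// check that itself after parsing and before touching the target.
func (o *exploitOpts) validate() error {
	if o.ExploitHost && o.ExploitDB != 0 {
		return errors.New("-exploit-host and -exploit-db are mutually exclusive")
	}
	if o.Command == "" {
		return errors.New("-cmd must not be empty")
	}
	if o.ID < 1 {
		return fmt.Errorf("-id must be positive, got %d", o.ID)
	}
	return nil
}

// parseExploitFlags parses args (without the program name) into exploitOpts
// and validates them. It stands in for the flag.Parse call that
// exploit.RunProgram performs internally; unknown flags are rejected.
func parseExploitFlags(args []string) (*exploitOpts, error) {
	o := &exploitOpts{}
	fs := flag.NewFlagSet("exploit", flag.ContinueOnError)
	registerFlags(fs, o)
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	if err := o.validate(); err != nil {
		return nil, err
	}
	return o, nil
}

func main() {
	// e.g.: go run . -cmd 'cat /etc/passwd' -exploit-host
	o, err := parseExploitFlags(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid options:", err)
		os.Exit(2)
	}
	fmt.Printf("payload command: %q (exploit-host=%v, exploit-db=%d, id=%d)\n",
		o.Command, o.ExploitHost, o.ExploitDB, o.ID)
}
```

The validation step is the part worth copying: because RunProgram only parses, any invariant between your flags (mutual exclusion, a required value when another flag is set) has to be checked in your own code, ideally before the exploit sends its first request.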

WHIJK commented 4 months ago

Thanks. The advice is very helpful.