Automated search for Proof-of-Concept scripts for CVEs (sploitscan)
Introduction
The Kali Linux 2024.2 release added a tool that automates the search for PoC scripts for exploiting vulnerabilities: sploitscan. At the time of writing, the tool supports the following exploit databases:
- GitHub
- ExploitDB
- VulnCheck (API key required)
- Packet Storm
- Nuclei
This article is presented for educational purposes only. The "GISCYBERTEAM" Red Team community bears no responsibility for any consequences of its use by third parties.
Installation
From source:
git clone https://github.com/xaitax/SploitScan.git
cd SploitScan
pip install -r requirements.txt
Via pip:
pip install --user sploitscan
On Kali Linux via apt:
apt install sploitscan
Initial configuration
The tool can integrate with VulnCheck and OpenAI, so if you need those services, create a config.json file in one of these directories:
Enter the API keys into the created configuration file:
{
  "vulncheck_api_key": "your_vulncheck_api_key",
  "openai_api_key": "your_openai_api_key"
}
Usage example
To display the help, use sploitscan -h:
sploitscan -h
(ASCII-art banner omitted)
v0.9 / Alexander Hagenah / @xaitax

usage: sploitscan.py [-h] [-e {json,JSON,csv,CSV,html,HTML}] [-t {nessus,nexpose,openvas,docker}] [-i IMPORT_FILE] [cve_ids ...]

SploitScan: Retrieve and display vulnerability data as well as public exploits for given CVE ID(s).

positional arguments:
  cve_ids               Enter one or more CVE IDs to fetch data. Separate multiple CVE IDs with spaces. Format for each ID: CVE-YYYY-NNNNN. This argument is optional if an import file is provided using the -n option.

options:
  -h, --help            show this help message and exit
  -e {json,JSON,csv,CSV,html,HTML}, --export {json,JSON,csv,CSV,html,HTML}
                        Optional: Export the results to a JSON, CSV, or HTML file. Specify the format: 'json', 'csv', or 'html'.
  -t {nessus,nexpose,openvas,docker}, --type {nessus,nexpose,openvas,docker}
                        Specify the type of the import file: 'nessus', 'nexpose', 'openvas' or 'docker'.
  -i IMPORT_FILE, --import-file IMPORT_FILE
                        Path to an import file from a vulnerability scanner. If used, CVE IDs can be omitted from the command line arguments.
The -e (--export) option exports the tool's results to a JSON, CSV or HTML file.
The -t (--type) argument, together with -i (--import-file), retrieves data on the CVEs found from the export files of vulnerability scanners.
Let's take the Spring4Shell vulnerability (CVE-2022-22965) as an example and try to find a PoC for it. To do so, run sploitscan CVE-2022-22965:
$ sploitscan CVE-2022-22965
(ASCII-art banner omitted)
v0.9 / Alexander Hagenah / @xaitax

╔════════════════════════╗
║ CVE ID: CVE-2022-22965 ║
╚════════════════════════╝

┌───[ 🔍 Vulnerability information ]
|
├ Published:   2022-04-01
├ Base Score:  N/A (N/A)
├ Vector:      N/A
└ Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

┌───[ ♾ Exploit Prediction Score (EPSS) ]
|
└ EPSS Score: 97.48% Probability of exploitation.

┌───[ 🛡 CISA KEV Catalog ]
|
├ Listed:     Yes
└ Ransomware: Unknown

┌───[ 💣 GitHub Exploits ]
|
├ Date: 2023-11-13
└ URL: https://github.com/LucasPDiniz/CVE-2022-22965
|
├ Date: 2023-08-13
└ URL: https://github.com/h4ck0rman/Spring4Shell-PoC
|
├ Date: 2023-06-20
└ URL: https://github.com/jakabakos/spring4shell
|
├ Date: 2023-06-07
└ URL: https://github.com/dbgee/Spring4Shell
|
├ Date: 2023-06-04
└ URL: https://github.com/BKLockly/CVE-2022-22965
|
├ Date: 2023-05-31
└ URL: https://github.com/bL34cHig0/Telstra-Cybersecurity-Virtual-Experience-
|
├ Date: 2023-03-13
└ URL: https://github.com/gokul-ramesh/Spring4Shell-PoC-exploit
|
├ Date: 2023-03-02
└ URL: https://github.com/c33dd/CVE-2022-22965
|
├ Date: 2023-02-28
└ URL: https://github.com/pwnwriter/CVE-2022-22965
|
├ Date: 2023-01-04
└ URL: https://github.com/ajith737/Spring4Shell-CVE-2022-22965-POC

┌───[ 💥 VulnCheck Exploits ]
|
└ API key for VulnCheck is not configured correctly.

┌───[ 👾 Exploit-DB Exploits ]
|
└ ❌ No data found.

┌───[ 🎆 PacketStorm Exploits ]
|
└ URL: https://packetstormsecurity.com/search/?q=CVE-2022-22965

┌───[ ⚛ Nuclei Template ]
|
└ URL: https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2022/CVE-2022-22965.yaml

┌───[ ⚠ Patching Priority Rating ]
|
└ Priority: A+

┌───[ 📚 Further References ]
|
├ https://tanzu.vmware.com/security/cve-2022-22965
├ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
├ https://www.oracle.com/security-alerts/cpuapr2022.html
├ https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
├ http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
├ https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
├ https://www.oracle.com/security-alerts/cpujul2022.html
└ http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html

┌───[ 🤖 AI-Powered Risk Assessment ]
|
| ❌ OpenAI API key is not configured correctly.
|
└────────────────────────────────────────
As you can see, the tool returned a large number of Proof-of-Concept scripts.
A "real" example
To illustrate using the tool together with vulnerability scanners, a vulnerable machine was used. A scanner was run which, among other things, detected the vulnerability discussed above.
Export the scanner results to the file giscyber.nessus and run the tool with sploitscan -t nessus -i giscyber.nessus:
sploitscan -t nessus -i giscyber.nessus
(ASCII-art banner omitted)
v0.9 / Alexander Hagenah / @xaitax

📥 Successfully imported 1 CVE(s) from 'giscyber.nessus'.

╔════════════════════════╗
║ CVE ID: CVE-2022-22965 ║
╚════════════════════════╝

(the remaining output is identical to the CVE-2022-22965 run shown above: vulnerability information, EPSS score, CISA KEV status, the GitHub exploit list, VulnCheck/Exploit-DB/PacketStorm/Nuclei sections, patching priority A+, further references and the AI risk-assessment notice)
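The -t nessus / -i import above hands the whole scanner export to the tool. The following script is an added example (it is not SploitScan's own code) that performs that first step on its own: it pulls the CVE IDs out of a Nessus export (the NessusClientData_v2 XML format), deduplicates them across hosts, rejects values that do not match the CVE-YYYY-NNNNN form the help text asks for, and assembles the positional arguments for a single sploitscan call. The embedded .nessus document is constructed for the example; its hosts (RFC 5737 documentation addresses) and plugin IDs are made up, so it runs offline.

```python
"""Collect CVE IDs from a Nessus (.nessus, NessusClientData_v2) export.

Added example, not part of SploitScan. It mirrors the idea behind
`sploitscan -t nessus -i <file>` so the CVE list can be reviewed and
deduplicated before it is passed to any exploit-database lookup.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Strict form of a CVE identifier: CVE-YYYY-NNNN, four or more sequence digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample export (not real scan data): hosts and plugin IDs are made up.
# It contains one finding on two hosts, one finding without a CVE, a lowercase
# CVE and a malformed one, to exercise every branch below.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="giscyber">
    <ReportHost name="192.0.2.10">
      <ReportItem port="8080" protocol="tcp" severity="4" pluginID="100001"
                  pluginName="Spring Framework Spring4Shell RCE">
        <cve>CVE-2022-22965</cve>
        <cvss3_base_score>9.8</cvss3_base_score>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" severity="0" pluginID="100002"
                  pluginName="SSH Server Type and Version">
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="8080" protocol="tcp" severity="4" pluginID="100001"
                  pluginName="Spring Framework Spring4Shell RCE">
        <cve>CVE-2022-22965</cve>
        <cve>cve-2022-22963</cve>
        <cve>CVE-22-1</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def extract_cves(nessus_xml: str):
    """Return ({cve_id: sorted affected hosts}, [raw values that were rejected])."""
    # ElementTree is adequate for exports you produced yourself; for files from
    # untrusted sources parse with defusedxml to guard against entity expansion.
    root = ET.fromstring(nessus_xml)
    hosts_by_cve = defaultdict(set)
    rejected = []
    for host in root.iter("ReportHost"):
        host_name = host.get("name", "?")
        for item in host.iter("ReportItem"):
            # A ReportItem may carry zero, one or several <cve> children.
            for cve in item.findall("cve"):
                raw = (cve.text or "").strip()
                norm = raw.upper()  # some exports emit lowercase identifiers
                if CVE_RE.match(norm):
                    hosts_by_cve[norm].add(host_name)
                else:
                    rejected.append(raw)
    return {k: sorted(v) for k, v in hosts_by_cve.items()}, rejected


def sploitscan_args(hosts_by_cve):
    """Unique, sorted CVE IDs: the positional arguments for one sploitscan run."""
    return sorted(hosts_by_cve)


if __name__ == "__main__":
    found, bad = extract_cves(SAMPLE_NESSUS)
    for cve_id, hosts in sorted(found.items()):
        print(f"{cve_id}: {len(hosts)} host(s) -> {', '.join(hosts)}")
    if bad:
        print("rejected values:", bad)
    print("sploitscan " + " ".join(sploitscan_args(found)))
```

Running the script prints two CVEs (CVE-2022-22963 on one host, CVE-2022-22965 on both) and rejects the malformed `CVE-22-1`; the last line is the command you would actually run. Collecting the list this way first is useful in an engagement because each CVE passed to sploitscan becomes a query to GitHub, PacketStorm and the other sources, so you can drop informational findings and confirm that every identifier is well-formed before anything leaves the machine.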
Use the first exploit from the list against the target system:
Check that the exploit works and celebrate:
Conclusion
We have looked at a small but useful tool that cuts the time spent searching for Proof-of-Concept scripts during a pentest or a CTF.