Add support for file format (document generation) exploits and local exploits

Author: j-baines

cli/commandline.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"io"
 	"net"
 	"os"
 	"strconv"
@@ -408,8 +409,25 @@ func dbFlags(conf *config.Config) {
 	flag.IntVar(&db.GlobalHTTPRespCacheLimit, "cacheMax", 10*(1024*1024), "The maximum size of an HTTP response that can be cached")
 }
 
-// handlue generic sounding c2 flags.
-func c2Flags(conf *config.Config) {
+// handle generic sounding c2 flags.
+func c2Flags(c2Selection *string, conf *config.Config) {
+	c2Default, _ := c2.ImplToString(conf.SupportedC2[0])
+	c2Available := "The C2 server implementation to use. Supported: "
+	for _, value := range conf.SupportedC2 {
+		c2Name, ok := c2.ImplToString(value)
+		if ok {
+			c2Available += "\n\t" + c2Name
+		}
+
+		// add the supported c2 flags, allowing for command line config of the backend
+		impl, success := c2.GetInstance(value)
+		if success {
+			impl.CreateFlags()
+		}
+	}
+	c2Available += "\n"
+	flag.StringVar(c2Selection, "c2", c2Default, c2Available)
+
 	// flags unique to remote code execution
 	flag.IntVar(&conf.Bport, "bport", 0, "The port to attach the bind shell to")
 
@@ -423,6 +441,31 @@ func c2Flags(conf *config.Config) {
 	flag.BoolVar(&conf.ThirdPartyC2Server, "o", false, "Indicates if the reverse shell should be caught by an outside program (nc, openssl)")
 }
 
+// loop through the c2 the exploit supports and find the one the user actually selected.
+func validateC2Selection(c2Selection string, conf *config.Config) bool {
+	c2Selected, ok := c2.StringToImpl(c2Selection)
+	if !ok {
+		output.PrintFrameworkError("Provided an invalid c2 implementation")
+
+		return false
+	}
+	// is this a supported c2?
+	foundSupported := false
+	for _, value := range conf.SupportedC2 {
+		if c2Selected == value {
+			foundSupported = true
+		}
+	}
+	if !foundSupported {
+		output.PrintFrameworkError("The c2 you selected is not supported by this exploit.")
+
+		return false
+	}
+	conf.C2Type = c2Selected
+
+	return true
+}
+
 // Parses the command line arguments used by RCE exploits.
 func CodeExecutionCmdLineParse(conf *config.Config) bool {
 	var rhosts string
@@ -432,6 +475,7 @@ func CodeExecutionCmdLineParse(conf *config.Config) bool {
 	var frameworkLogLevel string
 	var exploitLogLevel string
 	var proxy string
+	var c2Selection string
 
 	dbFlags(conf)
 	proxyFlags(&proxy)
@@ -440,26 +484,7 @@ func CodeExecutionCmdLineParse(conf *config.Config) bool {
 	localHostFlags(conf)
 	exploitFunctionality(conf)
 	sslFlags(conf)
-	c2Flags(conf)
-
-	// c2 selection. defaults to the implementations first supported value
-	var c2Selection string
-	c2Default, _ := c2.ImplToString(conf.SupportedC2[0])
-	c2Available := "The C2 server implementation to use. Supported: "
-	for _, value := range conf.SupportedC2 {
-		c2Name, ok := c2.ImplToString(value)
-		if ok {
-			c2Available += "\n\t" + c2Name
-		}
-
-		// add the supported c2 flags, allowing for command line config of the backend
-		impl, success := c2.GetInstance(value)
-		if success {
-			impl.CreateFlags()
-		}
-	}
-	c2Available += "\n"
-	flag.StringVar(&c2Selection, "c2", c2Default, c2Available)
+	c2Flags(&c2Selection, conf)
 
 	flag.Usage = func() {
 		// banner explaining what the software is
@@ -478,23 +503,7 @@ func CodeExecutionCmdLineParse(conf *config.Config) bool {
 
 	// validate a reverse shell or bind shell params are correctly specified
 	if conf.DoExploit {
-		c2Selected, ok := c2.StringToImpl(c2Selection)
-		if !ok {
-			output.PrintFrameworkError("Provided an invalid c2 implementation")
-			success = false
-		}
-		// is this a supported c2?
-		foundSupported := false
-		for _, value := range conf.SupportedC2 {
-			if c2Selected == value {
-				foundSupported = true
-			}
-		}
-		if !foundSupported {
-			output.PrintFrameworkError("The c2 you selected is not supported by this exploit.")
-			success = false
-		}
-		conf.C2Type = c2Selected
+		success = validateC2Selection(c2Selection, conf)
 
 		if rhostsFile == "-" {
 			// this is a pretty dirty check but c2 that use stdin can't be used after piping targets in
@@ -589,3 +598,132 @@ func WebShellCmdLineParse(conf *config.Config) bool {
 	return handleLogOptions(logFile, frameworkLogLevel, exploitLogLevel) &&
 		commonValidate(conf, rhosts, rports, rhostsFile) && handleRhostsOptions(conf, rhosts, rports, rhostsFile)
 }
+
+func loadFileFormatTemplate(templateFilePath string, conf *config.Config) bool {
+	if len(templateFilePath) == 0 {
+		// the user doesn't have to provide an -in. There are plenty of scenarios where I could imagine
+		// the template would be embedded in the exploit. That seems fine to me.
+		return true
+	}
+
+	fileTemplate, err := os.Open(templateFilePath)
+	if err != nil {
+		output.PrintfFrameworkError("Failed to open the template file: %s", err.Error())
+
+		return false
+	}
+	defer fileTemplate.Close()
+
+	content, err := io.ReadAll(fileTemplate)
+	if err != nil {
+		output.PrintfFrameworkError("Failed to read the template file: %s", err.Error())
+
+		return false
+	}
+
+	conf.FileTemplateData = string(content)
+	if len(conf.FileTemplateData) == 0 {
+		output.PrintfFrameworkError("The template file was empty")
+
+		return false
+	}
+
+	return true
+}
+
+// FileFormat doesn't handle any type of remote host configuration. FileFormat exploits just
+// take an -in and and -out, where "in" is expected to be some type of template and "out" is
+// the file to generate.
+func FormatFileCmdLineParse(conf *config.Config) bool {
+	var logFile string
+	var frameworkLogLevel string
+	var exploitLogLevel string
+	var templateFile string
+	var c2Selection string
+
+	loggingFlags(&logFile, &frameworkLogLevel, &exploitLogLevel)
+	localHostFlags(conf)
+	exploitFunctionality(conf)
+	c2Flags(&c2Selection, conf)
+	flag.StringVar(&templateFile, "in", "", "The file format template to work with")
+	flag.StringVar(&conf.FileFormatFilePath, "out", "", "The file to write the malicious file to")
+
+	flag.Usage = func() {
+		// banner explaining what the software is
+		fmt.Printf("An exploit for %s %s that crafts a malicious file\n\n", conf.Product, conf.CVE)
+
+		// print default usage information
+		flag.PrintDefaults()
+
+		// usage examples
+		fmt.Println("Usage example:")
+		fmt.Println("\t./exploit -e -in <file> -out <file>")
+	}
+	flag.Parse()
+
+	if !loadFileFormatTemplate(templateFile, conf) {
+		return false
+	}
+	if len(conf.FileFormatFilePath) == 0 {
+		output.PrintFrameworkError("Must provide an -out parameter")
+
+		return false
+	}
+	if !conf.DoExploit {
+		output.PrintFrameworkError("Exploitation must be invoked for file format exploits")
+
+		return false
+	}
+	if conf.DoVerify || conf.DoVersionCheck {
+		output.PrintFrameworkError("Verification and version checking are disabled for file format exploits")
+
+		return false
+	}
+	if !validateC2Selection(c2Selection, conf) {
+		return false
+	}
+	if !conf.ThirdPartyC2Server && (conf.Lport == 0 || len(conf.Lhost) == 0) {
+		output.PrintFrameworkError("Missing exploitation options (-Lhost or -Lport)")
+
+		return false
+	}
+
+	return handleLogOptions(logFile, frameworkLogLevel, exploitLogLevel)
+}
+
+func LocalCmdLineParse(conf *config.Config) bool {
+	var logFile string
+	var frameworkLogLevel string
+	var exploitLogLevel string
+	var c2Selection string
+
+	loggingFlags(&logFile, &frameworkLogLevel, &exploitLogLevel)
+	localHostFlags(conf)
+	exploitFunctionality(conf)
+	c2Flags(&c2Selection, conf)
+
+	flag.Usage = func() {
+		// banner explaining what the software is
+		fmt.Printf("An exploit for %s %s that exploits a local vulnerability\n\n", conf.Product, conf.CVE)
+
+		// print default usage information
+		flag.PrintDefaults()
+
+		// usage examples
+		fmt.Println("Usage example:")
+		fmt.Println("\t./exploit -e")
+	}
+	flag.Parse()
+
+	if !validateC2Selection(c2Selection, conf) {
+		return false
+	}
+
+	if !conf.ThirdPartyC2Server && (conf.Lport == 0 || len(conf.Lhost) == 0) {
+		output.PrintFrameworkError("Missing exploitation options (-Lhost or -Lport)")
+
+		return false
+	}
+
+	return handleLogOptions(logFile, frameworkLogLevel, exploitLogLevel)
+}

cli/commandline_test.go

@@ -1,6 +1,7 @@
 package cli
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/vulncheck-oss/go-exploit/c2"
@@ -285,3 +286,16 @@ func TestParseIntelJSON(t *testing.T) {
 		t.Fatal("Invalid triplet parsing")
 	}
 }
+
+func TestFileFormatParams(t *testing.T) {
+	conf := config.NewLocal(config.FileFormat, []c2.Impl{}, "test product", "CVE-2023-1270")
+	if !loadFileFormatTemplate("", conf) {
+		t.Fatal("an empty file path should pass validation")
+	}
+	if !loadFileFormatTemplate("commandline_test.go", conf) {
+		t.Fatal("failed to load the file format template")
+	}
+	if !strings.Contains(conf.FileTemplateData, "TestFileFormatParams") {
+		t.Fatal("failed to load the file format template")
+	}
+}

config/config.go

@@ -10,6 +10,8 @@ const (
 	CodeExecution         ExploitType = 0
 	InformationDisclosure ExploitType = 1
 	Webshell              ExploitType = 2
+	FileFormat            ExploitType = 3
+	Local                 ExploitType = 4
 )
 
 type SSLSupport int
@@ -73,6 +75,10 @@ type Config struct {
 	ThirdPartyC2Server bool
 	// The database we are working with
 	DBName string
+	// File format template
+	FileTemplateData string
+	// File format exploit output
+	FileFormatFilePath string
 }
 
 func New(extype ExploitType, supportedC2 []c2.Impl, product string, cve string, defaultPort int) *Config {
@@ -85,3 +91,13 @@ func New(extype ExploitType, supportedC2 []c2.Impl, product string, cve string,
 
 	return returnVal
 }
+
+func NewLocal(extype ExploitType, supportedC2 []c2.Impl, product string, cve string) *Config {
+	returnVal := new(Config)
+	returnVal.ExType = extype
+	returnVal.SupportedC2 = supportedC2
+	returnVal.Product = product
+	returnVal.CVE = cve
+
+	return returnVal
+}

docs/exploit-types.md

@@ -1,17 +1,25 @@
 # `go-exploit` Exploit Types
 
-The `go-exploit` framework currently supports three exploit types. These types determine how the command-line interface accepts arguments and define the post-exploitation behavior. The three exploit types are defined in `config/config.go`:
+The `go-exploit` framework currently supports three exploit types. These types determine how the command-line interface accepts arguments and define the post-exploitation behavior. The fives exploit types are defined in `config/config.go`:
 
 1. CodeExecution
 2. InformationDisclosure
 3. Webshell
+4. File Format
+5. Local
 
-To configure the exploit type in the exploit's `main` function, you can use the `config.New` function as follows:
+To configure the exploit type in the exploit's `main` function, you can use the `config.New` function for remote exploits as follows:
 
 ```go
 conf := config.New(config.CodeExecution, supportedC2, "My Target", "CVE-2023-1270", 80)
 ```
 
+Local exploits (including File Format) omits the default port:
+
+```go
+conf := config.NewLocal(config.FileFormat,s upportedC2, "My Target", "CVE-2023-1270")
+```
+
 ## Examples
 
 ### Code Execution