Skip to content

Latest commit

 

History

History
311 lines (246 loc) · 8.69 KB

spec.md

File metadata and controls

311 lines (246 loc) · 8.69 KB
Raw
version
v0.4.3

Sploit Specification

1. Top level commands

Commands Alias Description
env e information collection
exploit x run a exploit
checksec c detect vulnerabilities
auto a auto gathering information, and detect vuls, and exploit
version - show sploit tool's version
spec-version - show which spec does the sploit tool use

1.1 version command

execute xsploit version, output:

xsploit <license: [public|pro|...]> version v0.0.1[+dev], build <gitcommit> at <datetime>

  • license can be public, pro, or any other value you want
  • version follows Semantic Versioning 2.0.0
  • gitcommit is the first 7 characters of the latest commit's hash
  • datetime follows the RFC3339 format

e.g.

$ ctrsploit version
ctrsploit public version v0.5.0+dev, build 6165b8e at 2023-05-31T07:36:02Z

1.2 checksec command

check vulnerability exists

e.g.

❯ ./bin/release/xsploit_linux_amd64 checksec     
NAME:
   xsploit checksec - check security inside a container

USAGE:
   xsploit checksec command [command options] [arguments...]

COMMANDS:
   auto                 auto
   CVE-2099-9999, 2099  Description of CVE-2099-9999
   help, h              Shows a list of commands or help for one command

OPTIONS:
   --help, -h  show help

❯ ./bin/release/xsploit_linux_amd64 checksec 2099
[Y]  CVE-2099-9999      # Description of CVE-2099-9999
❯ ./bin/release/xsploit_linux_amd64 --json checksec 2099
{"name":"CVE-2099-9999","description":"Description of CVE-2099-9999","result":false}
❯ ./bin/release/xsploit_linux_amd64 --json checksec auto
{"CVE-2099-9999":{"name":"CVE-2099-9999","description":"Description of CVE-2099-9999","result":true}}

There can be submodules under checksec. e.g. checksec mysql CVE-2088-8888

checksec can also be a single binary thanks to Command2App()

❯ .checksec_linux_amd64 --json a
{"CVE-2099-9999":{"name":"CVE-2099-9999","description":"Description of CVE-2099-9999","result":true}}

1.2.1 Vulnerability

Vulnerability is an interface provide these methods:

github.com/ctrsploit/sploit-spec/pkg/vul.Vulnerability

type Vulnerability interface {
	// GetName returns a one word name; may be used as command name
	GetName() string
	// GetDescription return usage
	GetDescription() string
	GetVulnerabilityExists() bool
	Info()
	// CheckSec whether vulnerability exists
	CheckSec() (bool, error)
	// Output shows checksec result
	Output()
	// Exploitable whether vulnerability can be exploited,
	// will be called automatically before Exploit()
	Exploitable() (bool, error)
	Exploit() (err error)
}

What developer should do is implement a Vulnerability object, and convert it to a cli.Command.

var Command = &cli.Command{
	Name:    "checksec",
	Aliases: []string{"c"},
	Usage:   "check security inside a container",
	Subcommands: []*cli.Command{
		app.Vul2ChecksecCmd(vul.CVE_2099_9999_v1, []string{"2099"}),
	},
}
var (
	CVE_2099_9999_v1 = &CVE_2099_9999{
		vul.BaseVulnerability{
			Name:        "CVE-2099-9999",
			Description: "Description of CVE-2099-9999",
			CheckSecPrerequisites: prerequisite.Prerequisites{
				&prerequisite2.EvenTime,
			},
			ExploitablePrerequisites: prerequisite.Prerequisites{
				&user.MustBeRoot,
			},
		},
	}
)

func (cve CVE_2099_9999) Exploit() (err error) {
	err = cve.BaseVulnerability.Exploit()
	if err != nil {
		return
	}
	fmt.Println("CVE-2099-9999 has exploited")
	return
}

There's a 'BaseClass' BaseVulnerability implemented some methods:

github.com/ctrsploit/sploit-spec/pkg/vul.BaseVulnerability

type BaseVulnerability struct {
	Name                     string                     `json:"name"`
	Description              string                     `json:"description"`
	VulnerabilityExists      bool                       `json:"vulnerability_exists"`
	CheckSecHaveRan          bool                       `json:"-"`
	CheckSecPrerequisites    prerequisite.Prerequisites `json:"-"`
	ExploitablePrerequisites prerequisite.Prerequisites `json:"-"`
}

func (v *BaseVulnerability) CheckSec() (vulnerabilityExists bool, err error) {
    vulnerabilityExists, err = v.CheckSecPrerequisites.Satisfied()
    if err != nil {
        return
    }
    v.VulnerabilityExists = vulnerabilityExists
    v.CheckSecHaveRan = true
    return
}

Vulnerability has two types of prerequisite:

  1. Whether vulnerability exists?
  2. Whether vulnerability can be exploited? (We may do not require permissions to execute exploit but the vulnerability exists)

CheckSec method actually check the first type prerequisite.

1.2.2 prerequisite

Prerequisite is an Interface provide these methods:

github.com/ctrsploit/sploit-spec/pkg/prerequisite.Interface

type Interface interface {
	Check() error
	Output()
	GetSatisfied() bool
}

What developer should do is implement a Prerequisite object.

e.g.

github.com/ctrsploit/sploit-spec/pkg/prerequisite/user

type MustBe struct {
	ExpectedUser uint
	prerequisite.BasePrerequisite
}

func (p *MustBe) Check() (err error) {
    err = p.BasePrerequisite.Check()
    if err != nil {
        return
    }
    current, err := user.Current()
    if err != nil {
        awesome_error.CheckErr(err)
        return
    }
    u, err := strconv.Atoi(current.Uid)
    if err != nil {
        awesome_error.CheckErr(err)
        return
    }
    p.Satisfied = uint(u) == p.ExpectedUser
    return
}

1.3 env

The env list to be collected:

upload

upload env info to obs.

register the upload subcommand to env command

Upload = upload.GenerateUploadCommand(func() (content []byte, err error) {
    env := auto.Auto()
    content, err = json.Marshal(env)
    if err != nil {
        return
    }
    return
})

The upload subcommand has 4 Arguments, including servicename, filename, obsurl, obshots

//eg. ECS
servicename := context.Args().Get(0)
// region_tag.json eg. cn-north4_linux.json
filename := context.Args().Get(1)
// obsurl
obs := context.Args().Get(2)
// obshost (if want to hide obs upload behavior), put your real obsurl in here, put the fake url in obsurl
host := context.Args().Get(3)
if servicename == "" {
    return
}
  • servicename: like ECS\CCE
  • filename: tag_region.json (cn-north4_linux.json)
  • obs: the target obs url
  • host(optional): If you want to hide the obs upload behaviro, Put the real obs url in here, and put the fake url in obsurl.

finally, the subcommand is like:

xsploit env upload local cn-north7_linux.json http://xxx.com aaa.com

1.4 exploit command

2. suggested file structure

According to https://github.com/golang-standards/project-layout:

  • /bin: contains the built binary
    • /release
  • /cmd
    • /xsploit/: the cli directory
      • /env/: top level command env and it's subcommands' cli.Command definition
      • /exploit/: top level command exploit and it's subcommands' cli.Command definition
      • /checksec/: top level command checksec and it's subcommands' cli.Command definition
      • /auto/: top level command auto and it's subcommands' cli.Command definition
      • /version/: top level command version and it's subcommands' cli.Command definition
  • /env/: env implementations
  • /exploit/: exploit implementations
  • /checksec/: checksec implementations
  • /version: a file contains version information
  • /test/: Additional external test apps and test data.
  • /pkg/: Library code that's ok to use by external applications.

3. json/text/colorful output mode

x-sploit provide 3 output options:

GLOBAL OPTIONS:
   --colorful  output colorfully (default: false)
   --json      output colorfully (default: false)

Usage

x-sploit --colorful subcommands

E.g.

Coding examples see