
[CVE-2023-0669] GoAnywhere Vulnerability (command injection)

Prokhorenco (User, registered 18.02.2023, 192 messages, 305 reactions)
I've been reading about cl0p group exploiting GoAnywhere (CVE-2023-0669) and having great success exfiltrating data.

Scanning (ports may vary):
1. masscan -p8001,8000 -Pn -sS -iL ranges.txt -oL results --rate 10000 --excludefile block.txt
2. Filter IPs: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" results > results_list
3. Append port to IP for vuln scan: sed -i 's/$/:8001/' results_list
4. nuclei -l results_list -t nuclei-templates/cves/2023/CVE-2023-0669.yaml

References:
[1] https://www.rapid7.com/db/modules/exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669/ (msf exploit)
[2] https://www.rapid7.com/db/vulnerabilities/goanywhere-cve-2023-0669-remote-code-injection/
[3] https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/

News:
[1] https://www.malwarebytes.com/blog/n...mware-is-victimizing-goanywhere-mft-customers
[2] https://www.securityweek.com/hitach...n-zero-day-as-ransomware-gang-threatens-firm/
[3] https://www.bleepingcomputer[.]com/...-breached-130-orgs-using-goanywhere-zero-day/

Are you sure it's ports 8000 and 8001? It seems to me that maybe it's 443?
 
Quote: "Are you sure it's ports 8000 and 8001? It seems to me that maybe it's 443?"
Yes, it's true that anyone can change the software away from its default ports. I gathered the port numbers from Bleeping and the Metasploit exploit. That's why I included additional reading ;)

While Shodan shows that over 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001 (the ones used by the vulnerable admin console).
Source: https://www.bleepingcomputer[.]com/...-breached-130-orgs-using-goanywhere-zero-day/

Technically you can scan any and all ports hoping to find GoAnywhere. But in spray-and-pray attacks it's best to scan the default ports and/or well-known uncommon port numbers. From other scans I would suggest -p443,8001,8000,80 mainly. If you know otherwise, please comment for others to learn from :)
Based on the documentation on page 8 and page 32 (the published ports, especially for DMZ >> link <<<), when I scanned the ports I got the best result on port 443, which also coincides with the scan using IoT. I got nothing from ports 8000 and 8001.
If I'm wrong, correct me.
https://www.bleepingcomputer[.]com/...-confirms-data-theft-via-goanywhere-zero-day/

Quote: "While Shodan shows that over 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001 (the ones used by the vulnerable admin console)."
Source: https://www.bleepingcomputer[.]com/...-breached-130-orgs-using-goanywhere-zero-day/