Add protocol/grpc helper for plaintext gRPC exploits (#588)

Author: vlobstein-vc

go.mod

@@ -14,6 +14,7 @@ require (
 	golang.org/x/net v0.54.0
 	golang.org/x/sys v0.44.0
 	golang.org/x/text v0.37.0
+	google.golang.org/grpc v1.81.0
 	modernc.org/sqlite v1.50.1
 )
 
@@ -28,6 +29,8 @@ require (
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	golang.org/x/sync v0.20.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	modernc.org/libc v1.72.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect

go.sum

@@ -4,12 +4,18 @@ github.com/antchfx/htmlquery v1.3.6 h1:RNHHL7YehO5XdO8IM8CynwLKONwRHWkrghbYhQIk9
 github.com/antchfx/htmlquery v1.3.6/go.mod h1:kcVUqancxPygm26X2rceEcagZFFVkLEE7xgLkGSDl/4=
 github.com/antchfx/xpath v1.3.6 h1:s0y+ElRRtTQdfHP609qFu0+c6bglDv20pqOViQjjdPI=
 github.com/antchfx/xpath v1.3.6/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emiago/sipgo v1.1.2 h1:JvLqEvqNSQm2mBX40qZ7O0WC3Ee67Z0UrfmBI7y6Beo=
 github.com/emiago/sipgo v1.1.2/go.mod h1:DuwAxBZhKMqIzQFPGZb1MVAGU6Wuxj64oTOhd5dx/FY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
@@ -18,8 +24,11 @@ github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
 github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -44,6 +53,18 @@ github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8
 github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906 h1:qHFp1iRg6qE8xYel3bQT9x70pyxsdPLbJnM40HG3Oig=
 github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
@@ -122,6 +143,14 @@ golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxb
 golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
 golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.81.0 h1:W3G9N3KQf3BU+YuCtGKJk0CmxQNbAISICD/9AORxLIw=
+google.golang.org/grpc v1.81.0/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=

protocol/grpc/grpc.go

@@ -0,0 +1,160 @@
+// Package grpc helps exploit modules talk to plaintext (h2c) or TLS
+// gRPC services. Two layers:
+//
+//   - Invoke is the fast path for unary RPCs: one request, one response,
+//     no grpc-go imports on the caller side.
+//
+//     body := grpc.EncodeBytesField(1, payload)
+//     out, ok := grpc.Invoke(host, port, "/svc/Method", body, 5, conf.SSL)
+//
+//   - Dial returns a *grpc.ClientConn pre-configured with the raw codec
+//     and transport. Use it when Invoke is not enough: server- /
+//     client- / bidi-streaming RPCs, gRPC reflection, or reusing one
+//     connection across many calls. The caller drives the standard
+//     grpc-go ClientStream API and is responsible for closing the conn.
+//
+// EncodeBytesField / EncodeStringField wrap a value as a proto3
+// length-delimited field so callers can build proto messages by hand on
+// the simple cases. For complex schemas, callers bring their own
+// protoc-generated marshallers and pass the resulting bytes through.
+package grpc
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+	"time"
+
+	"github.com/vulncheck-oss/go-exploit/output"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/encoding"
+)
+
+const rawCodecName = "vulncheck-raw-bytes"
+
+// rawCodec passes pre-encoded protobuf bytes through grpc-go untouched
+// so callers can hand-roll proto3 wire format without protoc.
+type rawCodec struct{}
+
+var errCodecType = errors.New("grpc rawCodec: unexpected value type")
+
+func (rawCodec) Marshal(v any) ([]byte, error) {
+	b, ok := v.([]byte)
+	if !ok {
+		return nil, fmt.Errorf("%w: %T (want []byte)", errCodecType, v)
+	}
+
+	return b, nil
+}
+
+func (rawCodec) Unmarshal(data []byte, v any) error {
+	out, ok := v.(*[]byte)
+	if !ok {
+		return fmt.Errorf("%w: %T (want *[]byte)", errCodecType, v)
+	}
+	*out = data
+
+	return nil
+}
+
+func (rawCodec) Name() string { return rawCodecName }
+
+// grpc-go's codec registry is process-wide, so registration must be
+// package-level.
+//
+//nolint:gochecknoinits
+func init() {
+	encoding.RegisterCodec(rawCodec{})
+}
+
+// Dial opens a gRPC client connection with the package's raw codec and
+// the chosen transport. ssl picks h2c (false) or TLS (true); under TLS
+// the client skips certificate verification (exploit targets routinely
+// use self-signed certs). The caller is responsible for Close. Returns
+// ok=false on any error from grpc.NewClient; the underlying error is
+// logged at framework-debug level.
+func Dial(host string, port int, ssl bool) (*grpc.ClientConn, bool) {
+	addr := net.JoinHostPort(host, strconv.Itoa(port))
+	conn, err := grpc.NewClient(addr,
+		grpc.WithTransportCredentials(transportCreds(ssl)),
+		grpc.WithDefaultCallOptions(grpc.ForceCodec(rawCodec{})),
+	)
+	if err != nil {
+		output.PrintfFrameworkDebug("grpc.NewClient(%s): %s", addr, err)
+
+		return nil, false
+	}
+
+	return conn, true
+}
+
+// Invoke runs a unary RPC with timeoutSec as the dial-and-invoke
+// budget. Returns the response body or ok=false on any failure; the
+// underlying error is logged at framework-debug level with the method,
+// host and port so failed RPCs are attributable in a multi-target run.
+func Invoke(host string, port int, method string, in []byte, timeoutSec int, ssl bool) ([]byte, bool) {
+	conn, ok := Dial(host, port, ssl)
+	if !ok {
+		return nil, false
+	}
+	defer conn.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(),
+		time.Duration(timeoutSec)*time.Second)
+	defer cancel()
+
+	var out []byte
+	if err := conn.Invoke(ctx, method, in, &out); err != nil {
+		output.PrintfFrameworkDebug("grpc Invoke %s on %s:%d: %s", method, host, port, err)
+
+		return nil, false
+	}
+
+	return out, true
+}
+
+// transportCreds picks the credential option for the requested
+// transport. The TLS config mirrors protocol/httphelper.go: certificate
+// verification is intentionally disabled and the minimum version is
+// permissive. We have no control over the SSL versions supported on the
+// remote target. Be permissive for more targets.
+func transportCreds(ssl bool) credentials.TransportCredentials {
+	if ssl {
+		return credentials.NewTLS(&tls.Config{
+			InsecureSkipVerify: true,             //nolint:gosec
+			MinVersion:         tls.VersionSSL30, //nolint:staticcheck
+		})
+	}
+
+	return insecure.NewCredentials()
+}
+
+// EncodeBytesField wraps value as a proto3 length-delimited field
+// (wire type 2). Lets modules skip protoc on messages with one or two
+// fields.
+func EncodeBytesField(fieldNumber uint32, value []byte) []byte {
+	out := appendVarint(nil, uint64(fieldNumber<<3|2))
+	out = appendVarint(out, uint64(len(value)))
+
+	return append(out, value...)
+}
+
+// EncodeStringField wraps value as a proto3 string field (same wire
+// shape as bytes).
+func EncodeStringField(fieldNumber uint32, value string) []byte {
+	return EncodeBytesField(fieldNumber, []byte(value))
+}
+
+func appendVarint(b []byte, v uint64) []byte {
+	for v >= 0x80 {
+		b = append(b, byte(v|0x80))
+		v >>= 7
+	}
+
+	return append(b, byte(v))
+}

protocol/grpc/grpc_test.go

@@ -0,0 +1,146 @@
+package grpc_test
+
+import (
+	"context"
+	"encoding/hex"
+	"fmt"
+	"net"
+	"strconv"
+	"testing"
+
+	vcgrpc "github.com/vulncheck-oss/go-exploit/protocol/grpc"
+	"google.golang.org/grpc"
+)
+
+// hexEqual asserts got matches expected hex.
+func hexEqual(t *testing.T, got []byte, expected string) {
+	t.Helper()
+	if hex.EncodeToString(got) != expected {
+		t.Fatalf("hex mismatch:\n  got      %x\n  expected %s", got, expected)
+	}
+}
+
+// Each fixture row: tag = (fieldNumber<<3)|2, then varint length, then
+// payload bytes. Verified once against protoc output during development
+// and frozen here so the suite has no Python / protoc dependency.
+func TestEncodeBytesField(t *testing.T) {
+	cases := []struct {
+		name        string
+		fieldNumber uint32
+		value       []byte
+		expected    string
+	}{
+		{"empty", 1, nil, "0a00"},
+		{"short", 1, []byte("id"), "0a026964"},
+		{"field 2", 2, []byte("x"), "120178"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			hexEqual(t, vcgrpc.EncodeBytesField(c.fieldNumber, c.value), c.expected)
+		})
+	}
+}
+
+// 256-byte payload exercises the multi-byte varint length prefix
+// (256 -> 0x80 0x02).
+func TestEncodeBytesFieldLongLength(t *testing.T) {
+	body := make([]byte, 256)
+	for i := range body {
+		body[i] = 'a'
+	}
+	got := vcgrpc.EncodeBytesField(1, body)
+	if got[0] != 0x0a || got[1] != 0x80 || got[2] != 0x02 {
+		t.Fatalf("expected tag 0x0a varint(256)=0x8002, got % x", got[:3])
+	}
+	if len(got) != 3+256 {
+		t.Fatalf("unexpected total length %d", len(got))
+	}
+}
+
+func TestEncodeStringField(t *testing.T) {
+	hexEqual(t, vcgrpc.EncodeStringField(1, "abc"), "0a03616263")
+}
+
+// startEchoServer spins up an in-process gRPC server that echoes the
+// raw bytes of every unary RPC. The handler registers under
+// /test.Echo/* so any method name on that service hits it.
+func startEchoServer(t *testing.T) (string, int, func()) {
+	t.Helper()
+
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+
+	srv := grpc.NewServer(grpc.UnknownServiceHandler(func(_ any, stream grpc.ServerStream) error {
+		var in []byte
+		if err := stream.RecvMsg(&in); err != nil {
+			return fmt.Errorf("RecvMsg: %w", err)
+		}
+		if err := stream.SendMsg(in); err != nil {
+			return fmt.Errorf("SendMsg: %w", err)
+		}
+
+		return nil
+	}))
+	go func() { _ = srv.Serve(lis) }()
+
+	addr, ok := lis.Addr().(*net.TCPAddr)
+	if !ok {
+		srv.Stop()
+		t.Fatalf("listener address is not TCP: %T", lis.Addr())
+	}
+	host, portStr, err := net.SplitHostPort(addr.String())
+	if err != nil {
+		srv.Stop()
+		t.Fatalf("split addr: %v", err)
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		srv.Stop()
+		t.Fatalf("parse port: %v", err)
+	}
+
+	return host, port, srv.Stop
+}
+
+func TestInvokeEchoesPayload(t *testing.T) {
+	host, port, stop := startEchoServer(t)
+	defer stop()
+
+	in := vcgrpc.EncodeStringField(1, "hello")
+	out, ok := vcgrpc.Invoke(host, port, "/test.Echo/Echo", in, 5, false)
+	if !ok {
+		t.Fatal("Invoke failed")
+	}
+	if hex.EncodeToString(out) != hex.EncodeToString(in) {
+		t.Fatalf("echo mismatch:\n  got      %x\n  expected %x", out, in)
+	}
+}
+
+func TestInvokeRefusedConnection(t *testing.T) {
+	// 127.0.0.1:1 is reserved and never listening.
+	if _, ok := vcgrpc.Invoke("127.0.0.1", 1, "/test.Echo/Echo", nil, 1, false); ok {
+		t.Fatal("Invoke should fail against an unreachable address")
+	}
+}
+
+func TestDialReturnsConn(t *testing.T) {
+	host, port, stop := startEchoServer(t)
+	defer stop()
+
+	conn, ok := vcgrpc.Dial(host, port, false)
+	if !ok {
+		t.Fatal("Dial returned ok=false against a live echo server")
+	}
+	defer conn.Close()
+
+	in := vcgrpc.EncodeStringField(1, "ping")
+	var out []byte
+	if err := conn.Invoke(context.Background(), "/test.Echo/Echo", in, &out); err != nil {
+		t.Fatalf("Invoke via Dial: %v", err)
+	}
+	if hex.EncodeToString(out) != hex.EncodeToString(in) {
+		t.Fatalf("dial echo mismatch:\n  got      %x\n  expected %x", out, in)
+	}
+}