Add support for Splunk 7.2.4 to 'Splunk Custom App Remote Code Execution' #11579
Conversation
resubmitted from a unique branch
…xec.md Co-Authored-By: avanzo <matteo@malvica.com>
Can you also suggest how to set the default payload to "cmd/unix/reverse_python" on linux and osx targets? I have noticed that this one is a more stable payload.
You can set a default payload for each target in your module. An example of its usage can be found here.
thank you, I have added them now on each target
Docs are looking great, a few stylistic things but some great additions!
Please run ./tools/dev/msftidy.rb modules/exploits/multi/http/splunk_upload_app_exec.rb
on this module and resolve the following violations:
[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/multi/http/splunk_upload_app_exec.rb - [INFO] No CVE references found. Please check before you land!
modules/exploits/multi/http/splunk_upload_app_exec.rb:127 - [WARNING] Spaces at EOL
modules/exploits/multi/http/splunk_upload_app_exec.rb:134 - [WARNING] Spaces at EOL
modules/exploits/multi/http/splunk_upload_app_exec.rb:139 - [WARNING] Spaces at EOL
modules/exploits/multi/http/splunk_upload_app_exec.rb:161 - [WARNING] Spaces at EOL
modules/exploits/multi/http/splunk_upload_app_exec.rb:348 - [WARNING] Spaces at EOL
modules/exploits/multi/http/splunk_upload_app_exec.rb:404 - [WARNING] Spaces at EOL
modules/exploits/multi/http/splunk_upload_app_exec.rb:414 - [WARNING] Spaces at EOL
------------------------------------------------------------------------
Edit: If there's no CVE, that's fine. The warning can safely be ignored.
    # log in to Splunk (if required)
    do_login
    # check if the target version is 7.2.4
    if target.name.include? "7.2.4"
It would be nice to know when the changes to Splunk which broke this module were introduced. Were the changes introduced in version 7.2.4? Or >= 7.x?
It may be worth starting to think about implementing different methods for each major version, ie exploit_5, exploit_6, exploit_7, etc (but better named). This method is starting to become rather long, and the target version is repeatedly checked.
Totally agree, but at the moment I am not able to test any early version of 7.x, so I would rather stick to the tested version, even though I suspect as well that changes have been introduced from 7.x.
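Covering both the default-payload question earlier in the thread and the per-major-version method suggestion above, here is an added example in plain Ruby; it is not the PR's module or Metasploit code. The target names, the select_code_path helper and the *_path symbols are assumptions, and 'cmd/windows/adduser' is assumed to be the full name of the adduser payload the PR description mentions.

```ruby
# Added example, not code from this PR or from Metasploit: a plain-Ruby sketch of
# the two review points. (1) Each target carries its own 'DefaultOptions'
# payload, so Linux/macOS targets default to cmd/unix/reverse_python and the
# Windows target to the adduser payload. (2) The code path is chosen once from a
# parsed version, instead of repeating `target.name.include? "7.2.4"` in one long
# exploit method. Target names, select_code_path and the *_path symbols are
# assumptions; 'cmd/windows/adduser' is the assumed full name of that payload.
require 'rubygems' # Gem::Version / Gem::Requirement ship with Ruby

TARGETS = [
  ['Splunk 5.x / 6.x Linux', 'unix', 'cmd/unix/reverse_python'],
  ['Splunk 7.2.4 Linux',     'unix', 'cmd/unix/reverse_python'],
  ['Splunk 7.2.4 macOS',     'osx',  'cmd/unix/reverse_python'],
  ['Splunk 7.2.4 Windows',   'win',  'cmd/windows/adduser'],
].map { |name, plat, payload|
  # Same shape as a Metasploit targets entry: the default travels with the target.
  [name, { 'Platform' => plat, 'DefaultOptions' => { 'PAYLOAD' => payload } }]
}.freeze

# Payload the framework would pre-select when this target is chosen.
def default_payload(target_name)
  _, opts = TARGETS.find { |name, _| name == target_name }
  raise ArgumentError, "unknown target #{target_name}" unless opts
  opts['DefaultOptions']['PAYLOAD']
end

# Ranges the PR description says were actually exercised: 5.x, 6.x and 7.2.4.
TESTED = [
  Gem::Requirement.new('~> 5.0'),
  Gem::Requirement.new('~> 6.0'),
  Gem::Requirement.new('= 7.2.4'),
].freeze

# One code path per major release, picked from a concrete version string
# (as a check method would obtain it), plus whether that version is inside the
# tested set. Unknown majors are refused rather than guessed at.
def select_code_path(version_string)
  v = Gem::Version.new(version_string)
  path = case v.segments.first
         when 5 then :splunk5_path
         when 6 then :splunk6_path
         when 7 then :splunk7_path
         else raise ArgumentError, "no code path for Splunk #{version_string}"
         end
  { path: path, tested: TESTED.any? { |req| req.satisfied_by?(v) } }
end
```

A 7.1.0 host maps to the 7.x path but is reported as untested, which is the caveat the reviewer raised about the 7.x train.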
Co-Authored-By: avanzo <matteo@malvica.com>
Co-Authored-By: avanzo <matteo@malvica.com>
…c.md Co-Authored-By: avanzo <matteo@malvica.com>
Co-Authored-By: avanzo <matteo@malvica.com>
…c.md Co-Authored-By: avanzo <matteo@malvica.com>
…c.md Co-Authored-By: avanzo <matteo@malvica.com>
…c.md Co-Authored-By: avanzo <matteo@malvica.com>
…c.md Co-Authored-By: avanzo <matteo@malvica.com>
Just wanted to say thanks for all the big doc updates, they look super good now (minus the one copy pasta I just posted). +1 for sticking through all of the changes and additions!
Hi, is there any more I can contribute from my side?
I didn't test Windows, but this seems alright with me. Let's ship it.
Release Notes: Expanded version support and documentation for the splunk_upload_app_exec module, including Splunk 5.x, 6.x, up to 7.2.4, has been added.
Hi,
I have been working on integrating some changes to the 'Splunk Custom App Remote Code Execution' module and including support for Splunk 7.2.4 (it might even work on the whole 7 train up to 7.2.4).
Verification steps
If targeting linux or macos, the payload will be set automatically to 'cmd/unix/reverse_python'
If targeting windows, the 'adduser' payload is automatically selected, since we do not have an available python reverse shell payload
'run' or 'exploit' and you should expect a reverse shell connection on port 4444 (or a new user added in case of windows)
It has been tested successfully on both linux and macos (windows does not support the python reverse shell, but all the other available commands are working as expected)