This Metasploit module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This Metasploit module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.
176b7335ffc0f7911e7044aabe3ffc56753a9bee674eb8ec914eebc3bc9e46fa
Elasticsearch versions 1.3.0 through 1.3.7 and 1.4.0 through 1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerabilities allow an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
66145cb4fc4b97a9b78472aa53007c7b5848d4c52871e4d2f47327bd5f50ccae