漏洞平台

POC详情： ce66996a028bd0ebbca839097717f5513f381584

来源

https://github.com/t0kx/exploit-CVE-2015-1427

关联漏洞

标题： Elasticsearch Groovy Scripting Engine Sandbox 安全绕过漏洞 (CVE-2015-1427)
描述：Elasticsearch是荷兰Elasticsearch公司的一套基于Lucene构建的开源分布式RESTful搜索引擎，它主要用于云计算中，并支持通过HTTP使用JSON进行数据索引。 Elasticsearch 1.37及之前版本和1.4.3之前1.4.x版本的Groovy脚本引擎中存在安全漏洞。远程攻击者可借助特制的脚本利用该漏洞绕过沙箱保护机制，执行任意shell命令。

描述

Elasticsearch 1.4.0 < 1.4.2 Remote Code Execution exploit and vulnerable container

介绍

# Elasticsearch 1.4.0 &lt; 1.4.2 Remote Code Execution

Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.

## Vulnerable environment

To setup a vulnerable environment for your test you will need [Docker](https://docker.com) installed, and just run the following command:

    docker build -t vuln/cve-2015-1427 .
    docker run --rm -it -p 9200:9200 vuln/cve-2015-1427

And it will spawn a vulnerable web application on your host on `9200` port

## Vulnerable code

The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using `java.lang.Math.class.forName` to reference arbitrary classes. It can be used to execute arbitrary Java code. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using `java.lang.Math.class.forName` to reference arbitrary classes. It can be used to execute arbitrary Java code.

## Exploit

To exploit this target just run:

    ./exploit.sh host:port

If you are using this vulnerable image, you can just run:

    ./exploit.sh 127.0.0.1:9200
    [+] CVE-2015-1427 exploit by t0kx
    [+] Exploiting 127.0.0.1:9200
    [+] Trigger Payload...
    [+] Running whoami: root
    [+] Done

## Credits

This flaw was found by the Cisco Systems Information Security Team and Cameron Morris.

## Disclaimer

This or previous program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (t0kx) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not t0kx's responsibility.

文件快照


 [4.0K]  /data/pocs/ce66996a028bd0ebbca839097717f5513f381584
├── [ 568]  Dockerfile
├── [ 761]  exploit.sh
├── [ 34K]  LICENSE
├── [ 262]  main.sh
└── [2.2K]  README.md

0 directories, 5 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。