• Stars
    star
    243
  • Rank 166,489 (Top 4 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 6 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations

SplunkWhisperer2

Description

Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations. See https://clement.notin.org/blog/2019/02/25/Splunk-Universal-Forwarder-Hijacking-2-SplunkWhisperer2/ for more details.

Which one to use?

  • You have a local shell on a Windows computer running Splunk UF?
    • If .NET 4.5, or later, is available (or you don't know), use SharpSplunkWhisperer2
    • Otherwise, use PySplunkWhisperer2_local
  • You can contact remotely the Splunk UF API (HTTPS port 8089 by default) and you have the credentials (note: the default credentials are admin/changeme but they do not work remotely by default)?
    • Use PySplunkWhisperer2_remote

PySplunkWhisperer2 works fine on Linux targets too (adapt the payload file name and content accordingly).

Note also that SharpSplunkWhisperer2 relies on the Splunk SDK for C# library, whereas PySplunkWhisperer2 directly calls the Splunk REST API.

Credits

These tools are inspired by the original Splunk Whisperer by @airman604.

The main advantage of these versions is that the Deployment Server used by the UF is not changed. It only installs a new application (then removes it) so it is less intrusive and the code is simpler.

Disclaimer

Resources provided here are shared to demonstrate risk. These can be used only against systems you own or are authorized to test, these must not be used for illegal purposes. The author cannot be held responsible for any misuse or damage from any material provided here.