SplunkWhisperer2

Author: cnotin (MIT License)

Description

Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations. See https://clement.notin.org/blog/2019/02/25/Splunk-Universal-Forwarder-Hijacking-2-SplunkWhisperer2/ for more details.

Which one to use?

  • You have a local shell on a Windows computer running Splunk UF?
    • If .NET 4.5 or later is available (or you don't know), use SharpSplunkWhisperer2.
    • Otherwise, use PySplunkWhisperer2_local.
  • You can reach the Splunk UF management API remotely (HTTPS, port 8089 by default) and you have the credentials? (Note: the default credentials are admin/changeme, but they are refused for remote logins by default, because server.conf ships with allowRemoteLogin = requireSetPassword.)
    • Use PySplunkWhisperer2_remote.

PySplunkWhisperer2 works fine on Linux targets too (adapt the payload file name and content accordingly).

Note also that SharpSplunkWhisperer2 relies on the Splunk SDK for C# library, whereas PySplunkWhisperer2 directly calls the Splunk REST API.

Credits

These tools are inspired by the original Splunk Whisperer by @airman604.

The main advantage of these versions is that the Deployment Server configured on the UF is not changed: they only install a new application (and then remove it), so they are less intrusive and the code is simpler.

Disclaimer

Resources provided here are shared to demonstrate risk. These can be used only against systems you own or are authorized to test, these must not be used for illegal purposes. The author cannot be held responsible for any misuse or damage from any material provided here.
