
Add Windows support to Atlassian Confluence CVE-2021-26084 exploit #15769

Merged: 3 commits, Oct 18, 2021

Conversation

@wvu wvu commented Oct 14, 2021

To-do

  • Add automatic fingerprinting/targeting of platform
    • java.lang.System.getProperty("os.name") via OGNL sandbox escape
msf6 exploit(multi/http/atlassian_confluence_webwork_ognl_injection) > info

       Name: Atlassian Confluence WebWork OGNL Injection
     Module: exploit/multi/http/atlassian_confluence_webwork_ognl_injection
   Platform: Unix, Linux, Windows
       Arch: cmd, x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2021-08-25

Provided by:
  Benny Jacob
  Jang
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Unix Command
  1   Linux Dropper
  2   Windows Command
  3   Windows Dropper
  4   PowerShell Stager

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT      8090             yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT    8080             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an OGNL injection in Atlassian Confluence's
  WebWork component to execute commands as the Tomcat user.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-26084
  https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
  https://jira.atlassian.com/browse/CONFSERVER-67940
  https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis
  https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
  https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455
  https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6

msf6 exploit(multi/http/atlassian_confluence_webwork_ognl_injection) >

Updates #15645. Fixes #15051.

@wvu wvu marked this pull request as draft October 15, 2021 05:12
@wvu wvu marked this pull request as ready for review October 18, 2021 14:23
@wvu wvu self-assigned this Oct 18, 2021
@wvu wvu merged commit 53fba0b into rapid7:master Oct 18, 2021
@wvu wvu deleted the feature/confluence branch October 18, 2021 14:36
wvu commented Oct 18, 2021

Release Notes

Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.

@@ -118,7 +118,7 @@ def bootstrap(datastore = {}, handler = nil)
end

token = Rex::Text.rand_text_alphanumeric(8..24)
response = shell_command("echo #{token}", 3)
response = shell_command("echo #{token}")
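Review bot: the second argument `3` to `shell_command` is dropped in the `response = shell_command("echo #{token}")` line with no explanation in the PR body or the release note; whatever that parameter controlled (a bare integer in that position usually means a retry or attempt count, but the method definition is not in this hunk), the Windows targets added here now rely on `shell_command`'s default for it, so a short comment above the call, or a line in the commit message, should state why the explicit value is no longer needed and that the echo-token check was re-run against both the Unix and the Windows targets.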
@dwelch-r7 dwelch-r7 added the rn-enhancement release notes enhancement label Oct 22, 2021