Fix Jenkins Login For Newer Versions #17013
Conversation
This retains backwards compatibility
After spinning up Before:
After:
Logging in manually works: For the browser it looks like it's posting directly into With http trace:
From a quick glance - it looks like the status check might be wrong, and the javascript redirect isn't being followed? Let me know if it's just pebkac though 🤔
Ah, the verification steps were missing the Also required changing the payload manually, works for me now 🎉
@@ -40,7 +40,7 @@ def initialize(info = {}) | |||
'CmdStagerFlavor' => [ 'certutil', 'vbs' ] | |||
} | |||
], | |||
['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }], | |||
['Linux', { 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'linux' }], |
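Review bot: putting ARCH_X64 first in the Linux target's Arch list changes which payload Metasploit's default payload selection prefers for that target (from an x86 to an x64 Linux payload), and the thread notes that a payload is not always re-chosen when the target is switched. The module documentation should state that a user selecting the Linux target must set PAYLOAD to a Linux payload of the matching architecture explicitly, since the module's default payload is a Windows one.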
Just a confirmation question - when the user sets the target to linux, are they expected to manually change the payload too? 👀 By default it's a windows payload
Yeah but I think if the payload is left unset, the default payload selection logic will kick in and pick one automagically. Would the alternative be to hard code a default here?
For me a payload isn't re-chosen; potentially due to #13566
Yeah I forgot to mention that the default
Happy to leave it as-is; it's not a blocker for me, but maybe we could detect the scenario when the jenkins server returns those types of responses that the TARGETURI might be wrong and have that within the error message that bubbles up to the user? 🤔 That seems (naively) relatively low effort for a good UX improvement
@@ -187,9 +161,19 @@ def exploit | |||
end | |||
else | |||
print_status('Logging in...') | |||
# get that first cookie that's needed by newer versions | |||
res = send_request_cgi({ 'uri' => normalize_uri(@uri.path, 'login'), 'keep_cookies' => true }) | |||
fail_with(Failure::UnexpectedReply, 'Unexpected reply from server') unless res&.code == 200 |
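Review bot: the fail_with on the last line of this hunk drops the information a user needs to diagnose the failure, which the thread identifies as the common case of TARGETURI still pointing at the default /jenkins while the instance is served from /. Suggest including the status code and the requested path in the message, e.g. fail_with(Failure::UnexpectedReply, "Unexpected reply from server (HTTP #{res&.code || 'no response'}) for #{normalize_uri(@uri.path, 'login')}; check TARGETURI"), so that a 404 or a redirect is visible in the error that bubbles up. A nil res (no connection) is also classified as UnexpectedReply here; Failure::Unreachable is the more accurate failure reason for that case.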
Just looping in the suggestion that we could do error detection here when the user has pointed the module to a jenkins instance running on / and hasn't updated the TARGETURI value from the default /jenkins to /
Release Notes
This PR enhances
Fixes #16945. Jenkins v2.246 (pushed to docker July 21st 2020) changed how the login works. This PR updates the exploit module to handle this, effectively allowing the module to target Jenkins version 2.246 and later.
Also dropped the custom linux stager in favor of the standard CmdStager library. This wasn't done originally because it wasn't available yet, see my original comment on the matter here #1338 (comment). At the time the command stagers were mixins and hadn't been unified yet until #2484.
Verification
List the steps needed to make sure this thing works
- docker run -p 8080:8080 jenkins/jenkins:2.346.3
- msfconsole
- use exploit/multi/http/jenkins_script_console
- Set the RPORT, TARGET, PAYLOAD and PASSWORD options (the password is in the docker output)
Tested successfully on the following Jenkins versions (while trying to make sure there wasn't an intermediate version)