CVE-2018-1000861

Simple script to exploit CVE-2018-1000861, written in Python 3

Usage:

usage: exploit.py [-h] -u URL [-c CMD] [-r] [-i IP] [-p PORT] [-v]

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target Jenkins server
  -c CMD, --cmd CMD     Command to execute
  -r, --revshell        Execute reverse shell
  -i IP, --ip IP        IP address for reverse shell callback
  -p PORT, --port PORT  Port for reverse shell callback
  -v, --verbose         Verbose output

Ex:

python exploit.py -u http://192.168.1.20 -c 'ping 192.168.1.10'

Notes:

• This tool does not attempt to verify the target is vulnerable. All it does is shove a shell command into a Java class.
• Shell commands executed will not return output. You'll need to either have method of verifying the command execute (ie ping + tcpdump) or use a reverse shell
• This vulnerability affects both Linux and Windows installs of Jenkins where the . You should attempt to verify target OS prior to executing this (such as through ICMP TTL or available services)
• The script should work for both Linux and Windows
• reverse shell module (-r, -i, p options) aren't implemented
• Use responsibly

TODO:

• Platform specific reverse shell modules
• Vuln identification
• Verbosity with vuln identification

Refs:

• Credit to Orange Tsai
• https://github.com/orangetw/awesome-jenkins-rce-2019
• https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
• https://twitter.com/orange_8361/status/1075492505657925632