2016-06-07 20:57:06 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2016-06-09 16:04:50 +00:00
|
|
|
|
2016-06-07 20:57:06 +00:00
|
|
|
include Msf::Exploit::Remote::Udp
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(
|
|
|
|
update_info(
|
|
|
|
info,
|
|
|
|
'Name' => 'Jenkins Server Broadcast Enumeration',
|
|
|
|
'Description' => %q(
|
|
|
|
This module sends out a udp broadcast packet querying for
|
|
|
|
any Jenkins servers on the local network.
|
|
|
|
Be advised that while this module does not identify the
|
|
|
|
port on which Jenkins is running, the default port for
|
|
|
|
Jenkins is 8080.
|
|
|
|
),
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Adam Compton <adam_compton@rapid7.com>',
|
|
|
|
'Matt Schmidt <matt_schmidt@rapid7.com>'
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Auto-discovering+Jenkins+on+the+network' ]
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
)
|
|
|
|
deregister_options('RHOST', 'RPORT')
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_reply(pkt)
|
|
|
|
# if empty packet, exit
|
2016-06-08 13:28:08 +00:00
|
|
|
return unless pkt[1]
|
2016-06-07 20:57:06 +00:00
|
|
|
|
|
|
|
# strip to just the IPv4 address
|
|
|
|
if pkt[1] =~ /^::ffff:/
|
|
|
|
pkt[1] = pkt[1].sub(/^::ffff:/, '')
|
|
|
|
end
|
|
|
|
|
|
|
|
# check for and extract the version string
|
2016-06-09 16:07:00 +00:00
|
|
|
ver = pkt[0].scan(/version>(.*)<\/version/i).flatten.first
|
2016-06-07 20:57:06 +00:00
|
|
|
|
|
|
|
# if a version was identified, then out and store to DB
|
|
|
|
if ver
|
2016-06-08 13:28:08 +00:00
|
|
|
print_status("#{pkt[1]} - Found Jenkins Server #{ver} Version")
|
2016-06-07 20:57:06 +00:00
|
|
|
report_host(
|
2016-06-09 16:07:00 +00:00
|
|
|
host: pkt[1],
|
|
|
|
info: "Jenkins v.#{ver} (port typically 8080)"
|
2016-06-07 20:57:06 +00:00
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
print_status('Sending Jenkins UDP Broadcast Probe ...')
|
|
|
|
|
2016-06-09 16:04:50 +00:00
|
|
|
udp_sock = connect_udp
|
2016-06-07 20:57:06 +00:00
|
|
|
|
|
|
|
udp_sock.sendto('\n', '255.255.255.255', 33848, 0)
|
|
|
|
|
2016-06-08 13:28:08 +00:00
|
|
|
# loop a few times to account for multiple or slow responders
|
2016-06-07 20:57:06 +00:00
|
|
|
iter = 0
|
2016-06-08 13:28:08 +00:00
|
|
|
while (r = udp_sock.recvfrom(65535, 0.1)) && (iter < 20)
|
2016-06-07 20:57:06 +00:00
|
|
|
parse_reply(r)
|
|
|
|
iter += 1
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|