Merge pull request #249 from JD2344/jenkins_cli

Add jenkins_cli Exploit
2026-02-21 19:28:02 +00:00 · 2023-04-04 10:59:42 +01:00
parent 46a4af09f6 d2603d6ff7
commit 5941edfa89
9 changed files with 170 additions and 0 deletions
--- a/modules/vulnerabilities/unix/http/jenkins_cli/files/jenkins.war.partaa
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/files/jenkins.war.partaa
--- a/modules/vulnerabilities/unix/http/jenkins_cli/files/jenkins.war.partab
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/files/jenkins.war.partab
--- a/modules/vulnerabilities/unix/http/jenkins_cli/files/stretch.list
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/files/stretch.list
@@ -0,0 +1,2 @@
+deb http://deb.debian.org/debian/ stretch main
+deb-src http://deb.debian.org/debian stretch main
--- a/modules/vulnerabilities/unix/http/jenkins_cli/jenkins_cli.pp
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/jenkins_cli.pp
@@ -0,0 +1,4 @@
+contain jenkins_cli::install
+contain jenkins_cli::configure
+Class['jenkins_cli::install']
+-> Class['jenkins_cli::configure']
--- a/modules/vulnerabilities/unix/http/jenkins_cli/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/manifests/configure.pp
@@ -0,0 +1,29 @@
+# Class: jenkins_cli::configure
+# Configuration and extras for Jenkins cli
+#
+class jenkins_cli::configure {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
+  ::secgen_functions::leak_files { 'jenkins-flag-leak':
+    storage_directory => $user_home,
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => $user,
+    mode              => '0644',
+    leaked_from       => 'jenkins_cli',
+  }
+}
--- a/modules/vulnerabilities/unix/http/jenkins_cli/manifests/install.pp
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/manifests/install.pp
@@ -0,0 +1,49 @@
+# Class: jenkins_cli
+# Install process for Jenkins cli
+# https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/jenkins_cli_deserialization.md
+class jenkins_cli::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $port = $secgen_parameters['port'][0]
+
+  $modulename = 'jenkins_cli'
+  $releasename = 'jenkins.war'
+  $splits = ["${releasename}.partaa",
+  "${releasename}.partab"]
+
+  $splits.each |String $split| {
+    file { "/tmp/${split}":
+      ensure => file,
+      source => "puppet:///modules/${modulename}/${split}",
+    }
+  }
+
+  # This generates a repo file so we can get packages from debian stretch
+  file { '/etc/apt/sources.list.d/stretch.list':
+    ensure => file,
+    source => 'puppet:///modules/jenkins_cli/stretch.list'
+  }
+  -> exec { 'update-packages':
+    command => 'apt update'
+  }
+  -> package { 'install-jdk8':
+    ensure => installed,
+    name   => 'openjdk-8-jdk',
+  }
+
+  exec { 'rebuild-archive':
+    cwd     => '/tmp/',
+    command => "cat ${releasename}.parta* >/usr/local/bin/${releasename}",
+  }
+  -> file { '/etc/systemd/system/jenkins.service':
+    content => template("${modulename}/jenkins.service.erb"),
+    owner   => 'root',
+    mode    => '0755',
+  }
+  -> service { 'jenkins':
+    ensure => running,
+    enable => true,
+  }
+}
--- a/modules/vulnerabilities/unix/http/jenkins_cli/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/secgen_metadata.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>Jenkins CLI Deserialization - v2.56 and below</name>
+  <author>James Davis</author>
+  <module_license>MIT</module_license>
+  <description>An unauthenticated Java object deserialization vulnerability exists
+    in the CLI component for Jenkins versions `v2.56` and below.
+    The `readFrom` method within the `Command` class in the Jenkins
+    CLI remoting component deserializes objects received from clients without
+    first checking / sanitizing the data. Because of this, a malicious serialized
+    object contained within a serialized `SignedObject` can be sent to the Jenkins
+    endpoint to achieve code execution on the target.</description>
+
+  <type>http</type>
+  <type>bruteforceable</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+
+  <default_input into="port">
+    <generator module_path=".*/random_unregistered_port" />
+  </default_input>
+
+  <default_input into="strings_to_leak">
+    <generator type="flag_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <value>flag</value>
+  </default_input>
+
+  <default_input into="leaked_username">
+    <generator type="username_generator" />
+  </default_input>
+
+  <!--optional
+  vulnerability details-->
+  <cve>CVE-2017-1000353</cve>
+  <cvss_base_score>9.8</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb</reference>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/jenkins_cli_deserialization.md</reference>
+  <software_name>Jenkins</software_name>
+  <software_license>MIT</software_license>
+
+</vulnerability>
--- a/modules/vulnerabilities/unix/http/jenkins_cli/templates/jenkins.service.erb
+++ b/modules/vulnerabilities/unix/http/jenkins_cli/templates/jenkins.service.erb
@@ -0,0 +1,13 @@
+[Unit]
+Description=Jenkins Service
+After=network.target
+
+[Service]
+Type=simple
+User=<%= @leaked_username %>
+ExecStart=/bin/sh -c "java -Djenkins.install.runSetupWizard=false -jar /usr/local/bin/jenkins.war --httpPort=<% @port %>"
+Restart=on-abort
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
--- a/scenarios/examples/vulnerability_examples/jenkins_cli.xml
+++ b/scenarios/examples/vulnerability_examples/jenkins_cli.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>jenkins_cli</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/jenkins_cli" />
+
+        <network type="private_network" range="dhcp" />
+    </system>
+
+</scenario>