Land rapid7#6947, add auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum

Author: wchen-r7

documentation/modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum.md

@@ -0,0 +1,29 @@
+Jenkins is an open source tool that provides continuous integration services for software
+development. This module will attempt to find Jenkins servers by performing a UDP
+broadcast.
+
+To use this module, you should be on the same network as the Jenkins server(s).
+
+
+## Verification Steps
+
+To test this module, you must make sure there is at least one Jenkins server on the same network.
+To download Jenkins, please follow this link:
+
+[https://jenkins.io/](https://jenkins.io/)
+
+
+## Options
+
+Unlike most Metasploit modules, jenkins_udp_broadcast_enum does not have any datastore options
+to configure. So all you have to do is load it, and run, like this:
+
+```
+msf auxiliary(jenkins_udp_broadcast_enum) > run
+
+[*] Sending Jenkins UDP Broadcast Probe ...
+[*] 192.168.1.96 - Found Jenkins Server 1.638 Version
+[*] Auxiliary module execution completed
+```
+Once you have found the Jenkins server, you should be able to browse to the web server.
+And by default, that port is 8080.

modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum.rb

@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'Jenkins Server Broadcast Enumeration',
+        'Description'    => %q(
+            This module sends out a udp broadcast packet querying for
+            any Jenkins servers on the local network.
+            Be advised that while this module does not identify the
+            port on which Jenkins is running, the default port for
+            Jenkins is 8080.
+        ),
+        'Author'         =>
+          [
+            'Adam Compton <[email protected]>',
+            'Matt Schmidt <[email protected]>'
+          ],
+        'References'     =>
+          [
+            [ 'URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Auto-discovering+Jenkins+on+the+network' ]
+          ],
+        'License'        => MSF_LICENSE
+      )
+    )
+    deregister_options('RHOST', 'RPORT')
+  end
+
+  def parse_reply(pkt)
+    # if empty packet, exit
+    return unless pkt[1]
+
+    # strip to just the IPv4 address
+    if pkt[1] =~ /^::ffff:/
+      pkt[1] = pkt[1].sub(/^::ffff:/, '')
+    end
+
+    # check for and extract the version string
+    ver = pkt[0].scan(/version>(.*)<\/version/i).flatten.first
+
+    # if a version was identified, then out and store to DB
+    if ver
+      print_status("#{pkt[1]} - Found Jenkins Server #{ver} Version")
+      report_host(
+        host: pkt[1],
+        info: "Jenkins v.#{ver} (port typically 8080)"
+      )
+    end
+  end
+
+  def run
+    print_status('Sending Jenkins UDP Broadcast Probe ...')
+
+    udp_sock = connect_udp
+
+    udp_sock.sendto('\n', '255.255.255.255', 33848, 0)
+
+    # loop a few times to account for multiple or slow responders
+    iter = 0
+    while (r = udp_sock.recvfrom(65535, 0.1)) && (iter < 20)
+      parse_reply(r)
+      iter += 1
+    end
+  end
+end