
Hack remote PC with Jenkins CLI RMI Java Deserialization exploit

Good evening friends. Welcome back to Hackercool. Today we will see how to hack a remote PC with the Jenkins CLI RMI Java Deserialization exploit. It exploits a vulnerability in Jenkins. If you don’t know what Jenkins is, it is “an award-winning, cross-platform, continuous integration and continuous delivery application that increases your productivity. You can use Jenkins to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. It also allows you to continuously deliver your software by providing powerful ways to define your build pipelines and integrating with a large number of testing and deployment technologies.” An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. The good thing is that authentication is not required to exploit this vulnerability. This exploit works on Jenkins version 1.637. Ufff, lot of theory, now let’s get into some real stuff.

Start Metasploit and load the exploit as shown below. Type the command “show options” to see which options are required. Set the target address as shown below.

[Image: jenkins1]

Type the command “show payloads” to see the available payloads for this exploit.

[Image: jenkins2]

Set any payload you want. I chose the payload highlighted above. Set the payload as shown below.

[Image: jenkins3]

Ok. Run the exploit as shown below. You should get access to the remote system’s shell.

[Image: jenkins4]

You can run any commands as shown below.

[Image: jenkins5]
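As a defender-side check added here (not part of the original post or of the Metasploit module): Jenkins reports its version in the X-Jenkins response header and, when the CLI is enabled, the CLI listener port in X-Jenkins-CLI-Port. The script below parses constructed HTTP responses and flags an instance that is at or below the 1.637 mentioned in the post and still advertises a CLI port. The 1.637 cut-off, the header names as the only fingerprint, and the sample responses are assumptions taken from the post, not from the Jenkins advisory.

```python
import re

# Cut-off taken from the post ("works on Jenkins 1.637"); assumption: treat that
# version and anything older as in scope. Check the Jenkins advisory for the
# authoritative affected range before acting on the result.
MAX_AFFECTED_VERSION = (1, 637)


def parse_http_headers(raw: str) -> dict:
    """Split a raw HTTP/1.x response into its headers; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_version(text: str) -> tuple:
    """'1.625.2' -> (1, 625, 2); tuple comparison orders LTS and weekly builds."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def assess_jenkins(raw_response: str) -> dict:
    """Report whether a response comes from Jenkins, which version, whether the
    CLI port is advertised, and whether both facts together mark it as exposed."""
    headers = parse_http_headers(raw_response)
    version = headers.get("x-jenkins")
    cli_port = headers.get("x-jenkins-cli-port") or headers.get("x-hudson-cli-port")
    exposed = bool(version and cli_port) and parse_version(version) <= MAX_AFFECTED_VERSION
    return {"is_jenkins": version is not None, "version": version,
            "cli_port": cli_port, "exposed": exposed}


# Constructed sample responses (not captured from a real server).
VULNERABLE_SAMPLE = ("HTTP/1.1 200 OK\r\nX-Jenkins: 1.637\r\nX-Jenkins-Session: 1a2b3c4d\r\n"
                     "X-Jenkins-CLI-Port: 45311\r\nContent-Type: text/html\r\n\r\n<html></html>")
NEWER_SAMPLE = ("HTTP/1.1 200 OK\r\nX-Jenkins: 2.7\r\nX-Jenkins-CLI-Port: 45311\r\n"
                "Content-Type: text/html\r\n\r\n<html></html>")
CLI_OFF_SAMPLE = "HTTP/1.1 200 OK\r\nX-Jenkins: 1.637\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE_SAMPLE), ("newer", NEWER_SAMPLE),
                         ("cli off", CLI_OFF_SAMPLE)]:
        print(name, assess_jenkins(sample))
```

Run it against the headers of your own Jenkins instances; an instance with the CLI port advertised but a version above the cut-off still deserves a look at whether the CLI needs to be reachable at all.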

6 thoughts on “Hack remote PC with Jenkins CLI RMI Java Deserialization exploit”

  1. And to keep the backdoor persistent after the system starts up?

    1. Desco, I really didn’t get your language.

  2. Hey there,

    I’m pretty new to deserialization exploits. I’m trying to use this on random sites but I get “exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (URL/IP goes here)”.

    Is this what happens when a site isn’t vulnerable? Or am I doing something wrong?

    Here is a screenshot of the result: http://imgur.com/UD6IpFF

    Any help you could provide would be super appreciated!

    1. Your screenshot is not there. Sorry for the late reply. But the error definitely means a firewall is blocking it or you are targeting the wrong port.

  3. Good One Bro 🙂
    I have read both your magazines, the October and November editions. You explain very well. My question is about real-world penetration testing: in case we use Kali Linux from our virtual environment, that is Oracle VM or VMware or whatever, and mostly we use a NAT or bridged connection, if we use a VPN or any proxy chain, in that case which IP do we use to connect back to us?
    The Kali VM IP or our public IP?
    Suppose!
    I am going to hack a website which has an SQL injection vuln. Before that I will use anonymity like a VPN or proxy chains. In that case, if we grab data from the server, or any communication back to the server, or anything else where we have to use our IP, which IP do we have to use, how does the system acknowledge that and respond back, and how can we be sure that we are anonymous??

    Sorry for my bad English.
    Waiting for your kind response 🙁

    1. Hey Real Stone. Thanks for reading my magazines. Your question has been answered in the December issue of the magazine. It’s free of charge to download.
