This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability.

Module Name

exploit/linux/misc/jenkins_java_deserialize

Authors

• Christopher Frohoff
• Steve Breen
• Dev Mohanty
• Louis Sato
• William Vu
• juan vazquez <juan.vazquez [at] metasploit.com>
• Wei Chen

References

• CVE-2015-8103
• URL: https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py
• URL: https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java
• URL: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
• URL: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Targets

• Jenkins 1.637

Platforms

• java

Architectures

• java

Reliability

• Excellent

Development

• Source Code
• History

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

Related Vulnerabilities

• Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
• Jenkins Advisory 2015-11-11: CVE-2015-8103: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting

Related Modules

• Jenkins-CI Unauthenticated Script-Console Scanner