From d2c19efeac1823d1ef616638195600218eb810ea Mon Sep 17 00:00:00 2001
From: Metasploit <metasploit@rapid7.com>
Date: Wed, 13 Mar 2024 19:28:29 -0500
Subject: [PATCH] automatic module_metadata_base.json update

---
 db/modules_metadata_base.json | 64 +++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index 513a484938..1fdaa02de3 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -101168,6 +101168,70 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/jetbrains_teamcity_rce_cve_2024_27198": {
+    "name": "JetBrains TeamCity Unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-04",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated\n          attacker can leverage this to access the REST API and create a new administrator access token. This token\n          can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve\n          unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist\n          so the exploit will instead create a new administrator account before uploading a plugin. Older version of\n          TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,\n          however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code\n          execution instead, as this is supported on all versions tested.",
+    "references": [
+      "CVE-2024-27198",
+      "URL-https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/",
+      "URL-https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/"
+    ],
+    "platform": "Java,Linux,Unix,Windows",
+    "arch": "java, cmd",
+    "rport": 8111,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java",
+      "Java Server Page",
+      "Windows Command",
+      "Linux Command",
+      "Unix Command"
+    ],
+    "mod_time": "2024-03-13 09:58:51 +0000",
+    "path": "/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2024_27198.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/jetbrains_teamcity_rce_cve_2024_27198",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/jira_hipchat_template": {
     "name": "Atlassian HipChat for Jira Plugin Velocity Template Injection",
     "fullname": "exploit/multi/http/jira_hipchat_template",