Share
## https://sploitus.com/exploit?id=40BCBE31-6F2A-52B1-A0F4-D78EF8FA011A
# CVE-2024-27198 โ€“ JetBrains TeamCity Authentication Bypass & RCE PoC

> **Author:** EynaExp
> **Scope:** Research / Defensive Validation / Authorized Testing Only

---

## Overview

This repository contains a **proof-of-concept mass scanner** targeting **JetBrains TeamCity** instances affected by **CVE-2024-27198**, an authentication bypass vulnerability that may lead to full administrative compromise and remote code execution (RCE).

The tool is designed to **detect vulnerable TeamCity servers**, validate administrative access, and optionally **verify remote command execution (RCE)** using multiple techniques depending on server version and configuration.

It supports **multi-threaded scanning**, optional **proxying**, and **structured output logging**.

---

## Features

* Detects TeamCity instances and extracts version information
* Exploits authentication bypass to create an admin user
* Generates and retrieves API tokens automatically
* OS detection (Linux / Windows / macOS)
* Multiple RCE validation methods:

  * Debug process execution endpoint
  * Plugin upload & execution fallback
* Thread-safe logging and colored console output
* Optional HTTP/HTTPS proxy support
* Mass scanning via target list

---

## Dorks

### Fofa
```app="JET_BRAINS-TeamCity"```

### Shodan
```http.component:"teamcity"```


---

## Tested Against

* JetBrains TeamCity (on-prem)
* Versions vulnerable prior to official JetBrains patches

> โš ๏ธ Behavior and exploitability depend on **TeamCity version**, **hardening**, and **network exposure**.

---

## Requirements

* Python **3.8+**
* Network access to target instances

### Python Dependencies

```
requests
urllib3
faker
```

Install dependencies:

```
pip install -r requirements.txt
```

---

## Usage

```
python teamcity_scanner.py -l targets.txt -t 20 -o results.txt
```

### Arguments

| Flag            | Description                                                     |
| --------------- | --------------------------------------------------------------- |
| `-l, --list`    | File containing target URLs or IP:PORT entries                  |
| `-o, --output`  | File to store vulnerable results (optional)                     |
| `-t, --threads` | Number of concurrent threads (default: 10)                      |
| `--proxy`       | Proxy URL (e.g. [http://127.0.0.1:8080](http://127.0.0.1:8080)) |

---

## Output

Successful detections include:

* Target URL
* TeamCity version
* Generated admin credentials
* Exploitation method used
* `whoami` execution result (if RCE validated)

Example log entry:

```
Target: http://example.com
Version: 2023.05
User: x8k2m9qz
Pass: ********
Method: Debug Endpoint
Whoami: teamcity
--------------------------------------------------
```

---

## Exploitation Logic (High-Level)

> **Primary CVE:** CVE-2024-27198

1. Identify TeamCity endpoint
2. Attempt authentication bypass
3. Create admin-level user
4. Generate API token
5. Detect operating system
6. Validate execution via:

   * Debug execution endpoint
   * Plugin upload fallback

---

## Disclaimer

This project is provided **for educational and security research purposes only**.

* Do **NOT** scan or exploit systems without **explicit authorization**
* The author assumes **no responsibility** for misuse
* Usage against systems you do not own or have permission to test may be illegal

---

## Related Work

* ๐Ÿ”— **Other PoCs by EynaExp**
  [https://github.com/EynaExp](https://github.com/EynaExp)

* ๐Ÿ”— **Related Repository**
  [https://github.com/EynaExp/CVE-2025-55182-POC](https://github.com/EynaExp/CVE-2025-55182-POC)

---

## Credits

* JetBrains Security Team (Disclosure & Patching)
* Security researchers who analyzed TeamCity auth flows

---

## License

This project is released under the **MIT License**.

Use responsibly.