Share
## https://sploitus.com/exploit?id=40BCBE31-6F2A-52B1-A0F4-D78EF8FA011A
# CVE-2024-27198 โ JetBrains TeamCity Authentication Bypass & RCE PoC
> **Author:** EynaExp
> **Scope:** Research / Defensive Validation / Authorized Testing Only
---
## Overview
This repository contains a **proof-of-concept mass scanner** targeting **JetBrains TeamCity** instances affected by **CVE-2024-27198**, an authentication bypass vulnerability that may lead to full administrative compromise and remote code execution (RCE).
The tool is designed to **detect vulnerable TeamCity servers**, validate administrative access, and optionally **verify remote command execution (RCE)** using multiple techniques depending on server version and configuration.
It supports **multi-threaded scanning**, optional **proxying**, and **structured output logging**.
---
## Features
* Detects TeamCity instances and extracts version information
* Exploits authentication bypass to create an admin user
* Generates and retrieves API tokens automatically
* OS detection (Linux / Windows / macOS)
* Multiple RCE validation methods:
* Debug process execution endpoint
* Plugin upload & execution fallback
* Thread-safe logging and colored console output
* Optional HTTP/HTTPS proxy support
* Mass scanning via target list
---
## Dorks
### Fofa
```app="JET_BRAINS-TeamCity"```
### Shodan
```http.component:"teamcity"```
---
## Tested Against
* JetBrains TeamCity (on-prem)
* Versions vulnerable prior to official JetBrains patches
> โ ๏ธ Behavior and exploitability depend on **TeamCity version**, **hardening**, and **network exposure**.
---
## Requirements
* Python **3.8+**
* Network access to target instances
### Python Dependencies
```
requests
urllib3
faker
```
Install dependencies:
```
pip install -r requirements.txt
```
---
## Usage
```
python teamcity_scanner.py -l targets.txt -t 20 -o results.txt
```
### Arguments
| Flag | Description |
| --------------- | --------------------------------------------------------------- |
| `-l, --list` | File containing target URLs or IP:PORT entries |
| `-o, --output` | File to store vulnerable results (optional) |
| `-t, --threads` | Number of concurrent threads (default: 10) |
| `--proxy` | Proxy URL (e.g. [http://127.0.0.1:8080](http://127.0.0.1:8080)) |
---
## Output
Successful detections include:
* Target URL
* TeamCity version
* Generated admin credentials
* Exploitation method used
* `whoami` execution result (if RCE validated)
Example log entry:
```
Target: http://example.com
Version: 2023.05
User: x8k2m9qz
Pass: ********
Method: Debug Endpoint
Whoami: teamcity
--------------------------------------------------
```
---
## Exploitation Logic (High-Level)
> **Primary CVE:** CVE-2024-27198
1. Identify TeamCity endpoint
2. Attempt authentication bypass
3. Create admin-level user
4. Generate API token
5. Detect operating system
6. Validate execution via:
* Debug execution endpoint
* Plugin upload fallback
---
## Disclaimer
This project is provided **for educational and security research purposes only**.
* Do **NOT** scan or exploit systems without **explicit authorization**
* The author assumes **no responsibility** for misuse
* Usage against systems you do not own or have permission to test may be illegal
---
## Related Work
* ๐ **Other PoCs by EynaExp**
[https://github.com/EynaExp](https://github.com/EynaExp)
* ๐ **Related Repository**
[https://github.com/EynaExp/CVE-2025-55182-POC](https://github.com/EynaExp/CVE-2025-55182-POC)
---
## Credits
* JetBrains Security Team (Disclosure & Patching)
* Security researchers who analyzed TeamCity auth flows
---
## License
This project is released under the **MIT License**.
Use responsibly.