Fix edge case for java payloads when Spawn is set to 0, all access to…

… the plugin will block. We can still get a session if we fall through here. We cant delete the plugin as access will block because we did not spawn.
rapid7 · Mar 8, 2024 · 0513654 · 0513654
1 parent ab0327f
commit 0513654
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2024_27198.rb b/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2024_27198.rb
@@ -405,7 +405,14 @@ def exploit
       )
 
       unless res&.code == 200
-        fail_with(Failure::UnexpectedReply, 'Failed to load the plugin.')
+        # If we configure a Java payload to not Spawn (i.e. Spawn == 0), the call to load the plugin will block,
+        # and we get nil as the response due to timeout. We still get a session, so just print a warning and let
+        # the exploit complete, but we wont be able to delete the plugin (as all access to the plugin will block).
+        if res.nil? && (target['Arch'] == ARCH_JAVA) && (target['Platform'] == 'java') && (datastore['Spawn'] == 0)
+          print_warning('Spawn was 0, accessing the plugin will block and timeout.')
+        else
+          fail_with(Failure::UnexpectedReply, 'Failed to load the plugin.')
+        end
       end
 
       # As we have uploaded the plugin, this begin block ensure we delete the plugin when we are done.