Tuesday, September 4, 2012

Manually Exploiting Tomcat Manager

By Tony Lee.

Apache Tomcat is a very popular open source implementation for handling JavaServer Pages. However, Apache Tomcat is often deployed with default or weak credentials protecting the web-accessible Tomcat Manager functionality. Tomcat Manager allows administrators (and attackers) to upload and publish Web application ARchive (WAR) files remotely.

A very common initial foothold for attackers is to take advantage of weak or default Tomcat Manager credentials and use them to remotely deploy and execute a payload to gain a backdoor to the host.

Vulnerability scanners will pick up this particular finding as:

McAfee Vulnerability Manager (MVM): Tomcat Manager Default Or Blank Login Password
Nessus: Apache Tomcat Manager Common Administrative Credentials
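
The same condition can be checked from the defender's side in conf/tomcat-users.xml before a scanner or an attacker finds it. The audit below is an added example, not part of the original post; the weak-password list, minimum length and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying a WAR through Tomcat Manager ("manager" on
# Tomcat 6, the split manager-gui / manager-script roles on Tomcat 7+).
DEPLOY_ROLES = {"manager", "manager-gui", "manager-script"}
# Constructed sample list; replace with your organisation's banned passwords.
WEAK_PASSWORDS = {"tomcat", "admin", "manager", "password", "changeit", "s3cret"}
MIN_LENGTH = 12  # assumed policy value

def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for deploy-capable accounts with weak passwords."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Newer files declare an XML namespace, so compare the local tag name only.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat accepts either username= or the older name= attribute.
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & DEPLOY_ROLES:
            continue  # account cannot deploy applications
        pw = el.get("password", "")
        if pw == "":
            reason = "blank password"
        elif pw.lower() == name.lower():
            reason = "password equals username"
        elif pw.lower() in WEAK_PASSWORDS:
            reason = "common default password"
        elif len(pw) < MIN_LENGTH:
            reason = "short password"
        else:
            continue
        findings.append((name, reason))
    return findings

# Constructed sample file, not taken from a real host.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <!-- <user username="old" password="old" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="" roles="manager-script,manager-status"/>
  <user username="ops" password="v9#Lq2!mZr7pXw4t" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}")
```

Commented-out entries are ignored because the XML parser drops comments, so only active accounts are reported.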

The Metasploit exploit (tomcat_mgr_deploy) is the de facto exploit for this vulnerability and is usually rock solid; however, I have seen a few occasions where it will fail with little-to-no explanation. Additionally, the host may have A/V or HIPS that catches the payload, and it may be necessary to upload a custom binary or extra special treat manually instead of using MSF to deploy it. The information below is just one possible manual workaround if you don’t have the time to troubleshoot the issue.

Assess the situation

In my scenario:
  • Windows 7 (32-bit) development box
  • Default Tomcat manager credentials running on port 8081
  • UAC enabled
  • Tried setting target 2 (for Windows) and we were getting a “500 Internal Server Error” with all payloads <- frustrating…. :|
  • Tried automatic target and java payloads—nothing worked!!

The steps and screenshots below illustrate how to deploy an alternative shell and provide a few ideas of what to do—note: these are only ideas; your plan of attack may be different depending on the circumstance.

Download and extract an alternative shell

Download the Laudanum files (which contain the cmd.war file) from here:
(props to Kevin Johnson, Tim Medin, and John Sawyer)

According to the SourceForge page:
“Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.”

Extract and understand the code

It is always a best practice to try to understand the code. Even if you are not familiar with the language, use Google and try to understand what the code is doing to the best of your abilities. It will help you learn how to effectively use the tool and may identify limitations or areas of concern.

Upload the cmd.war

Upload the cmd.war file to the remote server in the “WAR file to deploy” section shown in the screenshot below:

Utilize the JSP shell

Utilize the shell (found at /cmd/cmd.jsp) to run various situational awareness commands

Remember, many commands you are used to running are a function of the command shell and are not individual binaries—such as dir. In this case, execute them by first specifying “cmd.exe /c [whatever]” (as shown below).
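
From the defender's side, the upload and the first request to the new shell both leave entries in the Tomcat access log. The detection sketch below is an added example, not part of the original post; it assumes the AccessLogValve "common" pattern, a 30-minute correlation window, and a constructed sample log.

```python
import re
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Manager endpoints that accept a WAR: the HTML upload form and the text
# interface (/manager/text/deploy on Tomcat 7+, /manager/deploy on Tomcat 6).
DEPLOY = re.compile(r"^/manager/(html/upload|text/deploy|deploy)\b")
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per site

def find_suspicious_deploys(lines):
    """Return alerts for Manager deployments and first-seen contexts hit soon after."""
    seen, deploys, alerts = set(), [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected format
        ip, user, ts, method, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = uri.split("?", 1)[0]
        # First path segment, treated here as the web application context.
        context = "/" + path.lstrip("/").split("/", 1)[0]
        if status == "404":
            continue  # nothing is deployed at this path (yet)
        if method in ("POST", "PUT") and DEPLOY.match(path) and status[0] == "2":
            deploys.append(when)
            alerts.append(("deploy", ip, user, path))
        elif context not in seen and any(when - t <= WINDOW for t in deploys):
            # A context never requested before, appearing right after a deploy.
            alerts.append(("new-context", ip, user, path))
        seen.add(context)
    return alerts

# Constructed sample log (documentation-range addresses), not from a real host.
SAMPLE = """\
192.0.2.10 - - [04/Sep/2012:09:15:02 -0400] "GET /shop/index.jsp HTTP/1.1" 200 5120
198.51.100.7 - tomcat [04/Sep/2012:10:01:05 -0400] "GET /manager/html HTTP/1.1" 200 14210
198.51.100.7 - tomcat [04/Sep/2012:10:01:12 -0400] "POST /manager/html/upload HTTP/1.1" 200 14980
198.51.100.7 - - [04/Sep/2012:10:01:40 -0400] "GET /cmd/cmd.jsp HTTP/1.1" 200 512
192.0.2.10 - - [04/Sep/2012:10:02:00 -0400] "GET /shop/cart.jsp HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for alert in find_suspicious_deploys(SAMPLE):
        print(alert)
```

Feed it the access log in chronological order; a deployment from an address or account that does not normally administer the server is the line to investigate first.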

Get file transfer capabilities

Luckily the developer enabled the tftp client on this Windows 7 host. Wooot!

Upgrade your shell

We could not get a meterpreter shell to execute for some reason. I believe this had to do with UAC and the particular user’s permissions. So we settled for hex-edited netcat (which is a step up from the JSP shell).

Transfer an alternate backdoor to the remote host (this is a hex-edited version of netcat):

Start the listener and receive the callback (the first command starts a local listener; the second command is executed on the remote host after the callback succeeds):

Get creative

This pivot host can now be used to attack not only the host itself, but also others in the network. You are only limited by the privileges that you can gain and your own imagination. For example, you could upload gsecdump in order to dump hashes, fpipe to port-forward other protocols to bypass firewalls, or use Windows native commands in order to data-mine and propagate to other hosts. Not the sexiest hack, but it is quite effective.

This article and hack utilized and expanded on an idea from the following blog entry (props and thanks to the author):


Metasploit is a powerful framework that simplifies the attacks and adds fantastic functionality, but knowledge of the manual methods is a must—especially when your trusty tools fail and in-depth troubleshooting is not an option. This often comes up in our classes when students ask why we show multiple ways to accomplish a task... If you want to hack, you gotta learn how things really work and be able to bounce back if your tool fails.


  1. Very useful info once again by Mr. Lee! This technique will also work on the Apache Geronimo Console while the Metasploit tomcat_mgr_deploy module fails. Default creds on the Geronimo server are system/manager.

  2. When using the makewar.sh script, the cmd.jsp would not be found in:

    but rather here:

    In order to resolve this make the following changes to the script:

    jar -cvf cmd.war -C warfiles .