![]() ![]() But, as it turns out that one does a ton of stuff we don’t need! The next approach was to take an existing JSP module, adobe_robohelper_authbypass, and go from there. ![]() So, now to build a metasploit module and take advantage of some of the more useful payloads the framework has to offer.īeing a Tomcat vulnerability, we decided to start with an existing Tomcat module, exploit/multi/http/tomcat_mgr_upload and tweak it to our needs. #Apache tomcat 7.0.88 exploit codeYep! Our proof of concept code and test environment both look to be in order. Are we actually working with a legitimate set-up?Ī 201 Response from our POC request to /1.jsp/ results in the jsp code executing server side, outputting “hello” to the browser. Our next step was to take the POC and test it out on our environment. Our setup is as follows: Windows Server 212 R2 (Amazon AMI), Apache Tomcat 7.0.81, “readonly” initialization variable set to “false”. This was fairly straightforward to set up and a quick trip to the Apache Tomcat archives armed us with a vulnerable version (7.0.81). We first needed a vulnerable version of Tomcat running on a Windows server to test the POC. Since this exploit is fairly straightforward and can give us remote code execution on our engagements, we decided to test it out, then weaponize it in the form of a Metasploit module □ This vulnerability allows an attacker to gain potentially privileged remote code execution on the system. A recent example of this is CVE-2017-12617, in which servers with PUTs enabled are subject to arbitrary JSP file uploads via specially crafted requests. On top of these issues, Apache Tomcat is often running as a System service, elevating its allure even further.ĭespite this scrutiny by security professionals, we continue to see more vulnerabilities discovered. With ample opportunities to exploit security misconfigurations in the management GUI (tomcat:tomcat….) or technical vulnerabilities, it’s no wonder attackers continue to pay attention to the platform. Tomcat has been a staple target for penetration testers and malicious actors for years. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |