Added module to exploit ActiveMQ; CVE-2016-3088 #8519
Merged
+140
−0
Description
This module exploits a vulnerability in Apache ActiveMQ 5.x before 5.14.0 which allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. By default, a JSP web shell and Java Meterpreter payload are uploaded to the '/fileserver/' path of a vulnerable server, then moved via an HTTP MOVE request to either '/api/' or '/admin/'.
Vulnerable Application
Apache ActiveMQ is a popular open source message broker and integration patterns server which implements Java Message Service (JMS) 1.1.
Source and Installers
Testing with Docker
The easiest way to quickly spin up an ActiveMQ server to test with Metasploit is to install Docker, then pull and launch a vulnerable ActiveMQ image from the Docker Hub. For example:
Verification Steps
msfconsole
use exploit/multi/http/apache_activemq_upload_jsp
set rhost [IP]
run
Basic Options
AutoCleanup
Remove web shells from the target system after callback is received (Default: true)
BasicAuthUser
User-supplied username (Default: admin)
BasicAuthPass
User-supplied password associated with username (Default: admin)
JSP
Desired name to assign to the JSP web shell when it is uploaded to the target system. Do not include the .jsp extension (Default: randomly-generated string)
Advanced Options
UploadPath
Custom path into which web shells will be uploaded on the target system. If the user determines that a nonstandard directory is able to execute .jsp files, the user can specify this directory for exploitation (Default: attempt /api/; if that fails, attempt /admin/)
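A defender-side check for the request sequence this description names (PUT to /fileserver/, then MOVE, then a .jsp under /api/ or /admin/), as an added example that is not part of the pull request or the module. The log lines are constructed, and the function name, the common-log-format layout and the same-client correlation are assumptions; that format records only the request line, so the MOVE destination itself is not visible.

```python
import re

# Constructed sample lines in NCSA common log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jun/2017:10:01:02 +0000] "PUT /fileserver/kqzt.txt HTTP/1.1" 204 0
10.0.0.9 - - [12/Jun/2017:10:01:03 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
10.0.0.5 - admin [12/Jun/2017:10:01:04 +0000] "MOVE /fileserver/kqzt.txt HTTP/1.1" 204 0
10.0.0.5 - admin [12/Jun/2017:10:01:05 +0000] "GET /api/kqzt.jsp HTTP/1.1" 200 0
10.0.0.7 - - [12/Jun/2017:10:02:00 +0000] "PUT /fileserver/report.bin HTTP/1.1" 204 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
JSP_DIRS = ("/api/", "/admin/")  # destinations named in the module description


def find_put_move_chains(log_text):
    """Return (kind, client, path) findings for the PUT -> MOVE -> .jsp sequence."""
    uploaded = set()  # (client, path) pairs with a successful PUT under /fileserver/
    movers = set()    # clients that then issued MOVE on a path they uploaded
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # skip unparsable lines and failed requests
        ip, method, path = m["ip"], m["method"], m["path"].split("?", 1)[0]
        if method == "PUT" and path.startswith("/fileserver/"):
            uploaded.add((ip, path))
        elif method == "MOVE" and (ip, path) in uploaded:
            movers.add(ip)
            findings.append(("put_then_move", ip, path))
        elif ip in movers and path.endswith(".jsp") and path.startswith(JSP_DIRS):
            # Same-client correlation only; a request from another address is missed.
            findings.append(("jsp_after_move", ip, path))
    return findings


if __name__ == "__main__":
    for finding in find_put_move_chains(SAMPLE_LOG):
        print(*finding)
```

A lone PUT to /fileserver/ and ordinary console requests such as /admin/queues.jsp from other clients are not reported; only the chained sequence is.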