Apache RocketMQ & ActiveMQ fixes #19141
I went and tested this against an HTTPS server again, and the #timed_read method returns nil when it times out so I made some suggestions to accommodate that.
modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb
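The nil-on-timeout handling described in the review comment above, as an added example that is not code from this PR or from Metasploit. The `timed_read` here is a hypothetical stand-in built on `IO.select`, and the 4-byte length-prefixed banner format, the `read_banner` and `banner_from_peer` names, and the sample peers are constructed for illustration.

```ruby
require 'socket'

# Hypothetical stand-in for a socket read with a deadline (not Rex's code):
# returns nil when nothing arrives within +timeout+ seconds or the peer closes.
def timed_read(io, length, timeout)
  return nil unless IO.select([io], nil, nil, timeout)

  io.readpartial(length)
rescue EOFError
  nil
end

# Reads one frame in an assumed format: 4-byte big-endian length, then body.
# Every read result is checked for nil before it is unpacked or compared,
# so a silent or unexpected service yields nil instead of an exception.
def read_banner(io, timeout: 0.2, max_size: 4096)
  header = timed_read(io, 4, timeout)
  return nil if header.nil? || header.bytesize < 4

  size = header.unpack1('N')
  return nil if size.zero? || size > max_size

  body = timed_read(io, size, timeout)
  return nil if body.nil? || body.bytesize < size

  body
end

# Constructed peer: writes +bytes+ (possibly none) and then stays silent.
def banner_from_peer(bytes)
  client, server = UNIXSocket.pair
  server.write(bytes) unless bytes.empty?
  read_banner(client)
ensure
  client&.close
  server&.close
end

if $PROGRAM_NAME == __FILE__
  p banner_from_peer('')                              # silent peer
  p banner_from_peer([5].pack('N') + 'hello')         # expected service
  p banner_from_peer("HTTP/1.1 400 Bad Request\r\n")  # wrong service
end
```

A caller that receives nil from `read_banner` can report that the version could not be determined rather than raising on a nil read.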
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
58206df to 6055d8a
Thanks @jheysel-r7, I just ran through the tests and things are looking much better now. I confirmed that apache_rocketmq_update_config is still executing its payload and its check method is much faster now when targeting an HTTPS server:
metasploit-framework (S:0 J:0) exploit(multi/http/apache_rocketmq_update_config) > check
[*] 18.220.174.0:9876 - The target appears to be vulnerable. RocketMQ version: 4.9.4
metasploit-framework (S:0 J:0) exploit(multi/http/apache_rocketmq_update_config) > check https://zerosteiner.com
[*] 192.168.249.3:443 - Cannot reliably check exploitability. Unable to determine the version
auxiliary/scanner/misc/rocketmq_version is also still working and much faster when targeting an invalid server.
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > set RHOSTS 18.220.174.0
RHOSTS => 18.220.174.0
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > run
[+] 18.220.174.0:9876 - RocketMQ version V4.9.4 found with brokers: [{"brokerAddrs"=>{"0"=>"172.17.0.3:10911"}, "brokerName"=>"broker-a", "cluster"=>"DefaultCluster"}]
[*] 18.220.174.0:9876 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) > run https://zerosteiner.com
[-] 192.168.249.3:443 - Invalid or no response received
[*] https://zerosteiner.com:9876 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/misc/rocketmq_version) >
Finally, exploit/multi/misc/apache_activemq_rce_cve_2023_46604 is much faster when targeting an HTTPS server.
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > time check https://zerosteiner.com
[*] 192.168.249.3:443 - Cannot reliably check exploitability.
[+] Command "check https://zerosteiner.com" completed in 10.14058061500009 seconds
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) >
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > check
[*] 18.220.174.0:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.18.2
metasploit-framework (S:0 J:0) exploit(multi/misc/apache_activemq_rce_cve_2023_46604) >
Release Notes
This fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.
Fixes a timeout issue that was being seen when running the following modules:
Once this PR is landed we should be able to close #19037 & #19038
Verification
RocketMQ
use exploit/multi/http/apache_rocketmq_update_config.
RHOST and LHOST options.
ActiveMQ
Steps (Linux target):
use exploit/multi/misc/apache_activemq_rce_cve_2023_46604
set RHOST <LINUX_TARGET_IP>
set SRVHOST eth0
set target 1
set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
check
exploit
Ensure neither module hangs, times out or errors in any unexpected way (they shouldn't).
Testing
RocketMQ
ActiveMQ