Share
## https://sploitus.com/exploit?id=8E9BA6CE-02CE-596F-852E-C12EFE1D7A98
# MSMQ Vulnerability Proof of Concept

This repository contains a ready to run proof of concept that targets Microsoft Message Queuing listening on TCP port 1801. This work is based on and uses materials from the original project at  
https://github.com/leongxudong/MSMQ-Vulnerability

This repository uses the binary artifacts provided by that project. The binary files included and referenced by the PoC are
1. `establish_connection.bin`
2. `connection_parameters.bin`
3. `user_message.bin`

# Description

This PoC attempts to reproduce the condition described in CVE 2023 21554 by sending a sequence of MSMQ protocol frames to a target host on port 1801. The PoC scripts only perform network level activity and do not perform any post exploitation actions. This project is intended for analysis and defensive verification in an isolated lab environment only.

# Files included

1. `poc.py` Original PoC script that sends the three binary blobs in sequence  
2. `CVE-2023-21554.py` Attacker side helper script that logs responses, hexdumps, timestamps and socket level errors. Use this script to obtain more useful attacker side evidence  
3. `establish_connection.bin` Binary stage one payload from the original repository  
4. `connection_parameters.bin` Binary stage two payload from the original repository  
5. `user_message.bin` Binary stage three payload from the original repository  
6. `README.md` This file

# Prerequisites

1. Python 3 installed on your attacker host  
2. Network access to the target host port 1801 and explicit permission to test that host  
3. A snapshot of the target virtual machine so you can revert changes after testing  
4. Tools to capture evidence for verification for example Wireshark or tcpdump and Sysinternals procdump for Windows

# How to run the PoC in a lab environment

1. Place the three binary files in the same folder as the PoC script  
2. Edit the PoC script to set the target IP address  
3. Start a network capture on your attacker machine for the target IP and port Example command in a separate shell  
   ```bash
   sudo tcpdump -i eth0 host 10.0.2.15 and port 1801 -w msmq_test.pcap
   ```
4. Run the enhanced check script to get timestamped logs and hexdumps  
   ```bash
   python3 CVE-2023-21554.py
   ```
5. Save the PoC output and the network capture file for analysis

# How to tell if the PoC worked

1. Attacker side indicators  
   1. The PoC shows a connection reset exception or the `CVE-2023-21554.py` reports `connection_reset` or `orderly_close` immediately after a payload stage  
   2. The PoC receives a non trivial reply from the target that you can hexdump and compare to a patched host  
   3. The network capture shows a TCP reset or other abnormal termination immediately after the exploit packets

2. Target side indicators  
   1. The Message Queuing service process `mqsvc.exe` crashes or restarts at the time of the test  
   2. Windows Event Viewer contains Application or System events referencing an access violation or a faulting application name `mqsvc.exe`  
   3. A procdump captured at the time of the test shows an exception in the `mqsvc` process

# Evidence collection checklist

1. Save the full stdout log from `CVE-2023-21554.py` to a text file  
2. Save the network capture file for example `msmq_test.pcap`  
3. Export Application and System events from Event Viewer that correspond to the test time  
4. If available capture a crash dump of `mqsvc.exe` using procdump and save it for analysis

# Safety and legal notice

This code may cause service crashes and instability on target hosts. Do not run it against systems you do not own or do not have explicit permission to test. Always test in an isolated lab environment and take a VM snapshot before running tests. The original work is credited to the upstream project at  
https://github.com/leongxudong/MSMQ-Vulnerability

# Attribution

This repository is derived from the original project at  
https://github.com/leongxudong/MSMQ-Vulnerability