Skip to content

Malayke/CVE-2023-37582_EXPLOIT

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2023-37582_EXPLOIT

Apache RocketMQ Arbitrary File Write Vulnerability Exploit Demo

Overview

In fact, the Arbitrary file write vulnerability(CVE-2023-37582) in Apache RocketMQ has already been addressed in the CVE-2023-33246 RCE vulnerability. However, the fix provided for CVE-2023-33246 RCE is not comprehensive as it only resolves the impact on RocketMQ's broker. This vulnerability affects RocketMQ's nameserver, and exploiting it allows for arbitrary file write capabilities.

Setup local RocketMQ environment via Docker

# start name server
docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.6 sh mqnamesrv

# start broker
docker run -d --name rmqbroker \
  --link rmqnamesrv:namesrv \
  -e "NAMESRV_ADDR=namesrv:9876" \
  -p 10909:10909 \
  -p 10911:10911 \
  -p 10912:10912 \
  apache/rocketmq:4.9.6 sh mqbroker \
  -c /home/rocketmq/rocketmq-4.9.6/conf/broker.conf

Exploit

It is important to note that the exploit provided is for demonstration purposes only. The current exploit allows for the writing of a file to the nameserver's /tmp/pwned directory. Modifying the content of the body variable allows for the exploitation of this vulnerability by writing an OpenSSH private key or adding a cronjob. However, it is crucial to remember that such activities are unauthorized and can lead to serious security breaches. It is strongly advised to refrain from engaging in any malicious activities and to prioritize responsible and ethical cybersecurity practices.

usage: CVE-2023-37582.py [-h] [-ip IP] [-p P]

RocketMQ Exploit

optional arguments:
  -h, --help  show this help message and exit
  -ip IP      Nameserver address
  -p P        Nameserver listen port

References

RocketMQ commit: Fix incorrect naming

About

Apache RocketMQ Arbitrary File Write Vulnerability Exploit

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages