RocketMQ is a distributed messaging and streaming platform.
A critical remote code execution (RCE) vulnerability, CVE-2023-33246, was identified in Apache RocketMQ versions 5.1.0 and below. This vulnerability allows attackers to execute arbitrary commands as the system user running the application, posing a significant risk to affected systems. The exploit has been actively leveraged by threat actors, leading to the deployment of the DreamBus botnet.
This exploit script and PoC are written for an in-depth CVE analysis on vsociety.
Run the exploit:
python3 exploit.py 127.0.0.1 10911 <commands>
Run the scanner
usage: check.py [-h] [--ip IP] [--file FILE] [--port PORT] [--cidr CIDR]
Check CVE-2023-33246 RocketMQ RCE vulnerability
optional arguments:
-h, --help show this help message and exit
--ip IP A single IP address to check
--file FILE A file containing a list of IP addresses, one per line
--port PORT The port number to use when connecting to the server (default
is 9876)
--cidr CIDR A CIDR range to scan (e.g. 1.2.3.0/24)
Upgrade org.apache.rocketmq:rocketmq-broker to version 4.9.6, 5.1.1 or higher.