h00die
42 lines
1.3 KiB
Markdown
42 lines
1.3 KiB
Markdown
## Vulnerable Application
|
|
|
|
Version scanner for the Apache RocketMQ product.
|
|
|
|
### Setup
|
|
|
|
Instructions taken from https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT
|
|
|
|
```
|
|
docker pull apache/rocketmq:4.9.4
|
|
# Start nameserver
|
|
docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.4 sh mqnamesrv
|
|
# Start Broker
|
|
docker run -d --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -p 10909:10909 -p 10911:10911 -p 10912:10912 apache/rocketmq:4.9.4 sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
|
|
```
|
|
|
|
## Verification Steps
|
|
|
|
1. Install the application
|
|
1. Start msfconsole
|
|
1. Do: `use auxiliary/scanner/misc/rocketmq_version`
|
|
1. Do: `set rhosts [ips]`
|
|
1. Do: `run`
|
|
1. You should get the version number from rocketmq
|
|
|
|
## Options
|
|
|
|
## Scenarios
|
|
|
|
### 4.9.4 on Docker from above instructions
|
|
|
|
```
|
|
msf6 > use auxiliary/scanner/misc/rocketmq_version
|
|
msf6 auxiliary(scanner/misc/rocketmq_version) > set rhosts 127.0.0.1
|
|
rhosts => 127.0.0.1
|
|
msf6 auxiliary(scanner/misc/rocketmq_version) > run
|
|
|
|
[+] 127.0.0.1:9876 - RocketMQ version V4.9.4 found with brokers: [{"brokerAddrs"=>{"0"=>"172.17.0.4:10911"}, "brokerName"=>"broker-a", "cluster"=>"DefaultCluster"}]
|
|
[*] 127.0.0.1:9876 - Scanned 1 of 1 hosts (100% complete)
|
|
[*] Auxiliary module execution completed
|
|
```
|