POC details: ef31d7d1d1949c3c5c493519d91fc3959495c98e

Source
Related vulnerability
Title: Apache RocketMQ code injection vulnerability (CVE-2023-37582)
Description: Apache RocketMQ is a lightweight data-processing platform and messaging engine from the Apache Foundation (USA). Apache RocketMQ has a code injection vulnerability: when the NameServer address is exposed on the public network and lacks permission verification, the NameServer component still contains a remote command execution vulnerability.
Description
Apache RocketMQ Arbitrary File Write Vulnerability Exploit
Introduction
# CVE-2023-37582_EXPLOIT
Apache RocketMQ Arbitrary File Write Vulnerability Exploit Demo

# Overview
The arbitrary file write vulnerability (CVE-2023-37582) in Apache RocketMQ is in fact the same issue that the fix for the CVE-2023-33246 RCE vulnerability was meant to address.
However, the fix provided for [CVE-2023-33246](https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT) is not comprehensive: it only resolves the impact on RocketMQ's broker.
This vulnerability affects RocketMQ's nameserver, and exploiting it allows arbitrary file writes on that host.

# Setup local RocketMQ environment via Docker
```bash
# start name server
docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.6 sh mqnamesrv

# start broker
docker run -d --name rmqbroker \
  --link rmqnamesrv:namesrv \
  -e "NAMESRV_ADDR=namesrv:9876" \
  -p 10909:10909 \
  -p 10911:10911 \
  -p 10912:10912 \
  apache/rocketmq:4.9.6 sh mqbroker \
  -c /home/rocketmq/rocketmq-4.9.6/conf/broker.conf
```

# Exploit

It is important to note that the exploit provided is for demonstration purposes only. 
The current exploit allows for the writing of a file to the nameserver's `/tmp/pwned` directory.
Modifying the content of the `body` variable allows for the exploitation of this vulnerability by writing an OpenSSH private key or adding a cronjob. 
However, it is crucial to remember that such activities are unauthorized and can lead to serious security breaches. 
It is strongly advised to refrain from engaging in any malicious activities and to prioritize responsible and ethical cybersecurity practices.

```
usage: CVE-2023-37582.py [-h] [-ip IP] [-p P]

RocketMQ Exploit

optional arguments:
  -h, --help  show this help message and exit
  -ip IP      Nameserver address
  -p P        Nameserver listen port
```

# References
[RocketMQ commit: Fix incorrect naming](https://github.com/apache/rocketmq/pull/6843/files)
File snapshot

```
[4.0K] /data/pocs/ef31d7d1d1949c3c5c493519d91fc3959495c98e
├── [2.9K] CVE-2023-37582.py
├── [ 11K] LICENSE
└── [1.9K] README.md

0 directories, 3 files
```