
CVE-2023-46604 PoC — Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a

Associated Vulnerability
Title: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)
Description: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Description: Honeypot that scopes CVE-2023-46604 (Apache ActiveMQ RCE Vulnerability), focused on getting Indicators of Compromise.
Readme
# honeypot.rs

Honeypot that scopes [CVE-2023-46604 (Apache ActiveMQ RCE Vulnerability)](https://nvd.nist.gov/vuln/detail/CVE-2023-46604), focused on collecting Indicators of Compromise. This honeypot can be used in any Threat Intelligence infrastructure to collect attacker IP addresses, post-exploitation samples and malware samples. This information helps to detect and prevent future attacks.

# How it works

In a real attack, the attacker sends a specific packet to the Apache ActiveMQ service. This packet contains an ExceptionResponse whose class is `org.springframework.context.support.ClassPathXmlApplicationContext` and whose message contains the URL of an XML payload.
| ![Attack Example](assets/attack_example.png) |
|:--:|
| _Attack Example_ |

Next, the vulnerable service downloads the XML payload, which commonly contains an RCE command.
| ![XML Payload Example](assets/xml_loading_example.png) |
|:--:|
| _XML Payload Example_ |

This honeypot simulates a vulnerable Apache ActiveMQ service and extracts the attacker's IP address, the XML payload URL and the RCE command from the XML payload. This information can then be parsed from the JSON output.
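The extraction step described above, as an added example that is not part of honeypot.rs: a captured frame is scanned as raw bytes for the trigger class name and the payload URL that follows it (the OpenWire wire format itself is not modelled; treating the frame as a byte string is an assumption), then the fetched Spring XML is scanned for the bean class and its constructor-arg values, and the result is rendered as one JSON line. The frame bytes, the XML, the IP addresses and the bean class name are all constructed sample data.

```rust
// Added example, not honeypot.rs code. Extracts the indicators the README describes
// (trigger class, XML payload URL, command inside the XML) from constructed samples.

const TRIGGER_CLASS: &str = "org.springframework.context.support.ClassPathXmlApplicationContext";

#[derive(Debug, PartialEq)]
pub struct FrameIoc {
    pub trigger_class: String,
    pub payload_url: String,
}

#[derive(Debug, PartialEq)]
pub struct XmlIoc {
    pub bean_class: String,
    pub command: Vec<String>,
}

/// Byte-string search starting at `from`; returns the offset of `needle`.
fn find(haystack: &[u8], needle: &[u8], from: usize) -> Option<usize> {
    if needle.is_empty() || haystack.len() < needle.len() {
        return None;
    }
    (from..=haystack.len() - needle.len()).find(|&i| &haystack[i..i + needle.len()] == needle)
}

/// Assumption: the frame is scanned as raw bytes. The trigger class name must appear,
/// and the message after it is expected to carry an http(s) URL for the XML payload.
pub fn extract_from_frame(frame: &[u8]) -> Option<FrameIoc> {
    let class_at = find(frame, TRIGGER_CLASS.as_bytes(), 0)?;
    let mut pos = class_at + TRIGGER_CLASS.len();
    let url_at = loop {
        let i = find(frame, b"http", pos)?;
        if frame[i..].starts_with(b"http://") || frame[i..].starts_with(b"https://") {
            break i;
        }
        pos = i + 4;
    };
    // The URL ends at the first byte that cannot be part of one (control byte, space, quote).
    let url_end = frame[url_at..]
        .iter()
        .position(|&b| b <= b' ' || b == b'"' || b == b'\'' || b >= 0x7f)
        .map(|p| url_at + p)
        .unwrap_or(frame.len());
    let url = String::from_utf8(frame[url_at..url_end].to_vec()).ok()?;
    Some(FrameIoc { trigger_class: TRIGGER_CLASS.to_string(), payload_url: url })
}

/// Value of `name="..."` inside one XML start tag.
fn attr(tag: &str, name: &str) -> Option<String> {
    let key = format!("{}=\"", name);
    let s = tag.find(&key)? + key.len();
    let e = tag[s..].find('"')? + s;
    Some(tag[s..e].to_string())
}

fn unescape(s: &str) -> String {
    s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"").replace("&amp;", "&")
}

/// Minimal scanner for the <bean class="..."><constructor-arg><list><value>... shape
/// (not a full XML parser): returns the bean class and the list of values, which is
/// the command the README calls the "RCE command".
pub fn extract_from_xml(xml: &str) -> Option<XmlIoc> {
    let bean_start = xml.find("<bean ")?; // "<bean " so that the outer <beans> is skipped
    let tag_end = bean_start + xml[bean_start..].find('>')?;
    let bean_class = attr(&xml[bean_start..tag_end], "class")?;
    let bean_end = xml[tag_end..].find("</bean>").map(|p| tag_end + p).unwrap_or(xml.len());
    let mut rest = &xml[tag_end..bean_end];
    let mut command = Vec::new();
    while let Some(s) = rest.find("<value>") {
        let after = &rest[s + "<value>".len()..];
        let e = after.find("</value>")?;
        command.push(unescape(after[..e].trim()));
        rest = &after[e + "</value>".len()..];
    }
    Some(XmlIoc { bean_class, command })
}

fn json_escape(s: &str) -> String {
    s.replace('\\', "\\\\").replace('"', "\\\"")
}

/// One JSON line per hit, in the spirit of the README's parsable `outfile`.
pub fn to_json_line(src_ip: &str, f: &FrameIoc, x: &XmlIoc) -> String {
    let cmd: Vec<String> = x.command.iter().map(|c| format!("\"{}\"", json_escape(c))).collect();
    format!(
        "{{\"src_ip\":\"{}\",\"trigger_class\":\"{}\",\"payload_url\":\"{}\",\"bean_class\":\"{}\",\"command\":[{}]}}",
        src_ip, f.trigger_class, json_escape(&f.payload_url), json_escape(&x.bean_class), cmd.join(",")
    )
}

/// Constructed sample frame (not a real capture): a few header-like bytes, the trigger
/// class name, then a message carrying the payload URL.
pub fn sample_frame() -> Vec<u8> {
    let mut f = vec![0x00, 0x00, 0x00, 0x7a, 0x1f, 0x00, 0x00, 0x00, 0x01];
    f.extend_from_slice(TRIGGER_CLASS.as_bytes());
    f.extend_from_slice(&[0x01, 0x00, 0x2a]);
    f.extend_from_slice(b"http://203.0.113.10:8080/poc.xml");
    f.push(0x00);
    f
}

/// Constructed sample payload; the bean class and the harmless command are made up.
pub const SAMPLE_XML: &str = r#"<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="example.ConstructedBean" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/sh</value>
        <value>-c</value>
        <value>echo honeypot-test</value>
      </list>
    </constructor-arg>
  </bean>
</beans>"#;

fn main() {
    let f = extract_from_frame(&sample_frame()).expect("trigger class not found in frame");
    let x = extract_from_xml(SAMPLE_XML).expect("no bean in payload");
    println!("{}", to_json_line("198.51.100.7", &f, &x));
}
```

The frame scanner returns `None` when the trigger class is absent, so ordinary OpenWire traffic produces no indicator; only the class name plus a following URL is treated as a hit.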

Honeypot logs are written to the `logfile` path that you specify in `Service.toml`.
| ![Honeypot Logs](assets/real_attack_logs.png) |
|:--:|
| _Honeypot Logs_ |

The honeypot also writes a JSON output file with parsable indicators. You can set its path with `outfile` in `Service.toml`.
| ![JSON Output](assets/real_attack_json.png) |
|:--:|
| _JSON Output_ |

# Installation

The honeypot can be deployed on your own server (for example a VPS or VDS) as a Docker container.

### Configuration

The service configuration file `Service.toml` can be changed to suit your setup:

```toml
service_ip = "0.0.0.0" # listen ip address
service_port = 61616 # port (default for Apache ActiveMQ 61616)
logfile = "logs/service.log" # main log file
outfile = "logs/out.json" # output json for parsing
api_enabled = false # enable or disable the api for downloading honeypot results (true/false)
api_ip = "0.0.0.0" # listen ip address for api
api_port = 9123 # port for api
api_user = "user" # user for api auth
api_password = "" # password for api auth
```

You can enable the API if you want remote access to `out.json`. Results can be downloaded using curl:

```sh
curl -X POST http://<api_ip>:<api_port>/ --data 'username=<api_user>&password=<api_password>'
```
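A configuration check for the `Service.toml` keys above, added here as an example rather than taken from honeypot.rs: a small reader for the `key = value # comment` lines, followed by a review of the settings that matter once `api_enabled = true`. The two embedded configurations are constructed; the hardened one's password value is a placeholder, and the checks themselves (empty `api_password`, API bound to `0.0.0.0`, port collision, non-default `service_port`) are this example's own, not rules the project ships.

```rust
// Added example, not honeypot.rs code: parse the Service.toml keys and flag weak values.
use std::collections::HashMap;

/// Drop a `# comment` unless the `#` sits inside a quoted value.
fn strip_comment(line: &str) -> &str {
    let mut in_quotes = false;
    for (i, c) in line.char_indices() {
        match c {
            '"' => in_quotes = !in_quotes,
            '#' if !in_quotes => return &line[..i],
            _ => {}
        }
    }
    line
}

/// Minimal reader for the flat `key = value` shape used by Service.toml
/// (no tables, no arrays); quotes around string values are removed.
pub fn parse_service_toml(text: &str) -> HashMap<String, String> {
    let mut cfg = HashMap::new();
    for raw in text.lines() {
        let line = strip_comment(raw).trim();
        if line.is_empty() {
            continue;
        }
        if let Some((k, v)) = line.split_once('=') {
            cfg.insert(k.trim().to_string(), v.trim().trim_matches('"').to_string());
        }
    }
    cfg
}

fn get<'a>(cfg: &'a HashMap<String, String>, key: &str) -> &'a str {
    cfg.get(key).map(String::as_str).unwrap_or("")
}

/// Review the settings a defender would want to check before exposing the honeypot.
pub fn review(cfg: &HashMap<String, String>) -> Vec<String> {
    let mut findings = Vec::new();
    if get(cfg, "api_enabled") == "true" {
        if get(cfg, "api_password").is_empty() {
            findings.push("api_enabled is true but api_password is empty: the results endpoint is effectively unauthenticated".to_string());
        }
        if get(cfg, "api_ip") == "0.0.0.0" {
            findings.push("api listens on all interfaces (api_ip = 0.0.0.0); bind it to a management address or firewall it".to_string());
        }
    }
    if get(cfg, "service_port") == get(cfg, "api_port") {
        findings.push("service_port and api_port are the same port".to_string());
    }
    if get(cfg, "service_port") != "61616" {
        findings.push("service_port is not the ActiveMQ default 61616; scanners looking for the real service may miss the honeypot".to_string());
    }
    findings
}

/// Constructed: the README defaults with the API switched on and the password left empty.
pub const WEAK_CONFIG: &str = r#"service_ip = "0.0.0.0" # listen ip address
service_port = 61616 # port (default for Apache ActiveMQ 61616)
logfile = "logs/service.log" # main log file
outfile = "logs/out.json" # output json for parsing
api_enabled = true # api switched on
api_ip = "0.0.0.0" # listen ip address for api
api_port = 9123 # port for api
api_user = "user" # user for api auth
api_password = "" # password for api auth
"#;

/// Constructed: same deployment with the API bound locally and a placeholder password set.
pub const HARDENED_CONFIG: &str = r#"service_ip = "0.0.0.0"
service_port = 61616
logfile = "logs/service.log"
outfile = "logs/out.json"
api_enabled = true
api_ip = "127.0.0.1"
api_port = 9123
api_user = "user"
api_password = "constructed-long-secret" # placeholder value, not a real credential
"#;

fn main() {
    for (name, text) in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)] {
        let findings = review(&parse_service_toml(text));
        println!("{}: {} finding(s)", name, findings.len());
        for f in &findings {
            println!("  - {}", f);
        }
    }
}
```

The curl command above sends the username and password as a plain HTTP form body, so even with a strong `api_password` the API is best kept on a private address (as in the hardened sample) or behind a TLS-terminating proxy.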

### Using docker

```sh
git clone https://github.com/mranv/honeypot.rs -b main
cd honeypot.rs
docker compose up --build -d
```

You should also stop the original Apache ActiveMQ service (if one exists) and make sure that the configured port is not used by another process. Building the service can take some time.

You can also change `LevelFilter` to `Debug` in `main.rs` to get more helpful debug output.
| ![Debug Level](assets/debug_level_example.png) |
|:--:|
| _Debug LevelFilter_ |
File Snapshot

```
[4.0K] /data/pocs/4de2eeafadcbdac58476167185b0d0af1984b17d
├── [4.0K] assets
│   ├── [ 22K] attack_example.png
│   ├── [ 59K] debug_level_example.png
│   ├── [ 25K] real_attack_json.png
│   ├── [136K] real_attack_logs.png
│   └── [ 75K] xml_loading_example.png
├── [ 41K] Cargo.lock
├── [ 510] Cargo.toml
├── [ 205] docker-compose.yml
├── [ 258] Dockerfile
├── [ 11K] LICENSE
├── [4.0K] logs
├── [2.7K] README.md
├── [4.0K] resources
│   └── [ 313] openwire_response.dat
├── [ 189] Service.toml
└── [4.0K] src
    ├── [3.9K] backend.rs
    ├── [ 220] data.rs
    ├── [4.9K] fakeserver.rs
    └── [7.4K] main.rs

4 directories, 17 files
```