Apache ActiveMQ OpenWire Remote Code Execution
CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ affecting the Java OpenWire protocol marshaller. A remote attacker with network access to a Java-based OpenWire broker or client can manipulate serialized class type information in OpenWire protocol data so that the target instantiates attacker-chosen classes from the application classpath. This can be abused to make the broker or client load attacker-controlled Spring XML configuration and ultimately execute arbitrary shell commands. The issue is an insecure deserialization flaw and is reachable on exposed broker ports without prior authentication.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
16 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (8 hidden).
This repository is a lab automation project for CVE-2023-46604 against Apache ActiveMQ, not a standalone custom exploit implementation. The actual exploitation is delegated to Metasploit's module exploit/multi/misc/apache_activemq_rce_cve_2023_46604, so the repository's main purpose is to provision a reproducible attacker/victim environment and automatically launch the exploit. Structure: README.md documents the workflow; PowerShell scripts create/delete VirtualBox VMs and orchestrate SSH-based setup; Bash scripts configure the Debian victim and Kali attacker; kaliCommands.sh contains manual Metasploit commands and network setup notes. The Debian setup script installs OpenJDK 11 and Apache ActiveMQ 5.18.2, assigns the victim IP 192.168.50.10, modifies /opt/activemq/conf/jetty.xml to replace 127.0.0.1 with 0.0.0.0, and starts ActiveMQ. The Kali setup script assigns 192.168.50.20 and writes an exploit.rc Metasploit resource file that configures the ActiveMQ CVE-2023-46604 module with payload cmd/linux/http/x64/shell_reverse_tcp. Main exploit capability: remote command execution against the Debian-hosted ActiveMQ instance, yielding a reverse command shell session back to the Kali VM. The automation uses SSH over localhost-forwarded ports to bootstrap both VMs, then runs msfconsole with the prepared resource script. Fingerprintable infrastructure includes the internal lab IPs 192.168.50.10 and 192.168.50.20, localhost SSH forwards on 2220/2225, Metasploit HTTP services on 8888/8889, the Apache archive download URL, and ActiveMQ configuration paths under /opt/activemq. Overall, this is an operational lab wrapper around a Metasploit exploit rather than original exploit code.
This repository is a standalone Java Swing exploit toolkit for Apache ActiveMQ, not a Metasploit/Nuclei module. The project is Maven-based, with a single executable entry point in src/main/java/cc/kiiy/App.java that launches a GUI (MainFrame). The codebase is organized into service classes for exploitation/detection logic (EnvironmentService, VulnerabilityService), UI panels for each supported CVE and settings, and utility helpers for HTTP and local config handling. Core capability-wise, the tool supports both detection and exploitation. EnvironmentService fingerprints ActiveMQ by requesting the target URL and checking for the Apache ActiveMQ title, and can authenticate to /admin/ using HTTP Basic auth to extract hostname, version, and uptime from the admin console HTML. VulnerabilityService is the main exploit engine. For CVE-2015-5254, it accepts a user-provided Base64 serialized payload, decodes it, wraps it into an ActiveMQObjectMessage, and sends it over OpenWire/JMS to a chosen queue on tcp://<host>:<port> (default 61616), enabling broker-side deserialization when the message is processed/viewed. For CVE-2016-3088, it performs a PUT to /fileserver/<random>.txt and then a MOVE to file:///etc/cron.d/root, planting a cron entry that launches a Perl reverse shell back to the operator. This is a real exploitation path, not just a detector, but it depends on vulnerable behavior and elevated target privileges. The repository also includes support for CVE-2022-41678 workflows. Although the repository listing truncates some of the implementation, the UI and service references clearly show functionality to write a default or custom webshell and then execute commands through it, with selectable methods such as auto, log4j2, and jfr. The included JfrTemplate.java contains a large embedded JFR configuration template, indicating one exploitation path abuses JFR-related file write/config behavior.
BeanXmlPanel generates Spring BeanXML payloads using java.lang.ProcessBuilder for arbitrary command execution, likely intended to support XML-based ActiveMQ exploitation such as CVE-2023-46604-style xbean loading. The code also contains logic for a Jolokia-based probe labeled CVE-2026-34197 that sends an addNetworkConnector request with a vm://evil?brokerConfig=xbean:<xmlServer> argument, causing the target to fetch attacker-controlled XML from an external server. Network and fingerprintable artifacts are abundant: HTTP(S) access to the target web console and admin paths, OpenWire TCP access to port 61616, PUT/MOVE requests to /fileserver/, file destinations like file:///etc/cron.d/root, attacker XML hosting URLs, and Basic Authorization headers. The GUI exposes global custom headers and proxy settings, allowing the operator to tune requests and route traffic through a local proxy. Overall, this is an operational multi-CVE ActiveMQ exploitation toolkit with a GUI front end, combining reconnaissance, authenticated checks, payload generation, deserialization delivery, arbitrary file write abuse, XML-based RCE testing, and webshell management.
This repository is a proof-of-concept exploit for CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ (tested on version 5.15.10). The exploit consists of a Python script (attacker/exploit.py) that crafts and sends a malicious OpenWire protocol packet to the target's TCP port 61616. The packet instructs the server to load a Spring XML configuration from a URL (hosted by attacker/serve.py on port 8000), which contains a bean definition that triggers arbitrary command execution (touching a file in /tmp). The repository includes a Docker Compose environment to run a vulnerable ActiveMQ instance for testing. The exploit demonstrates successful code execution by creating a file on the victim server. The main attack vector is network-based, targeting the OpenWire port, and the exploit requires the attacker to host a malicious XML file accessible to the victim server.
This repository provides a working exploit for CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ (tested on version 5.18.2). The exploit consists of a Python script (exploit.py) that crafts and sends a specially formatted packet to the ActiveMQ server's TCP port (default 61616). The payload references a malicious XML file (poc.xml) hosted on an HTTP server controlled by the attacker. When the vulnerable ActiveMQ instance processes this XML, it executes a bash command that creates and runs a reverse shell script, connecting back to the attacker's machine (port 4444). The repository includes Dockerfiles and a docker-compose configuration to set up both attacker and victim environments for testing. There is also a sample firewall rule script (rule_protect.txt) to block exploitation. The main exploit capabilities are remote code execution and reverse shell access, with clear instructions and automation for both setup and exploitation.
This repository is a Java-based GUI tool (ActiveMQ_RCE_GUI) designed to exploit a remote code execution (RCE) vulnerability in Apache ActiveMQ servers (version <= 5.18.2). The main exploit logic is implemented in 'src/main/java/org/example/ActiveMQ_RCE_GUI.java', which provides a Swing-based interface for the user to specify the target IP, port, and a URL hosting a malicious Spring XML payload. The tool connects to the target ActiveMQ server using the provided credentials (default: admin/admin), retrieves the server version, and if the version is vulnerable, it attempts to exploit the server by sending a specially crafted ExceptionResponse containing a reference to the malicious payload. The payload, when loaded by the server, results in arbitrary command execution (e.g., launching calculator). The repository also includes proxy configuration support (SOCKS/HTTP) via a secondary GUI. The exploit requires the attacker to host the payload and have network access to the target's ActiveMQ service port. No specific CVE is referenced, but the exploit targets a known class of deserialization vulnerabilities in ActiveMQ's handling of Spring XML payloads.
This repository provides a working exploit for CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ. The exploit leverages the OpenWire protocol's unsafe reflection to trigger the loading of a malicious Spring Bean XML, which in turn executes arbitrary commands on the target system. The repository is structured as follows:
- Java components (in 'activemq-exploit') implement an HTTP server (HttpServer.java) that serves the malicious Spring Bean XML (exploit.xml) and an ActiveMQ client (ActiveMQClient.java) that connects to a broker.
- The 'vulnerability/Vulnerability.java' file demonstrates the vulnerable reflection logic as found in ActiveMQ's OpenWire marshaller.
- Python scripts ('scripts/client_exploit.py' and 'scripts/server_exploit.py') implement the network logic to interact with the OpenWire protocol, send the malicious payload, and trigger the exploit. The client exploit simulates a malicious broker attacking a client, while the server exploit attempts to attack a broker directly.
- The payload (exploit.xml) is a Spring Bean definition that instantiates a ProcessBuilder to run a bash command, demonstrating code execution by creating a file on the Desktop.
The exploit requires the target to be running a vulnerable version of ActiveMQ with the OpenWire protocol enabled and accessible. The attack vector is network-based, and the exploit demonstrates operational maturity with a working payload and clear instructions for use.
This repository contains a Go-based exploit for CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ. The main exploit logic resides in 'cve-2023-46604.go', which implements the following capabilities:
- Validates that a remote ActiveMQ instance is running and checks its version for vulnerability.
- Delivers a Nashorn JavaScript payload via a malicious Spring XML bean, exploiting the deserialization flaw to achieve code execution.
- Supports two main payloads: a reverse shell (using Nashorn JS) or a command to download and execute a binary (using curl), both of which are base64-encoded and injected into the target.
- Spins up a local HTTP server to serve the malicious XML payload to the target, with the endpoint path randomized per run.
- Is configurable via command-line flags for target host/port, callback address, and payload type.
The repository is well-structured, with a single main exploit file, build scripts (Makefile, Dockerfile), and documentation (README.md) that provides usage instructions and example output. The exploit is operational and can be used to gain remote code execution on vulnerable ActiveMQ instances accessible over the network.
This repository provides a working exploit for CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ. The exploit is implemented in Go (main.go) and is designed to send a specially crafted message to the target ActiveMQ server (default port 61616) that references a malicious XML file (poc-linux.xml or poc-windows.xml) hosted by the attacker. The XML files use Spring's ClassPathXmlApplicationContext to trigger execution of a command on the target: for Linux, it downloads and executes a reverse shell ELF binary; for Windows, it downloads and executes a reverse shell EXE. The payloads are generated using msfvenom and must be hosted on the attacker's web server. The README provides detailed usage instructions, including how to generate payloads and host the XML files. The exploit targets both Linux and Windows platforms and requires the attacker to specify the target IP and the URL of the hosted XML file. The repository structure is straightforward, with the main exploit logic in main.go, configuration in go.mod, and the two XML payload templates for each platform. The exploit is operational and provides a reverse shell to the attacker if successful.
This repository provides a Python-based exploit for CVE-2023-46604, a critical unauthenticated remote code execution vulnerability in Apache ActiveMQ (versions 5.18.0-5.18.2, 5.17.0-5.17.5, 5.16.0-5.16.6, and all versions before 5.15.16). The exploit consists of a main script (CVE-2023-46604-RCE.py), a sample malicious XML payload (poc.xml), and a README with usage instructions. The Python script crafts and sends a malicious OpenWire packet to the target ActiveMQ server, instructing it to load an attacker-hosted XML file. The XML file leverages Java deserialization to execute arbitrary system commands on the server (e.g., launching calculator or creating a file). The exploit supports targeting multiple hosts and ports, and the payload can be customized by editing poc.xml. The attack vector is network-based, requiring access to the ActiveMQ OpenWire port (default 61616). No hardcoded IPs or URLs are present; the attacker must supply the target and payload URL at runtime.
This repository provides a Golang-based exploit for Apache ActiveMQ's CVE-2023-46604 remote code execution vulnerability. The exploit targets the OpenWire protocol (default TCP port 61616) and works by sending a specially crafted packet that instructs the ActiveMQ server to load a malicious Spring XML bean definition from an attacker-controlled URL. The provided 'poc.xml' payload uses Java's ProcessBuilder to execute arbitrary system commands (the PoC opens the calculator, but this can be changed to any command). The repository contains two main code files: 'main.go' (the exploit logic) and 'poc.xml' (the payload). The exploit is operational and can be used for both detection (by pointing the XML URL to a DNS log) and exploitation (by pointing to a command-executing XML). The README files provide detailed protocol analysis and usage instructions. No framework is used; the exploit is standalone.
This repository contains a Python proof-of-concept exploit (attack.py) targeting Apache ActiveMQ (notably version 5.18.3) via the OpenWire protocol. The exploit script constructs a specially crafted OpenWire packet referencing a malicious XML file and sends it to the target ActiveMQ server (default port 61616). The README provides usage instructions and references to vulnerability analysis resources. The exploit requires the attacker to host a malicious XML file and have network access to the target's ActiveMQ service. The repository structure is simple, consisting of a single exploit script and a README. The exploit demonstrates remote code execution capabilities by leveraging a deserialization vulnerability in ActiveMQ.
This repository provides an operational exploit for CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ's OpenWire protocol due to unsafe deserialization. The repository contains three files: a Python exploit script (exploit.py), a malicious XML payload (poc.xml), and a README.md with usage instructions. The exploit.py script connects to a specified ActiveMQ server (default port 61616) and sends a specially crafted payload referencing the poc.xml file. The poc.xml file, when processed by the vulnerable server, causes it to instantiate a ProcessBuilder that executes a bash reverse shell, connecting back to the attacker's machine (10.10.10.10:9001). The exploit requires the attacker to host the poc.xml file and have the target server access it. The main attack vector is network-based, targeting the OpenWire protocol. The exploit is operational, providing a working reverse shell payload, and is not part of a larger framework.
This repository provides a working exploit for CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ due to unsafe deserialization in the OpenWire protocol. The exploit consists of a Python script (exploit.py) that automates the attack: it generates a malicious XML payload (poc.xml) that, when processed by a vulnerable ActiveMQ server, causes arbitrary shell commands to be executed via Java's ProcessBuilder. The script also runs a local HTTP server to serve the XML payload and to receive the output of executed commands from the target server via HTTP POST requests. This enables a semi-interactive pseudo-shell experience, where the attacker can issue commands and receive their output without needing a traditional reverse shell. The exploit requires the attacker to specify both the target ActiveMQ server and an IP/port on their own machine to serve the payload and receive data. The repository includes a README.md with detailed usage instructions and an example session. The main attack vector is network-based, targeting the OpenWire port (default 61616) of the ActiveMQ server. The endpoints involved include the attacker's HTTP server (for serving the payload and receiving data) and the target's OpenWire TCP port. The exploit is operational and provides real command execution on the target, with output exfiltrated over HTTP.
This repository is a proof-of-concept exploit targeting Apache ActiveMQ versions prior to 5.18.3, 5.17.6, 5.16.7, and 5.15.16. The exploit leverages the ability to send a crafted ExceptionResponse containing a reference to a remote Spring bean XML file, which is then loaded by the target server, resulting in remote code execution. The repository contains Java source code (Main.java) that connects to an ActiveMQ broker (default: tcp://localhost:61616) using default credentials, crafts an ExceptionResponse with a ClassPathXmlApplicationContext pointing to a malicious XML file hosted on an HTTP server (e.g., http://127.0.0.1:8000/1.xml), and sends it to the broker. The malicious XML file, as described in the README, uses ProcessBuilder to execute arbitrary commands (such as launching Calculator). The structure includes Maven build files and minimal Java code, with the main entry point being Main.java. No framework (such as Metasploit) is used; this is a standalone Java exploit. The attack vector is network-based, requiring access to the ActiveMQ broker and the ability to host a malicious XML file.
This repository provides an operational exploit for CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ. The exploit consists of a Python script (exploit.py) that targets ActiveMQ servers accessible on TCP port 61616. The script can attack single or multiple targets, reading addresses from a file or command line. It sends a specially crafted OpenWire protocol payload that instructs the target to fetch and process a malicious XML configuration (poc.xml) from an attacker-controlled URL. The XML payload leverages Spring's ClassPathXmlApplicationContext to instantiate a ProcessBuilder, executing a bash reverse shell that connects back to the attacker's server. The repository also includes a README.md with usage instructions and background on the vulnerability. The exploit is not part of a framework and is operational, requiring the attacker to host the XML payload and provide target addresses. The main attack vector is network-based, exploiting insecure deserialization over the OpenWire protocol.
This repository is a functional exploit for CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ versions prior to 5.18.3. The exploit is implemented in Java and is structured as a Maven project. The main entry point is 'src/main/java/org/example/Main.java', which provides a command-line interface for launching the exploit against a target ActiveMQ server. The exploit supports two main payload delivery methods: (1) via a malicious Spring XML bean (exp.xml), and (2) via a crafted Shiro INI configuration. The payloads leverage Java deserialization to achieve arbitrary command execution on the target. The exploit can generate payloads for different Java versions and supports both direct command execution and custom bytecode execution. The code includes utilities for generating the necessary serialized objects and for handling the network protocol with ActiveMQ. The exploit is operational and provides command output (echo) to the attacker. The only required endpoint is the ActiveMQ TCP service, typically on port 61616. No hardcoded IPs or domains are present; the target is specified by the user at runtime.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Recent activity
60 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Apache ActiveMQ vulnerability exploited in the wild and targeted as a zero-day by the TellYouThePass ransomware gang.
A critical Apache ActiveMQ vulnerability that was weaponized by unknown actors to deploy the Linux malware DripDropper.
An Apache ActiveMQ vulnerability previously tagged by CISA as exploited in the wild and used by the TellYouThePass ransomware gang as a zero-day.
An insecure deserialization vulnerability in Apache ActiveMQ that allows arbitrary code execution in the server process context.