We saw some great teamwork this week from jheysel-r7 and h00die to bring you an exploit module for CVE-2023-33246.
In Apache RocketMQ version 5.1.0 and under, there is an access control issue which the module leverages to update the broker’s configuration file without authentication. From here we can gain remote code execution as whichever user is running the service.
Authors: Malayke, h00die, and jheysel-r7
Type: Exploit
Pull request: #18082 contributed by jheysel-r7
AttackerKB reference: CVE-2023-33246
Description: This adds an exploit module that leverages an RCE in Apache RocketMQ. Due to an access control issue, one can update the Broker’s configuration file without authentication and obtain remote code execution in the context of the user running Apache RocketMQ. This vulnerability is identified as CVE-2023-33246.
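As an added illustration of the property this module relies on (example code written for this wrap-up, not Rapid7's module and not Apache's code): the broker's admin request path answers without credentials, so a plain GET_BROKER_CONFIG request to the broker port is enough to confirm that surface is exposed, and the reported version can then be checked against the affected range. The frame layout, the GET_BROKER_CONFIG request code (26) and the default broker port (10911) are assumed from the open-source RocketMQ remoting protocol, not taken from this post; the 4.9.6 fixed bound on the 4.x line is from the Apache advisory, which the post does not mention.

```python
import json
import re
import socket
import struct
from typing import Dict, Optional, Tuple

# Frame layout of the RocketMQ "remoting" protocol as implemented by the
# open-source broker (assumption: from the protocol, not from the post):
#   int32 total_len | int32 (serialize_type << 24 | header_len) | header JSON | body
# total_len counts everything after the first length field.
SERIALIZE_JSON = 0
GET_BROKER_CONFIG = 26    # RequestCode from the open-source table (assumption)
RESPONSE_SUCCESS = 0
DEFAULT_BROKER_PORT = 10911  # broker default listen port (assumption)


def encode_frame(code: int, ext_fields: Optional[Dict[str, str]] = None,
                 body: bytes = b"", opaque: int = 0) -> bytes:
    """Build one request frame carrying the given request code."""
    header = {
        "code": code,
        "language": "JAVA",
        "version": 0,
        "opaque": opaque,      # request id echoed back in the response
        "flag": 0,             # bit 0 clear = request
        "remark": "",
        "extFields": ext_fields or {},
    }
    header_bytes = json.dumps(header, separators=(",", ":")).encode()
    header_len = len(header_bytes)
    total_len = 4 + header_len + len(body)
    length_field = (SERIALIZE_JSON << 24) | (header_len & 0xFFFFFF)
    return struct.pack(">II", total_len, length_field) + header_bytes + body


def decode_frame(buf: bytes) -> Tuple[dict, bytes]:
    """Split one frame into its JSON header and raw body, validating lengths."""
    if len(buf) < 8:
        raise ValueError("frame too short for length fields")
    total_len, length_field = struct.unpack(">II", buf[:8])
    serialize_type = length_field >> 24
    header_len = length_field & 0xFFFFFF
    if serialize_type != SERIALIZE_JSON:
        raise ValueError("only JSON-serialised headers are handled here")
    if header_len + 4 > total_len or len(buf) < 4 + total_len:
        raise ValueError("inconsistent or truncated frame")
    header = json.loads(buf[8:8 + header_len])
    body = buf[8 + header_len:4 + total_len]
    return header, body


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '5.1.0', 'V5_1_0' or '4.9.5-SNAPSHOT' style version strings."""
    m = re.match(r"^[vV]?(\d+)[._](\d+)(?:[._](\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """
    CVE-2023-33246 version check. The post gives the bound as 5.1.0 and under;
    the 4.x line was fixed in 4.9.6 (Apache advisory, not from the post), so
    4.9.6 and later are carved out of that range.
    """
    major, minor, patch = parse_version(version)
    if (major, minor, patch) > (5, 1, 0):
        return False
    if major == 4 and (minor, patch) >= (9, 6):
        return False
    return True


def probe_broker_config(host: str, port: int = DEFAULT_BROKER_PORT,
                        timeout: float = 5.0) -> Tuple[int, str]:
    """
    Send an unauthenticated GET_BROKER_CONFIG and return (response code, body).
    A RESPONSE_SUCCESS (0) answer carrying config text means the admin request
    path is reachable without any credentials, which is the property the
    exploit module builds on. Uses the network, so it is not exercised offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_frame(GET_BROKER_CONFIG, opaque=1))
        head = s.recv(4)
        if len(head) < 4:
            raise ValueError("no response")
        (total_len,) = struct.unpack(">I", head)
        rest = b""
        while len(rest) < total_len:
            chunk = s.recv(total_len - len(rest))
            if not chunk:
                raise ValueError("connection closed mid-frame")
            rest += chunk
    header, body = decode_frame(head + rest)
    return int(header.get("code", -1)), body.decode("utf-8", "replace")
```

The read-only GET_BROKER_CONFIG request is deliberately the only one sent: it demonstrates that the same unauthenticated path the module uses to push configuration is open, without changing anything on the broker. Run is_affected on the version string the broker reports (or on the version you find in the deployment) to decide whether the install falls inside the range the module targets.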
Capture plugin: load capture, then run captureg --help.

The show payloads command for a module that supports encrypted payloads on a machine that doesn't have a Mingw compiler available.

You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).