From 6be4eeb38422f994195021020d3d8f8ea9fa1b54 Mon Sep 17 00:00:00 2001
From: Raul
Date: Tue, 22 Oct 2024 22:16:34 +0200
Subject: [PATCH 1/6] CVE-2023-33246
---
rocketmq/CVE-2023-33246/README.md | 34 +++++++++++++
.../CVE-2023-33246/docker-compose-secure.yml | 43 ++++++++++++++++
.../docker-compose-vulnerable.yml | 49 +++++++++++++++++++
3 files changed, 126 insertions(+)
create mode 100644 rocketmq/CVE-2023-33246/README.md
create mode 100644 rocketmq/CVE-2023-33246/docker-compose-secure.yml
create mode 100644 rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
diff --git a/rocketmq/CVE-2023-33246/README.md b/rocketmq/CVE-2023-33246/README.md
new file mode 100644
index 00000000..2d039b7b
--- /dev/null
+++ b/rocketmq/CVE-2023-33246/README.md
@@ -0,0 +1,34 @@
+# requirements setup
+spin up an `Ubuntu 22.04` fresh instance and log in as root.
+```bash
+apt update
+apt install dos2unix
+wget -q -O - "https://get.docker.com/" | dos2unix | bash
+# clone the repo
+# cd security-testbeds/rocketmq/CVE-2023-33246
+```
+# setup Vulnerable instance
+## Start service
+```bash
+docker compose -f docker-compose-vulnerable.yml up
+```
+## test the exploit
+### simple test
+```bash
+git clone https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT/tree/main
+cd CVE-2023-33246_RocketMQ_RCE_EXPLOIT
+python3 check.py --ip
+```
+The python script will output a message with the version and the exploitability
+### test with OOB
+```bash
+ python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 'curl http://:/test'
+```
+# setup secure instanced
+## Start service
+```bash
+docker compose -f docker-compose-secure.yml up
+```
+
+Ref:
+https://vulncheck.com/blog/rocketmq-exploit-payloads
\ No newline at end of file
diff --git a/rocketmq/CVE-2023-33246/docker-compose-secure.yml b/rocketmq/CVE-2023-33246/docker-compose-secure.yml
new file mode 100644
index 00000000..61b50623
--- /dev/null
+++ b/rocketmq/CVE-2023-33246/docker-compose-secure.yml
@@ -0,0 +1,43 @@
+services:
+ namesrv:
+ image: apache/rocketmq:5.1.1
+ container_name: rmqnamesrv-5.1.1
+ command: sh mqnamesrv
+ ports:
+ - "9877:9876"
+ volumes:
+ - ./data/logs-5.1.1:/home/rocketmq/logs
+ - ./data/store-5.1.1:/home/rocketmq/store
+ networks:
+ - rocketmq_network_5_1_1
+
+ broker:
+ image: apache/rocketmq:5.1.1
+ container_name: rmqbroker-5.1.1
+ command: sh mqbroker -n namesrv:9876
+ ports:
+ - "10912:10911"
+ - "10910:10909"
+ volumes:
+ - ./data/logs-5.1.1:/home/rocketmq/logs
+ - ./data/store-5.1.1:/home/rocketmq/store
+ depends_on:
+ - namesrv
+ networks:
+ - rocketmq_network_5_1_1
+
+ console:
+ image: styletang/rocketmq-console-ng
+ container_name: rmqconsole-5.1.1
+ ports:
+ - "8081:8080"
+ environment:
+ - "JAVA_OPTS=-Drocketmq.namesrv.addr=namesrv:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false"
+ depends_on:
+ - namesrv
+ - broker
+ networks:
+ - rocketmq_network_5_1_1
+
+networks:
+ rocketmq_network_5_1_1:
\ No newline at end of file
diff --git a/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml b/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
new file mode 100644
index 00000000..6a4528fd
--- /dev/null
+++ b/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
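Review bot: The `console` service image `styletang/rocketmq-console-ng` carries no tag or digest, so each `docker compose up` resolves to whatever the registry serves that day and the baseline this file is meant to represent is not reproducible; pin it the way the RocketMQ images are pinned to `5.1.1`, e.g. `image: styletang/rocketmq-console-ng:<TAG>@sha256:<DIGEST>` (placeholders). The host ports `9877`, `10912`, `10910` and `8081` are each one above the ports published by docker-compose-vulnerable.yml, evidently so both stacks can run side by side, but nothing records that; a comment like `# host ports are offset by +1 from docker-compose-vulnerable.yml so both stacks can run at once` would stop a later cleanup from reintroducing a collision. It would also be worth a one-line comment on the `image:` line saying that `5.1.1` appears to be the earliest 5.x release containing the fix rather than a current release, so "secure" is not read as "fully patched". The same unpinned console image is in the docker-compose-vulnerable.yml hunk of this commit.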
@@ -0,0 +1,49 @@
+services:
+ namesrv:
+ image: apache/rocketmq:4.9.4
+ container_name: rmqnamesrv-4.9.4
+ command: sh mqnamesrv
+ ports:
+ - "9876:9876"
+ volumes:
+ - ./data/logs-4.9.4:/home/rocketmq/logs
+ - ./data/store-4.9.4:/home/rocketmq/store
+ networks:
+ - rocketmq_network_4_9_4
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+
+ broker:
+ image: apache/rocketmq:4.9.4
+ container_name: rmqbroker-4.9.4
+ command: sh mqbroker -n namesrv:9876
+ ports:
+ - "10911:10911"
+ - "10909:10909"
+ volumes:
+ - ./data/logs-4.9.4:/home/rocketmq/logs
+ - ./data/store-4.9.4:/home/rocketmq/store
+ depends_on:
+ - namesrv
+ networks:
+ - rocketmq_network_4_9_4
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+
+ console:
+ image: styletang/rocketmq-console-ng
+ container_name: rmqconsole-4.9.4
+ ports:
+ - "8080:8080"
+ environment:
+ - "JAVA_OPTS=-Drocketmq.namesrv.addr=namesrv:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false"
+ depends_on:
+ - namesrv
+ - broker
+ networks:
+ - rocketmq_network_4_9_4
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+
+networks:
+ rocketmq_network_4_9_4:
From 64b485ad1808ea0a000155c2b419f528a9f832fa Mon Sep 17 00:00:00 2001
From: lokiuox
Date: Wed, 23 Oct 2024 21:16:44 +0200
Subject: [PATCH 2/6] Moved rocketmq into Apache folder
---
{rocketmq => apache/rocketmq}/CVE-2023-33246/README.md | 0
.../rocketmq}/CVE-2023-33246/docker-compose-secure.yml | 0
.../rocketmq}/CVE-2023-33246/docker-compose-vulnerable.yml | 0
3 files changed, 0 insertions(+), 0 deletions(-)
rename {rocketmq => apache/rocketmq}/CVE-2023-33246/README.md (100%)
rename {rocketmq => apache/rocketmq}/CVE-2023-33246/docker-compose-secure.yml (100%)
rename {rocketmq => apache/rocketmq}/CVE-2023-33246/docker-compose-vulnerable.yml (100%)
diff --git a/rocketmq/CVE-2023-33246/README.md b/apache/rocketmq/CVE-2023-33246/README.md
similarity index 100%
rename from rocketmq/CVE-2023-33246/README.md
rename to apache/rocketmq/CVE-2023-33246/README.md
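Review bot: All three services add `extra_hosts: host.docker.internal:host-gateway`, which gives the deliberately vulnerable broker a route to services listening on the Docker host, while the secure compose file in this commit has no such entry, so the asymmetry looks intentional but is undocumented. Presumably it is there so the out-of-band callback described in the README can reach a listener on the host; if so, say it, `# host-gateway: lets the README's out-of-band callback reach a listener on the Docker host`, and if that listener runs elsewhere the entry should be dropped, since it widens what a compromised container can reach. The `namesrv` and `console` services do not obviously need it even for that purpose.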
diff --git a/rocketmq/CVE-2023-33246/docker-compose-secure.yml b/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
similarity index 100%
rename from rocketmq/CVE-2023-33246/docker-compose-secure.yml
rename to apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
diff --git a/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml b/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
similarity index 100%
rename from rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
rename to apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
From b6400b7d16bb52ac356c62f195d7f3d99f0bb5a0 Mon Sep 17 00:00:00 2001
From: lokiuox
Date: Wed, 23 Oct 2024 22:22:03 +0200
Subject: [PATCH 3/6] Better wording in README
---
apache/rocketmq/CVE-2023-33246/README.md | 42 +++++++++++------------
1 file changed, 19 insertions(+), 23 deletions(-)
diff --git a/apache/rocketmq/CVE-2023-33246/README.md b/apache/rocketmq/CVE-2023-33246/README.md
index 2d039b7b..a77e765c 100644
--- a/apache/rocketmq/CVE-2023-33246/README.md
+++ b/apache/rocketmq/CVE-2023-33246/README.md
@@ -1,34 +1,30 @@
-# requirements setup
-spin up an `Ubuntu 22.04` fresh instance and log in as root.
-```bash
-apt update
-apt install dos2unix
-wget -q -O - "https://get.docker.com/" | dos2unix | bash
-# clone the repo
-# cd security-testbeds/rocketmq/CVE-2023-33246
-```
-# setup Vulnerable instance
-## Start service
+# RocketMQ CVE-2023-33246 Testbed
+
+## Start the service
+
+### Vulnerable instance
 ```bash
 docker compose -f docker-compose-vulnerable.yml up
 ```
-## test the exploit
-### simple test
+
+### Secure instance
 ```bash
-git clone https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT/tree/main
-cd CVE-2023-33246_RocketMQ_RCE_EXPLOIT
-python3 check.py --ip
+docker compose -f docker-compose-secure.yml up
 ```
-The python script will output a message with the version and the exploitability
-### test with OOB
+
+## Check if the instance is vulnerable
+You can use the scripts from the following repository to check whether a RocketMQ instance is vulnerable: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT.
+
+Here are some examples.
+### Simple version-based check
 ```bash
- python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 'curl http://:/test'
+python3 check.py --ip
 ```
-# setup secure instanced
-## Start service
+The python script will output a message with the detected version and the exploitability.
+### Test with out-of-bound callback
 ```bash
-docker compose -f docker-compose-secure.yml up
+ python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 'curl '
 ```
 
-Ref:
+## References:
 https://vulncheck.com/blog/rocketmq-exploit-payloads
\ No newline at end of file
From dfadcb5fcd61d2cfd172ad061b6d520389a696dd Mon Sep 17 00:00:00 2001
From: lokiuox
Date: Wed, 23 Oct 2024 22:22:37 +0200
Subject: [PATCH 4/6] [RocketMQ] Simplified docker compose
---
.../CVE-2023-33246/docker-compose-secure.yml | 36 ++---------------
.../docker-compose-vulnerable.yml | 40 +------------------
2 files changed, 5 insertions(+), 71 deletions(-)
diff --git a/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml b/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
index 61b50623..1d0036de 100644
--- a/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
+++ b/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
@@ -1,43 +1,13 @@
+name: rocketmq_secure
 services:
 namesrv:
 image: apache/rocketmq:5.1.1
- container_name: rmqnamesrv-5.1.1
 command: sh mqnamesrv
 ports:
- - "9877:9876"
- volumes:
- - ./data/logs-5.1.1:/home/rocketmq/logs
- - ./data/store-5.1.1:/home/rocketmq/store
- networks:
- - rocketmq_network_5_1_1
+ - "9876:9876"
 
 broker:
 image: apache/rocketmq:5.1.1
- container_name: rmqbroker-5.1.1
 command: sh mqbroker -n namesrv:9876
- ports:
- - "10912:10911"
- - "10910:10909"
- volumes:
- - ./data/logs-5.1.1:/home/rocketmq/logs
- - ./data/store-5.1.1:/home/rocketmq/store
 depends_on:
- - namesrv
- networks:
- - rocketmq_network_5_1_1
-
- console:
- image: styletang/rocketmq-console-ng
- container_name: rmqconsole-5.1.1
- ports:
- - "8081:8080"
- environment:
- - "JAVA_OPTS=-Drocketmq.namesrv.addr=namesrv:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false"
- depends_on:
- - namesrv
- - broker
- networks:
- - rocketmq_network_5_1_1
-
-networks:
- rocketmq_network_5_1_1:
\ No newline at end of file
+ - namesrv
\ No newline at end of file
diff --git a/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml b/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
index 6a4528fd..29605f71 100644
--- a/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
+++ b/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
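Review bot: The nameserver host port changes from `"9877:9876"` to `"9876:9876"`, which is exactly what docker-compose-vulnerable.yml publishes in the next hunk, so with the projects now named `rocketmq_secure` and `rocketmq_vulnerable` the two stacks can no longer be up at the same time: the second `docker compose up` fails to bind host port 9876. Either keep the offset the previous version had or state the constraint in both files, e.g. `# publishes the same host ports as docker-compose-vulnerable.yml; run one stack at a time`. Dropping `volumes` also makes the logs and the store ephemeral, which is reasonable for a testbed but worth a sentence in the README so nobody looks for `./data` after a run.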
@@ -1,49 +1,13 @@
+name: rocketmq_vulnerable
 services:
 namesrv:
 image: apache/rocketmq:4.9.4
- container_name: rmqnamesrv-4.9.4
 command: sh mqnamesrv
 ports:
 - "9876:9876"
- volumes:
- - ./data/logs-4.9.4:/home/rocketmq/logs
- - ./data/store-4.9.4:/home/rocketmq/store
- networks:
- - rocketmq_network_4_9_4
- extra_hosts:
- - "host.docker.internal:host-gateway"
 
 broker:
 image: apache/rocketmq:4.9.4
- container_name: rmqbroker-4.9.4
 command: sh mqbroker -n namesrv:9876
- ports:
- - "10911:10911"
- - "10909:10909"
- volumes:
- - ./data/logs-4.9.4:/home/rocketmq/logs
- - ./data/store-4.9.4:/home/rocketmq/store
 depends_on:
- - namesrv
- networks:
- - rocketmq_network_4_9_4
- extra_hosts:
- - "host.docker.internal:host-gateway"
-
- console:
- image: styletang/rocketmq-console-ng
- container_name: rmqconsole-4.9.4
- ports:
- - "8080:8080"
- environment:
- - "JAVA_OPTS=-Drocketmq.namesrv.addr=namesrv:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false"
- depends_on:
- - namesrv
- - broker
- networks:
- - rocketmq_network_4_9_4
- extra_hosts:
- - "host.docker.internal:host-gateway"
-
-networks:
- rocketmq_network_4_9_4:
+ - namesrv
\ No newline at end of file
From ca6ade355c0f8b933b3908253bd6787f9dddbcc8 Mon Sep 17 00:00:00 2001
From: lokiuox
Date: Thu, 24 Oct 2024 19:06:20 +0200
Subject: [PATCH 5/6] Expose broker port
---
apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml | 3 +++
apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml | 3 +++
2 files changed, 6 insertions(+)
diff --git a/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml b/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
index 1d0036de..9df1c9cc 100644
--- a/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
+++ b/apache/rocketmq/CVE-2023-33246/docker-compose-secure.yml
@@ -9,5 +9,8 @@ services:
 broker:
 image: apache/rocketmq:5.1.1
 command: sh mqbroker -n namesrv:9876
+ ports:
+ - "10911:10911"
+ - "10909:10909"
 depends_on:
 - namesrv
\ No newline at end of file
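Review bot: The new `ports` entries publish `10911` and `10909` on every host interface (no bind address is given), and nothing says what they are or why they are exposed; a comment such as `# 10911: broker remoting port, the endpoint the README's checks talk to; 10909: VIP channel port (listenPort-2)` would make the exposure deliberate rather than incidental (the VIP-channel reading is inferred from RocketMQ defaults, not from this file). If the checks are only ever run from the Docker host itself, `"127.0.0.1:10911:10911"` keeps the testbed off the LAN; the README's Tsunami scan suggests that is not always the case, so the comment is the minimum. Note also that the broker advertises its own address to the nameserver, so clients outside the compose network will likely be handed the container IP rather than these published ports — `brokerIP1` in the broker configuration is the usual knob if that bites; this is inferred, not shown here. The same three lines are added to docker-compose-vulnerable.yml in the next hunk.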
diff --git a/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml b/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
index 29605f71..b4f73a9f 100644
--- a/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
+++ b/apache/rocketmq/CVE-2023-33246/docker-compose-vulnerable.yml
@@ -9,5 +9,8 @@ services:
 broker:
 image: apache/rocketmq:4.9.4
 command: sh mqbroker -n namesrv:9876
+ ports:
+ - "10911:10911"
+ - "10909:10909"
 depends_on:
 - namesrv
\ No newline at end of file
From f862c5ff461497f9bcafc3d285fd9e9de4d017a2 Mon Sep 17 00:00:00 2001
From: lokiuox
Date: Thu, 24 Oct 2024 19:12:11 +0200
Subject: [PATCH 6/6] Some clarifications in the README
---
apache/rocketmq/CVE-2023-33246/README.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/apache/rocketmq/CVE-2023-33246/README.md b/apache/rocketmq/CVE-2023-33246/README.md
index a77e765c..973f6248 100644
--- a/apache/rocketmq/CVE-2023-33246/README.md
+++ b/apache/rocketmq/CVE-2023-33246/README.md
@@ -1,7 +1,6 @@
 # RocketMQ CVE-2023-33246 Testbed
 
 ## Start the service
-
 ### Vulnerable instance
 ```bash
 docker compose -f docker-compose-vulnerable.yml up
@@ -11,17 +10,20 @@ docker compose -f docker-compose-vulnerable.yml up
 ```bash
 docker compose -f docker-compose-secure.yml up
 ```
-
+## Detection
+The vulnerability can be verified and exploited by connecting to the broker port, which is `10911` by default. Unfortunately, this port is not included in nmap's top 1000 ports, therefore Tsunami will not detect it during a standard scan, unless you manually specify to scan it in the CLI arguments: `--port-ranges-target=10911`.
 ## Check if the instance is vulnerable
 You can use the scripts from the following repository to check whether a RocketMQ instance is vulnerable: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT.
 
 Here are some examples.
 ### Simple version-based check
+Note: this needs the nameserver port (9876) to be reachable.
 ```bash
 python3 check.py --ip
 ```
 The python script will output a message with the detected version and the exploitability.
 ### Test with out-of-bound callback
+This script will exploit the vulnerability with the supplied command. You can use a canary URL to confirm the presence of the vulnerability.
 ```bash
  python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 'curl '
 ```