ai-exploits/README.md

<div align="center">

# AI Exploits

  <img width="250" src="https://github.com/protectai/ai-exploits/assets/5151193/aef11c4a-d758-45fe-aab8-c9df714cdbe5" alt="AI Exploits Logo">

</div>

The AI world has a security problem and it's not just in the inputs given to LLMs such as ChatGPT. Based 
on research done by [Protect AI](https://protectai.com) and independent security experts on the [Huntr](https://huntr.com) Bug Bounty Platform, there are far more impactful and practical attacks 
against the tools, libraries and frameworks used to build, train, and deploy machine learning models. Many of these 
attacks lead to complete system takeovers and/or loss of sensitive data, models, or credentials most often without the need
for authentication. 

With the release of this repository, [Protect AI](https://protectai.com) hopes to demystify to the Information Security community what practical attacks against AI/Machine Learning infrastructure look like in the real world and raise awareness to the amount of vulnerable components that currently exist in the AI/ML ecosystem. More vulnerabilities can be found here:
* [November Vulnerability Report](https://protectai.com/threat-research/november-vulnerability-report)
* [December Vulnerability Report](https://protectai.com/threat-research/december-vulnerability-report)
* [January Vulnerability Report](https://protectai.com/threat-research/january-vulnerability-report)

## Overview

This repository, **ai-exploits**, is a collection of exploits and scanning templates for responsibly disclosed vulnerabilities affecting machine learning tools.

Each vulnerable tool has a number of subfolders containing three types of utilities: [Metasploit](https://github.com/rapid7/metasploit-framework) modules, [Nuclei](https://github.com/projectdiscovery/nuclei) templates
and CSRF templates. Metasploit modules are for security professionals looking to exploit the vulnerabilities and Nuclei templates are for scanning a large number of remote servers to determine if they're vulnerable.

## Demo

Video demonstrating running one of the Metasploit modules against Ray:

[![Exploit Demo](https://img.youtube.com/vi/5aSwPQKKhi4/0.jpg)](https://youtu.be/5aSwPQKKhi4)

## Setup & Usage

The easiest way to use the modules and scanning templates is to build and run the Docker image provided by the `Dockerfile` in this repository. The Docker image will have Metasploit and Nuclei already installed along with all the necessary configuration.

###  Docker

1. Build the image:

   ```bash
   git clone https://github.com/protectai/ai-exploits && cd ai-exploits
   docker build -t protectai/ai-exploits .
   ```

2. Run the docker image:
   
   ```bash
   docker run -it --rm protectai/ai-exploits /bin/bash
   ```

The latter command will drop you into a `bash` session in the container with `msfconsole` and `nuclei` ready to go.

### Using the Metasploit Modules

#### With Docker

Start the Metasploit console (the new modules will be available under the `exploits/protectai` category), load a module, set the options, and run the exploit.

   ```bash
   msfconsole
   msf6 > use exploit/protectai/ray_job_rce
   msf6 exploit(protectai/ray_job_rce) > set RHOSTS <target IP>
   msf6 exploit(protectai/ray_job_rce) > run
   ```

#### With Metasploit Installed Locally

Create a folder `~/.msf4/modules/exploits/protectai` and copy the exploit modules into it.

   ```bash
   mkdir -p ~/.msf4/modules/exploits/protectai
   cp ai-exploits/ray/msfmodules/* ~/.msf4/modules/exploits/protectai
   msfconsole
   msf6 > use exploit/protectai/<exploit_name.py>
   ```

### Using Nuclei Templates

Nuclei is a vulnerability scanning engine which can be used to scan large numbers of servers for known vulnerabilities in web applications and networks.

Navigate to nuclei templates folder such as `ai-exploits/mlflow/nuclei-templates`. In the Docker container these are stored in the `/root/nuclei-templates` folder. Then simply point to the template file and the target server.
   ```
   cd ai-exploits/mlflow/nuclei-templates
   nuclei -t mlflow-lfi.yaml -u http://<target>:<port>`
   ```

### Using CSRF Templates

Cross-Site Request Forgery (CSRF) vulnerabilities enable attackers to stand up a web server hosting a malicious HTML page 
that will execute a request to the target server on behalf of the victim. This is a common attack vector for exploiting 
vulnerabilities in web applications, including web applications which are only exposed on the localhost interface and 
not to the broader network. Below is a simple demo example of how to use a CSRF template to exploit a vulnerability in a 
web application.

Start a web server in the csrf-templates folder. Python allows one to stand up a simple web server in any 
directory. Navigate to the template folder and start the server.

   ```bash
   cd ai-exploits/ray/csrf-templates
   python3 -m http.server 9999
   ```

Now visit the web server address you just stood up (http://127.0.0.1:9999) and hit F12 to open 
the developer tools, then click the Network tab. Click the link to ray-cmd-injection-csrf.html. You should see that 
the browser sent a request to the vulnerable server on your behalf.

## Contribution Guidelines

We welcome contributions to this repository. Please read our [Contribution Guidelines](CONTRIBUTING.md) for more information on how to contribute.

## License

This project is licensed under the [Apache 2.0 License](LICENSE).
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00			`<div align="center">`

			`# AI Exploits`

Fixed logo 2023-11-16 16:28:49 +00:00			`<img width="250" src="https://github.com/protectai/ai-exploits/assets/5151193/aef11c4a-d758-45fe-aab8-c9df714cdbe5" alt="AI Exploits Logo">`
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00
			`</div>`

			`The AI world has a security problem and it's not just in the inputs given to LLMs such as ChatGPT. Based`
			`on research done by [Protect AI](https://protectai.com) and independent security experts on the [Huntr](https://huntr.com) Bug Bounty Platform, there are far more impactful and practical attacks`
			`against the tools, libraries and frameworks used to build, train, and deploy machine learning models. Many of these`
			`attacks lead to complete system takeovers and/or loss of sensitive data, models, or credentials most often without the need`
Link 2023-11-16 19:46:32 +00:00			`for authentication.`
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00
Update README.md 2024-01-22 21:22:13 +00:00			`With the release of this repository, [Protect AI](https://protectai.com) hopes to demystify to the Information Security community what practical attacks against AI/Machine Learning infrastructure look like in the real world and raise awareness to the amount of vulnerable components that currently exist in the AI/ML ecosystem. More vulnerabilities can be found here:`
			`* [November Vulnerability Report](https://protectai.com/threat-research/november-vulnerability-report)`
			`* [December Vulnerability Report](https://protectai.com/threat-research/december-vulnerability-report)`
			`* [January Vulnerability Report](https://protectai.com/threat-research/january-vulnerability-report)`
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00
			`## Overview`

			`This repository, ai-exploits, is a collection of exploits and scanning templates for responsibly disclosed vulnerabilities affecting machine learning tools.`

			`Each vulnerable tool has a number of subfolders containing three types of utilities: [Metasploit](https://github.com/rapid7/metasploit-framework) modules, [Nuclei](https://github.com/projectdiscovery/nuclei) templates`
Update README.md vulnerabilies -> vulnerabilities 2023-11-19 16:20:53 +00:00			`and CSRF templates. Metasploit modules are for security professionals looking to exploit the vulnerabilities and Nuclei templates are for scanning a large number of remote servers to determine if they're vulnerable.`
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00
Update README.md 2023-11-16 23:25:14 +00:00			`## Demo`

Update README.md 2023-11-16 23:25:56 +00:00			`Video demonstrating running one of the Metasploit modules against Ray:`

Update README.md 2023-11-16 23:25:14 +00:00			`[![Exploit Demo](https://img.youtube.com/vi/5aSwPQKKhi4/0.jpg)](https://youtu.be/5aSwPQKKhi4)`

Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00			`## Setup & Usage`

			The easiest way to use the modules and scanning templates is to build and run the Docker image provided by the `Dockerfile` in this repository. The Docker image will have Metasploit and Nuclei already installed along with all the necessary configuration.

			`### Docker`

			`1. Build the image:`

			```bash
Update README.md 2023-11-21 15:44:45 +00:00			`git clone https://github.com/protectai/ai-exploits && cd ai-exploits`
			`docker build -t protectai/ai-exploits .`
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00			```

			`2. Run the docker image:`

			```bash
			`docker run -it --rm protectai/ai-exploits /bin/bash`
			```

			The latter command will drop you into a `bash` session in the container with `msfconsole` and `nuclei` ready to go.

			`### Using the Metasploit Modules`

			`#### With Docker`

			Start the Metasploit console (the new modules will be available under the `exploits/protectai` category), load a module, set the options, and run the exploit.

			```bash
			`msfconsole`
			`msf6 > use exploit/protectai/ray_job_rce`
			`msf6 exploit(protectai/ray_job_rce) > set RHOSTS <target IP>`
			`msf6 exploit(protectai/ray_job_rce) > run`
			```

			`#### With Metasploit Installed Locally`

			Create a folder `~/.msf4/modules/exploits/protectai` and copy the exploit modules into it.

			```bash
			`mkdir -p ~/.msf4/modules/exploits/protectai`
			`cp ai-exploits/ray/msfmodules/* ~/.msf4/modules/exploits/protectai`
			`msfconsole`
			`msf6 > use exploit/protectai/<exploit_name.py>`
			```

			`### Using Nuclei Templates`

			`Nuclei is a vulnerability scanning engine which can be used to scan large numbers of servers for known vulnerabilities in web applications and networks.`

			Navigate to nuclei templates folder such as `ai-exploits/mlflow/nuclei-templates`. In the Docker container these are stored in the `/root/nuclei-templates` folder. Then simply point to the template file and the target server.
			```
			`cd ai-exploits/mlflow/nuclei-templates`
			nuclei -t mlflow-lfi.yaml -u http://<target>:<port>`
			```

			`### Using CSRF Templates`

			`Cross-Site Request Forgery (CSRF) vulnerabilities enable attackers to stand up a web server hosting a malicious HTML page`
			`that will execute a request to the target server on behalf of the victim. This is a common attack vector for exploiting`
			`vulnerabilities in web applications, including web applications which are only exposed on the localhost interface and`
			`not to the broader network. Below is a simple demo example of how to use a CSRF template to exploit a vulnerability in a`
			`web application.`

			`Start a web server in the csrf-templates folder. Python allows one to stand up a simple web server in any`
			`directory. Navigate to the template folder and start the server.`

			```bash
			`cd ai-exploits/ray/csrf-templates`
			`python3 -m http.server 9999`
			```

			`Now visit the web server address you just stood up (http://127.0.0.1:9999) and hit F12 to open`
			`the developer tools, then click the Network tab. Click the link to ray-cmd-injection-csrf.html. You should see that`
			`the browser sent a request to the vulnerable server on your behalf.`

			`## Contribution Guidelines`

			`We welcome contributions to this repository. Please read our [Contribution Guidelines](CONTRIBUTING.md) for more information on how to contribute.`

			`## License`

			`This project is licensed under the [Apache 2.0 License](LICENSE).`