Description
This module exploits an unauthenticated command injection vulnerability in MajorDoMo's remote command handler (rc/index.php). The param parameter is interpolated into double quotes without escapeshellarg(), and the resulting string is passed to safe_exec() which inserts it into the safe_execs database table with no sanitization.
The cycle_execs.php worker script is web-accessible without authentication. On startup it purges the safe_execs queue, then enters an infinite loop polling the table every second and passing each command to exec(). A race condition is required: the worker must be started first (which purges existing entries), then the injection is performed while the worker is polling. The next iteration picks up and executes the attacker's payload.
The command parameter must reference a valid .bat file in rc/commands/. The default MajorDoMo installation ships with shutdown.bat, displayon.bat, and displayoff.bat.
All versions of MajorDoMo up to and including the latest release are affected. The fix is tracked in PR sergejey/majordomo#1177.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/majordomo_cmd_injection_rcemsf undefined(majordomo_cmd_injection_rce) > show actions ...actions...msf undefined(majordomo_cmd_injection_rce) > set ACTION < action-name >msf undefined(majordomo_cmd_injection_rce) > show options ...show and set options...msf undefined(majordomo_cmd_injection_rce) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub