infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove unneeded require

master
Ziconius 2019-02-11 11:24:04 -05:00
parent 08e1f86390
commit b49b7ca9db
1 changed files with 9 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
modules/exploits/unix/webapp/webmin_1900_rce.rb
View File

@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'uri'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
@ -18,14 +16,13 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits an arbitrary command execution vulnerability in Webmin This module exploits an arbitrary command execution vulnerability in Webmin
1.900 and lower versions. Any user authorized to the "Java file manager" 1.900 and lower versions. Any user authorized to the "Java file manager"
and "Upload and Download" fields, to execute arbitrary commands with root privileges. and "Upload and Download" fields, to execute arbitrary commands with root privileges.
In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. In addition, if the 'Running Processes' (proc) privilege is set the user can
A vulnerable file can be printed on the original files of the Webmin application. accurately determine directory upload to. Webmin application files can be
The vulberable file we are uploading should be integrated with the application. written/overwritten, thus allowing RCE root. The module has been tested
Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used. successfully with Webmin 1900 over Debia'cookie' "redirect=1; testing=1;
The module has been tested successfully with Webmin 1900 over Debia'cookie' => "redirect=1; testing=1; sid=#{session}"n 4.9.18. sid=#{session}"n 4.9.18.
Update: The update to this module allows the user to set 'GUESSUPLOAD' to true, which will attempt Using GUESSUPLOAD attempts to use a default installation path in order to trigger the
to upload the files to known default locations. This removes 'proc' permission requirement, meaning exploit.
attackers only need 'file' and 'updown' permissions.
), ),
'Author' => [ 'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, Initial PoC module 'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, Initial PoC module
@ -57,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote
[ [
Opt::RPORT(10000), Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]), OptBool.new('SSL', [true, 'Use SSL', true]),
OptBool.new('GUESSUPLOAD', [true, "If the 'Running Process' permission is not given to the user guess the path.", false]), OptBool.new('GUESSUPLOAD', [true, "If no 'proc' permissions exists use default path.", false]),
OptString.new('USERNAME', [true, 'Webmin Username']), OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']) OptString.new('PASSWORD', [true, 'Webmin Password'])
], self.class ], self.class